LinuxQuestions.org
Old 12-21-2011, 04:54 PM   #1
jrella
LQ Newbie
 
Registered: Apr 2008
Posts: 21

Kerberos/LDAP against Windows Server 2008 Active Directory - requires local user


I have been trying to get AD logins working on a linux machine. If I create a local linux user with the same name as the AD user, the linux machine will require the AD password. But if no corresponding local user exists, then I get invalid user errors:

Create test01 locally with no password. test01 can then login using the AD password:

Dec 21 16:06:41 doladtest002 sshd[8467]: pam_krb5[8467]: error reading keytab 'FILE:/etc/krb5.keytab'
Dec 21 16:06:41 doladtest002 sshd[8467]: pam_krb5[8467]: TGT verified
Dec 21 16:06:41 doladtest002 sshd[8467]: pam_krb5[8467]: authentication succeeds for 'test01' (test01@DOL.LOCAL)
Dec 21 16:06:41 doladtest002 sshd[8467]: Accepted password for test01 from x.x.x.x port 51130 ssh2
Dec 21 16:06:41 doladtest002 sshd[8467]: pam_unix(sshd:session): session opened for user test01 by (uid=0)
Dec 21 16:06:46 doladtest002 sshd[8467]: pam_unix(sshd:session): session closed for user test01

Delete local user test01 and delete home directory:

Dec 21 16:06:54 doladtest002 userdel[8498]: delete user `test01'
Dec 21 16:06:54 doladtest002 userdel[8498]: removed group `test01' owned by `test01'

Attempt login with AD account but no local account:

Dec 21 16:07:10 doladtest002 sshd[8504]: Invalid user test01 from x.x.x.x
Dec 21 16:07:10 doladtest002 sshd[8505]: input_userauth_request: invalid user test01
Dec 21 16:07:16 doladtest002 sshd[8504]: pam_unix(sshd:auth): check pass; user unknown
Dec 21 16:07:16 doladtest002 sshd[8504]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
Dec 21 16:07:16 doladtest002 sshd[8504]: pam_succeed_if(sshd:auth): error retrieving information about user test01
Dec 21 16:07:18 doladtest002 sshd[8504]: Failed password for invalid user test01 from x.x.x.x port 51138 ssh2
Dec 21 16:07:20 doladtest002 sshd[8505]: Received disconnect from x.x.x.x: 13: Unable to authenticate

Attempt login with AD account using name@machine.dol.local:

Dec 21 16:12:53 doladtest002 sshd[8527]: Invalid user test01@doladtest002.dol.local from x.x.x.x
Dec 21 16:12:53 doladtest002 sshd[8528]: input_userauth_request: invalid user test01@doladtest002.dol.local
Dec 21 16:12:58 doladtest002 sshd[8527]: pam_unix(sshd:auth): check pass; user unknown
Dec 21 16:12:58 doladtest002 sshd[8527]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
Dec 21 16:12:58 doladtest002 sshd[8527]: pam_succeed_if(sshd:auth): error retrieving information about user test01@doladtest002.dol.local
Dec 21 16:13:01 doladtest002 sshd[8527]: Failed password for invalid user test01@doladtest002.dol.local from x.x.x.x port 51220 ssh2
Dec 21 16:13:02 doladtest002 sshd[8528]: Received disconnect from x.x.x.x: 13: Unable to authenticate

I too cannot seem to get past this. When I played around with Samba and Winbind, I got better results, but I don't want to use that. I should be able to do this with just Kerberos and LDAP. I am copying the relevant config files from a linux machine in a different domain that authenticates to AD using Kerberos and authorizes access based on AD group via LDAP.

This is driving me insane. I have gone through every setting I can think of on both the Domain Controller and the linux machine. I have compared my config files to working config files. I have compared Domain Controller settings. In the domain where this is working, Samba is not being used. Any suggestions are welcome. I am stuck.

Here is a successful AD user login on a linux machine in the other domain. There is no corresponding local user:

Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_krb5[27107]: error reading keytab 'FILE:/etc/krb5.keytab'
Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_krb5[27107]: TGT verified
Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_krb5[27107]: authentication succeeds for 'tgiardi' (tgiardi@DOMAIN.COM)
Dec 21 10:49:26 enysvlalb012 sshd[27107]: Accepted password for tgiardi from x.x.x.x port 50618 ssh2
Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_unix(sshd:session): session opened for user tgiardi by (uid=0)
 
Old 01-18-2012, 08:35 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,013

How does /etc/pam.d/ssh(d) (and any file it references, like /etc/pam.d/system-auth) compare with the corresponding file(s) on the working system?
 
Old 01-19-2012, 09:55 AM   #3
jrella
LQ Newbie
 
Registered: Apr 2008
Posts: 21

Original Poster
Working

I worked with Red Hat the other day and got it working. We replaced the ldap.conf file with a new simplified one. That did the trick. Not sure which lines were causing problems in the old one yet. Thanks.
 
Old 08-23-2012, 07:04 PM   #4
bigfootw
LQ Newbie
 
Registered: Jan 2009
Posts: 3

jrella, would you mind sharing that "simplified one"? It could shed some light for those who are having the same kind of problem. Cheers
 
Old 08-27-2012, 03:52 PM   #5
jrella
LQ Newbie
 
Registered: Apr 2008
Posts: 21

Original Poster
Sure thing. Here it is:

host x.x.x.x

base dc=abc,dc=local

binddn ldapuser@ABC.LOCAL
bindpw Password1!

timelimit 120
bind_timelimit 120
idle_timelimit 3600

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
 
Old 08-29-2012, 10:52 AM   #6
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,425

Okay now, jrella, what were the differences? What do you conjecture was the root-cause of the problem? Go ahead, please, and follow through on this thread to a logical conclusion that someone else, maybe months or years from now, can pick-up and actually use. So far, you've stopped with, "Well, I solved it!"

... leaving the next Gentle Reader to cry, "But how?" (Kinda like eating a whole box of Cracker Jacks and finding no toy in the bottom of the box.)

 
Old 09-05-2012, 04:58 PM   #7
jrella
LQ Newbie
 
Registered: Apr 2008
Posts: 21

Original Poster
Unfortunately, I do not know the differences between the files. The config file I was using was modified from another AD setup in an identical fashion. It worked in that domain, but when I changed the domain and IP specific information and tried to use the same config in the new domain, it would not work. The simplified one above did work.

Here is the original, which worked in one domain but not the other:

host x.x.x.x
base dc=ABC,dc=LOCAL
uri ldap://fqdn/
binddn ldapuser@abc.LOCAL
bindpw Password1!
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap
referrals no
ssl no
nss_base_passwd dc=DOL,dc=local?sub?
nss_base_shadow dc=DOL,dc=local?sub?
nss_base_group dc=DOL,dc=local?sub?&(objectCategory=group)(gidnumber=*)
nss_objectclass posixAccount user
nss_objectclass shadowAccount user
nss_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos cn
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
bind_policy soft
debug 1


If I had to guess, I would suspect that the lines...

uri ldap://fqdn/
referrals no
ssl no
nss_base_passwd dc=DOL,dc=local?sub?
nss_base_shadow dc=DOL,dc=local?sub?
nss_base_group dc=DOL,dc=local?sub?&(objectCategory=group)(gidnumber=*)


...were causing it to fail. Why, I do not know.

I hope that helps someone. Let me know if there is anything else I can provide.
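One way to narrow this down, as an added diagnostic that is not from any poster in this thread: sshd logs "Invalid user" when the NSS lookup (getpwnam) fails, before PAM or Kerberos are consulted, so `getent passwd test01` is the first thing to check, and the script below reconstructs the passwd search that PADL nss_ldap derives from an ldap.conf so the two files above can be compared. It assumes nss_ldap applies nss_map_objectclass/nss_map_attribute to its default (&(objectClass=posixAccount)(uid=NAME)) filter, lets nss_base_passwd override base and scope, and silently ignores directives it does not recognise.

```python
"""Added diagnostic: show the passwd-by-name search nss_ldap would run for
an ldap.conf and flag directives outside its documented set. Assumes the
mapping and override behaviour described in the lead-in."""

KNOWN = {"host", "uri", "base", "binddn", "bindpw", "scope", "timelimit",
         "bind_timelimit", "idle_timelimit", "nss_initgroups_ignoreusers",
         "referrals", "ssl", "nss_base_passwd", "nss_base_shadow",
         "nss_base_group", "nss_map_objectclass", "nss_map_attribute",
         "pam_login_attribute", "pam_filter", "pam_password", "bind_policy",
         "debug"}

def parse(text):
    """'key value' lines; the two nss_map_* directives repeat, so collect dicts."""
    cfg = {"nss_map_objectclass": {}, "nss_map_attribute": {}, "unknown": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        key = parts[0].lower()
        if key.startswith("nss_map_") and key in cfg and len(parts) == 3:
            cfg[key][parts[1]] = parts[2]
        elif key in KNOWN:
            cfg[key] = parts[1] if len(parts) > 1 else ""
        else:
            cfg["unknown"].append(line)   # nss_ldap would ignore this line
    return cfg

def passwd_lookup(cfg, name):
    """(base, scope, filter) nss_ldap would use for getpwnam(name)."""
    oc = cfg["nss_map_objectclass"].get("posixAccount", "posixAccount")
    uid_attr = cfg["nss_map_attribute"].get("uid", "uid")
    base, scope = cfg.get("base", ""), cfg.get("scope", "sub")
    if "nss_base_passwd" in cfg:   # base?scope?filter overrides the globals
        b, _, rest = cfg["nss_base_passwd"].partition("?")
        s, _, _extra = rest.partition("?")
        base, scope = b or base, s or scope
    return base, scope, f"(&(objectClass={oc})({uid_attr}={name}))"

# Passwd-relevant excerpts of the two files posted above (no credentials).
WORKING = """base dc=abc,dc=local
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName"""
ORIGINAL = """base dc=ABC,dc=LOCAL
nss_base_passwd dc=DOL,dc=local?sub?
nss_objectclass posixAccount user
nss_map_attribute uid sAMAccountName"""

if __name__ == "__main__":
    for label, text in (("working", WORKING), ("original", ORIGINAL)):
        cfg = parse(text)
        print(label, passwd_lookup(cfg, "test01"), "ignored:", cfg["unknown"])
```

Run against the original file it shows that the objectclass mapping line is not a directive nss_ldap knows, so that file's passwd filter still asks for objectClass=posixAccount under the nss_base_passwd base; whether that is what broke the second domain is something only an ldapsearch with the same bind DN and filter against that DC can confirm.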