LinuxQuestions.org
Old 10-27-2011, 02:39 PM   #1
Shad0wguy
LQ Newbie
 
Registered: Oct 2011
Location: Long Island, NY
Distribution: Fedora 15
Posts: 2

Rep: Reputation: Disabled
LDAP/Kerberos authentication to Windows Active Directory


First time posting here, but I am at my wit's end with this.

I am trying to set up single sign-on for all the systems at the company I work for. We had Active Directory in place for the Windows users, so I wanted to use the existing system to authenticate the Linux machines we have, running Fedora 15, as well as our multi-function printer and a few internal web services (blog, wiki, etc.).

Anyway, I've been testing with a spare PC and have both LDAP and Kerberos configured. I am able to run an ldap search with my own AD credentials, as well as pull a Kerberos ticket. So I know the two machines are communicating.

The issue is that I can't seem to manage to log in using my AD credentials. getent passwd only displays the local accounts as well.

I've spent the last week or so reading everything I could find and getting to this point. Any input would be greatly appreciated.
 
Old 10-27-2011, 03:41 PM   #2
Shad0wguy
LQ Newbie
 
Registered: Oct 2011
Location: Long Island, NY
Distribution: Fedora 15
Posts: 2

Original Poster
Rep: Reputation: Disabled
Update: I just noticed that I can add a user with the same user name as their AD account and they are able to log in using their AD password. However, they don't get their proper UID that is set to their account on AD.
 
Old 12-21-2011, 03:31 PM   #3
jrella
LQ Newbie
 
Registered: Apr 2008
Posts: 21

Rep: Reputation: 0
Unhappy same thing

I have the exact same issue. If I create a local Linux user with the same name as the AD user, the Linux machine will require the AD password. But if no corresponding local user exists, then I get invalid user errors:

Create test01 locally with no password. test01 can then login using the AD password:

Dec 21 16:06:41 doladtest002 sshd[8467]: pam_krb5[8467]: error reading keytab 'FILE:/etc/krb5.keytab'
Dec 21 16:06:41 doladtest002 sshd[8467]: pam_krb5[8467]: TGT verified
Dec 21 16:06:41 doladtest002 sshd[8467]: pam_krb5[8467]: authentication succeeds for 'test01' (test01@DOL.LOCAL)
Dec 21 16:06:41 doladtest002 sshd[8467]: Accepted password for test01 from x.x.x.x port 51130 ssh2
Dec 21 16:06:41 doladtest002 sshd[8467]: pam_unix(sshd:session): session opened for user test01 by (uid=0)
Dec 21 16:06:46 doladtest002 sshd[8467]: pam_unix(sshd:session): session closed for user test01

Delete local user test01 and delete home directory:

Dec 21 16:06:54 doladtest002 userdel[8498]: delete user `test01'
Dec 21 16:06:54 doladtest002 userdel[8498]: removed group `test01' owned by `test01'

Attempt login with AD account but no local account:

Dec 21 16:07:10 doladtest002 sshd[8504]: Invalid user test01 from x.x.x.x
Dec 21 16:07:10 doladtest002 sshd[8505]: input_userauth_request: invalid user test01
Dec 21 16:07:16 doladtest002 sshd[8504]: pam_unix(sshd:auth): check pass; user unknown
Dec 21 16:07:16 doladtest002 sshd[8504]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
Dec 21 16:07:16 doladtest002 sshd[8504]: pam_succeed_if(sshd:auth): error retrieving information about user test01
Dec 21 16:07:18 doladtest002 sshd[8504]: Failed password for invalid user test01 from x.x.x.x port 51138 ssh2
Dec 21 16:07:20 doladtest002 sshd[8505]: Received disconnect from x.x.x.x: 13: Unable to authenticate

Attempt login with AD account using name@machine.dol.local:

Dec 21 16:12:53 doladtest002 sshd[8527]: Invalid user test01@doladtest002.dol.local from x.x.x.x
Dec 21 16:12:53 doladtest002 sshd[8528]: input_userauth_request: invalid user test01@doladtest002.dol.local
Dec 21 16:12:58 doladtest002 sshd[8527]: pam_unix(sshd:auth): check pass; user unknown
Dec 21 16:12:58 doladtest002 sshd[8527]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
Dec 21 16:12:58 doladtest002 sshd[8527]: pam_succeed_if(sshd:auth): error retrieving information about user test01@doladtest002.dol.local
Dec 21 16:13:01 doladtest002 sshd[8527]: Failed password for invalid user test01@doladtest002.dol.local from x.x.x.x port 51220 ssh2
Dec 21 16:13:02 doladtest002 sshd[8528]: Received disconnect from x.x.x.x: 13: Unable to authenticate

I too cannot seem to get past this. When I played around with Samba and Winbind, I got better results, but I don't want to use that. I should be able to do this with just Kerberos and LDAP. I am copying the relevant config files from a Linux machine in a different domain that authenticates to AD using Kerberos and authorizes access based on AD group via LDAP.

This is driving me insane. I have gone through every setting I can think of on both the Domain Controller and the Linux machine. I have compared my config files to working config files. I have compared Domain Controller settings. In the domain where this is working, Samba is not being used. Any suggestions are welcome. I am stuck.

Here is a successful AD user login on a Linux machine in the other domain. There is no corresponding local user:

Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_krb5[27107]: error reading keytab 'FILE:/etc/krb5.keytab'
Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_krb5[27107]: TGT verified
Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_krb5[27107]: authentication succeeds for 'tgiardi' (tgiardi@DOMAIN.COM)
Dec 21 10:49:26 enysvlalb012 sshd[27107]: Accepted password for tgiardi from x.x.x.x port 50618 ssh2
Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_unix(sshd:session): session opened for user tgiardi by (uid=0)

Last edited by jrella; 12-21-2011 at 03:55 PM.
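The two log excerpts above differ in where the attempt dies: in the failing case sshd itself reports "Invalid user" and pam_unix says "user unknown" before pam_krb5 ever runs, which means the account is not resolvable through NSS (the same reason getent passwd shows only local users), not that Kerberos rejected the password. The following classifier, an added example and not code from the thread, groups sshd messages by PID and labels each attempt accordingly; the sample lines are constructed to mirror the quoted output, and the "authentication fails" line for the hypothetical user "bob" is assumed pam_krb5 wording for a wrong password.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the sshd/pam_krb5 lines quoted in the thread.
SAMPLE_LOG = """\
Dec 21 16:06:41 host sshd[8467]: pam_krb5[8467]: TGT verified
Dec 21 16:06:41 host sshd[8467]: pam_krb5[8467]: authentication succeeds for 'test01' (test01@DOL.LOCAL)
Dec 21 16:06:41 host sshd[8467]: Accepted password for test01 from 10.0.0.5 port 51130 ssh2
Dec 21 16:07:10 host sshd[8504]: Invalid user test01 from 10.0.0.5
Dec 21 16:07:16 host sshd[8504]: pam_unix(sshd:auth): check pass; user unknown
Dec 21 16:07:16 host sshd[8504]: pam_succeed_if(sshd:auth): error retrieving information about user test01
Dec 21 16:07:18 host sshd[8504]: Failed password for invalid user test01 from 10.0.0.5 port 51138 ssh2
Dec 21 16:20:00 host sshd[8600]: pam_krb5[8600]: authentication fails for 'bob' (bob@DOL.LOCAL): Preauthentication failed
Dec 21 16:20:02 host sshd[8600]: Failed password for bob from 10.0.0.5 port 51300 ssh2
"""

# "Mon DD HH:MM:SS host sshd[PID]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ sshd\[(\d+)\]: (.*)$")
# Pull the login name out of sshd's own "Invalid user X from" / "... password for X from" lines.
USER_RE = re.compile(r"(?:Invalid user|password for(?: invalid user)?) (\S+) from")

def parse_sessions(log_text):
    """Group sshd messages by child PID, preserving log order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[m.group(1)].append(m.group(2))
    return sessions

def classify(messages):
    """Return (user, verdict) for one sshd PID's messages.

    nss_lookup_failed: sshd/pam_unix could not resolve the account at all, so
    the fix is on the NSS side (nsswitch.conf, LDAP user mapping), not Kerberos.
    credential_failed: the account resolved but the password/ticket check failed.
    """
    user = next((USER_RE.search(m).group(1) for m in messages if USER_RE.search(m)), None)
    text = "\n".join(messages)
    if "Invalid user" in text or "user unknown" in text:
        return user, "nss_lookup_failed"
    if "Accepted password" in text:
        return user, "success"
    if "authentication fails" in text or "Failed password" in text:
        return user, "credential_failed"
    return user, "incomplete"

def summarize(log_text):
    """Map each sshd PID to its (user, verdict)."""
    return {pid: classify(msgs) for pid, msgs in parse_sessions(log_text).items()}

if __name__ == "__main__":
    for pid, (user, verdict) in summarize(SAMPLE_LOG).items():
        print(f"sshd[{pid}] user={user} verdict={verdict}")
```

Run it against /var/log/secure on the affected host: every AD account that comes back as nss_lookup_failed is one that getent passwd cannot see, which is the configuration to fix before any PAM/Kerberos tuning.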
 
Old 12-22-2011, 11:45 AM   #4
0.o
Member
 
Registered: May 2004
Location: Raleigh, NC
Distribution: Debian, Solaris, HP-UX, AIX
Posts: 207

Rep: Reputation: 35
I too am trying to authenticate Linux users from AD LDAP. I am currently authenticating them against an OpenLDAP system. However, rather than having two different authentication systems running at the same time, I would prefer to use AD LDAP. It doesn't seem to be that easy. Is it not possible to authenticate Linux users against AD LDAP without the use of winbind or Kerberos?
 
Old 02-10-2012, 03:26 AM   #5
Stratocaster72
LQ Newbie
 
Registered: Jun 2007
Posts: 7

Rep: Reputation: Disabled
abc
 
Old 02-12-2012, 02:29 PM   #6
cbtshare
Member
 
Registered: Jul 2009
Posts: 561

Rep: Reputation: 42
If getent passwd only gives:

Add this to your smb.conf:
Quote:
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
 
Old 02-13-2012, 03:55 PM   #7
ronw69
LQ Newbie
 
Registered: Feb 2012
Posts: 5

Rep: Reputation: Disabled
Check out a package called Likewise. This package installs and manages all of the components and allows you to log in to AD even under a different OU, which is very hard to manage. Here is a URL to the project:
http://sourceforge.net/projects/likewiseopen/
 
Old 02-15-2012, 12:04 PM   #8
jrella
LQ Newbie
 
Registered: Apr 2008
Posts: 21

Rep: Reputation: 0
@cbtshare: Trying to do this without using any kind of Samba.

@ronw69: Same thing... trying to do this with just Kerberos and LDAP. Might use a third party product sometime in the future though, so thanks for the info.
 
  

