LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise
User Name
Password
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Notices

Reply
 
LinkBack Search this Thread
Old 09-11-2008, 04:26 PM   #1
vicjalan
LQ Newbie
 
Registered: Sep 2008
Location: Altanta, GA
Distribution: RHEL 5, Fedora 8, Fedora 9
Posts: 9

Rep: Reputation: 0
RHEL 5 SSH Login with AD User


Hi all,

I got my RHEL 5 Server joined to our domain but I can't seem to log in using ssh with an AD user. I am able to sudo to a domain user once I log in with root so I'm not sure what exactly is wrong.

nsswitch.conf:
Code:
passwd:     files winbind
shadow:     files winbind
group:      files winbind
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files
krb5.conf:

Code:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CHILD.CORP.DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 CHILD.CORP.DOMAIN.COM = {
  kdc = DC01.CHILD.CORP.DOMAIN.COM:88
  admin_server = DC01.CHILD.CORP.DOMAIN.COM:749
  default_domain = CHILD.CORP.DOMAIN.COM
 }

[domain_realm]
 .child.corp.domain.com = CHILD.CORP.DOMAIN.COM
 child.corp.domain.com = CHILD.CORP.DOMAIN.COM

[appdefaults]
 pam = {
   debug = true
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
smb.conf:

Code:
workgroup = CHILD
realm = CHILD.CORP.DOMAIN.COM
security = ads
password server = DC01.CHILD.CORP.DOMAIN.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = true
winbind enum groups = yes
winbind enum users = yes
template homedir = /home/%D/%U
system-auth:

Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        sufficient    pam_winbind.so use_first_pass

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
password    sufficient    pam_winbind.so use_authtok

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
when I run
Code:
wbinfo -u
I get my domain users.

when I run
Code:
wbinfo -g
I get my domain groups.

when I run
Code:
getent passwd
I get my local users and domain users.

when I run
Code:
getent group
I get my local groups and domain groups.

when I run
Code:
net ads testjoin
I get "join OK"

when I run
Code:
kinit user@CHILD.CORP.DOMAIN.COM
and then
Code:
klist -5
I get to see my kerberos ticket

So it all seems to be set up correctly but when I try to ssh into the server, I get an access denied error. Unfortunately the server is offsite so I can't try at the terminal to see if it works from there. Anyone know what I might be missing?


Thanks,

Victor
 
Old 09-12-2008, 09:40 AM   #2
vicjalan
LQ Newbie
 
Registered: Sep 2008
Location: Altanta, GA
Distribution: RHEL 5, Fedora 8, Fedora 9
Posts: 9

Original Poster
Rep: Reputation: 0
Got it!

I got it, I knew all I needed was a good night's rest

I needed to add the following to etc/pam.d/sshd.conf

Code:
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
password sufficient pam_winbind.so use_authtok
Once I added these 3 parameters I was able to log into the server using ssh.
 
Old 09-12-2008, 11:22 AM   #3
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,927
Blog Entries: 1

Rep: Reputation: 176Reputation: 176
Thanks for posting the solution! I was scratching my head over that one too!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH - cannot login as 1 particular user pnellesen Linux - Networking 7 11-24-2006 11:25 PM
ssh login without password for only one user zhjim Linux - Server 4 11-21-2006 04:31 PM
unable to login as user other than root on RHEL 4 done some changes in etc /shawdow abhi_raj Linux - Newbie 1 07-18-2006 08:47 AM
HELP me on SSH User login manya Linux - Security 1 05-03-2004 03:56 PM
how can i restrick user to login with ssh? davidrios Linux - Networking 1 04-27-2004 05:59 PM


All times are GMT -5. The time now is 08:19 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration