LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise
User Name
Password
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Notices



Reply
 
Search this Thread
Old 08-01-2007, 09:36 AM   #1
jmerry01
LQ Newbie
 
Registered: Jul 2007
Posts: 4

Rep: Reputation: 0
Troubleshooting - Using AD to authenticate Linux logins - I know I'm close!


I know I'm really close to getting this to work...Can anybody tell me what I'm missing? I've read over a half dozen FAQs/HOWTOs/etc but can't seem to find the missing piece of the puzzle.

My test account is a member of CN=Administrators,CN=Builtin,DC=mycompany,DC=com

The logs show that pam is finding my userDN after I enter my login information, but it's coming up with invalid credentials. I've verified that the password is correct by logging in to AD with that same password.

getent passwd does not return any AD users
getent shadow returns ~1000 users (there are 9000 users in AD)
getent group does not return any AD groups

Here's my output from /var/log/messages and /var/log/secure:

==> /var/log/messages <==
Aug 1 09:19:23 LINUXHOST sshd(pam_unix)[5220]: check pass; user unknown
Aug 1 09:19:23 LINUXHOST sshd(pam_unix)[5220]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=linuxhost
Aug 1 09:19:23 LINUXHOST sshd[5220]: pam_ldap: error trying to bind as user "CN=User\, Test,OU=IT,OU=mycompanyOU,DC=mycompany,DC=com" (Invalid credentials)

==> /var/log/secure <==
Aug 1 13:19:20 LINUXHOST sshd[5221]: Failed gssapi-with-mic for invalid user testuser from ::ffff:127.0.0.1 port 33042 ssh2
Aug 1 09:19:25 LINUXHOST sshd[5220]: Failed password for invalid user testuser from ::ffff:127.0.0.1 port 33042 ssh2
Aug 1 13:19:25 LIUNXHOST sshd[5221]: Failed password for invalid user testuser from ::ffff:127.0.0.1 port 33042 ssh2
Aug 1 13:19:27 LINUXHOST sshd[5221]: Connection closed by ::ffff:127.0.0.1


Here is /etc/ldap.conf:
base dc=mycompany,dc=com
uri ldap://myadcontroller:389
ldap_version 3
binddn cn=ldapquery,ou=IT,dc=mycompany,dc=com
bindpw myrealldapquerypassword
nss_base_passwd dc=mycompany,dc=com?sub
nss_base_shadow dc=mycompany,dc=com?sub
nss_base_group dc=mycompany,dc=com?sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
pam_groupdn CN=Administrators,CN=Builtin,DC=mycompany,DC=com
host myadcontroller.windstream.com
scope sub
ssl no
tls_cacertdir /etc/openldap/cacerts

And here is /etc/openldap/ldap.conf:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

SIZELIMIT 12000
TIMELIMIT 150
#DEREF never
BASE dc=mycompany,dc=com
HOST myadcontroller.mycompany.com
URI ldap://myadcontroller.mycompany.com
TLS_CACERTDIR /etc/openldap/cacerts
 
Old 08-01-2007, 10:14 AM   #2
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
Add the 'ldap' to the /etc/nsswitch.conf file:

password: files ldap
shadow: files ldap
group: files ldap
 
Old 08-01-2007, 10:23 AM   #3
jmerry01
LQ Newbie
 
Registered: Jul 2007
Posts: 4

Original Poster
Rep: Reputation: 0
Nuts, I knew I was forgetting to include a file.

here is /etc/nss_switch.conf:

passwd: files ldap
shadow: files ldap
group: files ldap

#hosts: db files ldap nis dns
hosts: files dns

# Example - obey only what ldap tells us...
#services: ldap [NOTFOUND=return] files
#networks: ldap [NOTFOUND=return] files
#protocols: ldap [NOTFOUND=return] files
#rpc: ldap [NOTFOUND=return] files
#ethers: ldap [NOTFOUND=return] files

bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: files
automount: files ldap
aliases: files
 
Old 08-01-2007, 10:29 AM   #4
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
Rinse and repeat all your steps and document what you are doing so you can trace your steps.
 
Old 08-01-2007, 11:59 AM   #5
jmerry01
LQ Newbie
 
Registered: Jul 2007
Posts: 4

Original Poster
Rep: Reputation: 0
Okay I've repeated everything, and the problem still exists. What next?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Looking to linux for hardware troubleshooting jstars Linux - Hardware 15 07-19-2007 08:45 AM
How can I authenticate Linux against SUN One DS? mramos Linux - General 2 05-24-2006 07:31 AM
Why can't my user authenticate from RH Linux to Sun ONE DS using LDAP? Erikka Linux - Networking 1 08-25-2005 12:53 AM
Linux box Authenticate against Active Directory tulip4heaven Linux - Networking 2 05-31-2005 01:31 AM
LDAP to authenticate Linux w/eDir mttjbs Linux - Newbie 0 01-15-2004 11:15 AM


All times are GMT -5. The time now is 05:35 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration