Troubleshooting - Using AD to authenticate Linux logins - I know I'm close!
I know I'm really close to getting this to work... Can anybody tell me what I'm missing? I've read over a half dozen FAQs/HOWTOs/etc. but can't seem to find the missing piece of the puzzle.
My test account is a member of CN=Administrators,CN=Builtin,DC=mycompany,DC=com
The logs show that pam is finding my userDN after I enter my login information, but it's coming up with invalid credentials. I've verified that the password is correct by logging in to AD with that same password.
getent passwd does not return any AD users
getent shadow returns ~1000 users (there are 9000 users in AD)
getent group does not return any AD groups
Here's my output from /var/log/messages and /var/log/secure:
==> /var/log/messages <==
Aug 1 09:19:23 LINUXHOST sshd(pam_unix): check pass; user unknown
Aug 1 09:19:23 LINUXHOST sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=linuxhost
Aug 1 09:19:23 LINUXHOST sshd: pam_ldap: error trying to bind as user "CN=User\, Test,OU=IT,OU=mycompanyOU,DC=mycompany,DC=com" (Invalid credentials)
==> /var/log/secure <==
Aug 1 13:19:20 LINUXHOST sshd: Failed gssapi-with-mic for invalid user testuser from ::ffff:127.0.0.1 port 33042 ssh2
Aug 1 09:19:25 LINUXHOST sshd: Failed password for invalid user testuser from ::ffff:127.0.0.1 port 33042 ssh2
Aug 1 13:19:25 LIUNXHOST sshd: Failed password for invalid user testuser from ::ffff:127.0.0.1 port 33042 ssh2
Aug 1 13:19:27 LINUXHOST sshd: Connection closed by ::ffff:127.0.0.1
Here is /etc/ldap.conf:
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
And here is /etc/openldap/ldap.conf:
# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
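As an added check (example code, not part of the original post), the script below parses an nss_ldap/pam_ldap style /etc/ldap.conf, reports which connection and search directives (host/uri, base, pam_login_attribute) are absent from the fragment quoted above, and checks whether pam_login_attribute agrees with the NSS mapping of uid. The completed variant uses a placeholder host and service-account DN; the search base is the domain named in the post.

```python
"""Lint an nss_ldap/pam_ldap style /etc/ldap.conf for an AD-backed setup.
Added example; directive names are those documented in ldap.conf(5)."""

# The /etc/ldap.conf fragment quoted in the post (constructed copy).
POSTED_CONF = """\
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
"""

# Same mappings plus connection/search directives (placeholder host and
# service account; the search base is the domain named in the post).
COMPLETED_CONF = POSTED_CONF + """\
uri ldap://dc1.example.invalid
base dc=mycompany,dc=com
binddn cn=nssproxy,ou=ServiceAccounts,dc=mycompany,dc=com
pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_base_passwd ou=mycompanyOU,dc=mycompany,dc=com?sub
"""

# Each group is satisfied by any one of its alternative directives.
REQUIRED = {"server": ("host", "uri"), "search base": ("base",),
            "login attribute": ("pam_login_attribute",)}

def parse_ldap_conf(text):
    """Map each directive (lower-cased) to the list of values seen for it."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def missing_directives(conf):
    """Required groups for which no alternative directive is present."""
    return [g for g, alts in REQUIRED.items() if not any(a in conf for a in alts)]

def login_attribute_mismatch(conf):
    """True if pam_login_attribute (default uid) differs from the uid mapping."""
    uid_map = dict(v.split(None, 1) for v in conf.get("nss_map_attribute", []) if " " in v)
    login = conf.get("pam_login_attribute", ["uid"])[-1]
    return uid_map.get("uid", "uid").lower() != login.lower()
```

Run against the posted fragment, `missing_directives` lists all three groups and the login attribute check fires; against the completed variant both come back clean.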