Troubleshooting - Using AD to authenticate Linux logins - I know I'm close!
I know I'm really close to getting this to work... Can anybody tell me what I'm missing? I've read over half a dozen FAQs/HOWTOs/etc. but can't seem to find the missing piece of the puzzle.
My test account is a member of CN=Administrators,CN=Builtin,DC=mycompany,DC=com
The logs show that PAM is finding my userDN after I enter my login information, but it's coming up with invalid credentials. I've verified that the password is correct by logging in to AD with that same password.
getent passwd does not return any AD users
getent shadow returns ~1000 users (there are 9000 users in AD)
getent group does not return any AD groups
Here's my output from /var/log/messages and /var/log/secure:
==> /var/log/messages <==
Aug 1 09:19:23 LINUXHOST sshd(pam_unix)[5220]: check pass; user unknown
Aug 1 09:19:23 LINUXHOST sshd(pam_unix)[5220]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=linuxhost
Aug 1 09:19:23 LINUXHOST sshd[5220]: pam_ldap: error trying to bind as user "CN=User\, Test,OU=IT,OU=mycompanyOU,DC=mycompany,DC=com" (Invalid credentials)
==> /var/log/secure <==
Aug 1 13:19:20 LINUXHOST sshd[5221]: Failed gssapi-with-mic for invalid user testuser from ::ffff:127.0.0.1 port 33042 ssh2
Aug 1 09:19:25 LINUXHOST sshd[5220]: Failed password for invalid user testuser from ::ffff:127.0.0.1 port 33042 ssh2
Aug 1 13:19:25 LINUXHOST sshd[5221]: Failed password for invalid user testuser from ::ffff:127.0.0.1 port 33042 ssh2
Aug 1 13:19:27 LINUXHOST sshd[5221]: Connection closed by ::ffff:127.0.0.1
Here is /etc/ldap.conf:
base dc=mycompany,dc=com
uri ldap://myadcontroller:389
ldap_version 3
binddn cn=ldapquery,ou=IT,dc=mycompany,dc=com
bindpw myrealldapquerypassword
nss_base_passwd dc=mycompany,dc=com?sub
nss_base_shadow dc=mycompany,dc=com?sub
nss_base_group dc=mycompany,dc=com?sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
pam_groupdn CN=Administrators,CN=Builtin,DC=mycompany,DC=com
host myadcontroller.windstream.com
scope sub
ssl no
tls_cacertdir /etc/openldap/cacerts
And here is /etc/openldap/ldap.conf:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
SIZELIMIT 12000
TIMELIMIT 150
#DEREF never
BASE dc=mycompany,dc=com
HOST myadcontroller.mycompany.com
URI ldap://myadcontroller.mycompany.com
TLS_CACERTDIR /etc/openldap/cacerts
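As an added example (not part of the original post, and not code from nss_ldap or pam_ldap), here is a small offline checker for the keyword/value format of the /etc/ldap.conf shown above. It parses the file and reports the settings a security reviewer would flag before digging into the bind failure: the simple bind over plain ldap:// with ssl off, the bind password sitting in a file that NSS needs every local user to be able to read, the host/uri entries naming the server differently, and the effect of pam_groupdn. The embedded sample is the posted configuration with the password replaced by a placeholder; the rule set and severity labels are mine, not the libraries', and the parser treats keywords case-insensitively so it also accepts the upper-case style of /etc/openldap/ldap.conf.

```python
"""Offline sanity checker for a pam_ldap / nss_ldap style /etc/ldap.conf.

Added example, not from the original post.  The rules below encode what a
security reviewer would flag in the posted configuration; they are the
author's heuristics, not anything nss_ldap or pam_ldap enforces.
"""
from urllib.parse import urlparse

# Constructed sample: the configuration from the post, bindpw replaced.
SAMPLE_CONF = """\
base dc=mycompany,dc=com
uri ldap://myadcontroller:389
ldap_version 3
binddn cn=ldapquery,ou=IT,dc=mycompany,dc=com
bindpw REDACTED
nss_base_passwd dc=mycompany,dc=com?sub
nss_base_shadow dc=mycompany,dc=com?sub
nss_base_group dc=mycompany,dc=com?sub
nss_map_objectclass posixAccount User
nss_map_attribute uid sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
pam_groupdn CN=Administrators,CN=Builtin,DC=mycompany,DC=com
host myadcontroller.windstream.com
scope sub
ssl no
tls_cacertdir /etc/openldap/cacerts
"""


def parse_ldap_conf(text):
    """Return {keyword: [value, ...]} with keywords lower-cased.

    Repeated keywords are kept in file order (nss_map_attribute appears
    several times).  '#' starts a comment, so a bindpw containing '#'
    would be truncated; that is a known limitation of this toy parser.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def _uri_endpoints(conf):
    """(scheme, hostname) pairs from every 'uri' line (space separated)."""
    pairs = []
    for value in conf.get("uri", []):
        for uri in value.split():
            p = urlparse(uri)
            pairs.append((p.scheme.lower(), (p.hostname or "").lower()))
    return pairs


def check_ldap_conf(conf):
    """Return a list of (severity, category, message) findings."""
    findings = []
    endpoints = _uri_endpoints(conf)
    ssl = conf.get("ssl", ["no"])[-1].lower()          # pam_ldap default: no
    plaintext = ssl in ("no", "off") and not any(s == "ldaps" for s, _ in endpoints)

    if plaintext:
        findings.append(("HIGH", "transport",
                         "ssl is off and no ldaps:// URI is configured: the service-account "
                         "bind and every user's password at login cross the wire in cleartext"))
    if "bindpw" in conf:
        findings.append(("MEDIUM", "credentials",
                         "bindpw lives in a file nss_ldap needs readable by all local users; "
                         "rootbinddn with the password in root-only /etc/ldap.secret keeps "
                         "it out of the world-readable file"))
    host_names = {h.lower() for v in conf.get("host", []) for h in v.split()}
    uri_names = {h for _, h in endpoints if h}
    if host_names and uri_names and not host_names & uri_names:
        findings.append(("MEDIUM", "endpoint",
                         "host (%s) and uri (%s) name the server differently; confirm both "
                         "resolve to the intended directory" %
                         (", ".join(sorted(host_names)), ", ".join(sorted(uri_names)))))
    if "tls_cacertdir" in conf and plaintext:
        findings.append(("INFO", "transport",
                         "tls_cacertdir is set but TLS is never used; enable ssl start_tls "
                         "or an ldaps:// URI, or drop the dead setting"))
    if "pam_groupdn" in conf:
        findings.append(("INFO", "authorization",
                         "logins are restricted to members of %s; anyone outside that group "
                         "is denied even with a correct password" % conf["pam_groupdn"][-1]))
    return findings


def report(text):
    """Parse and check a config, returning the findings (also printed)."""
    findings = check_ldap_conf(parse_ldap_conf(text))
    for severity, category, message in findings:
        print("[%s] %s: %s" % (severity, category, message))
    return findings


if __name__ == "__main__":
    report(SAMPLE_CONF)
```

Run it against your real /etc/ldap.conf with `report(open("/etc/ldap.conf").read())`; a configuration using `ssl yes` or an `ldaps://` URI together with `rootbinddn` produces no HIGH or MEDIUM findings.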