Fedora Core 4 and Windows Server 2003 Active Directory LDAP Bind Error
Hi guys,
We're conducting an open source experiment, and I'm having serious issues getting a FC4 box to bind with our domain. I have installed SFU 3.5 on both our Win 2k3 domain controllers:

camb-dc1.cambridge.news (10.0.20.1)
camb-dc2.cambridge.news (10.0.20.2)

I have configured several POSIX compliant users and a UNIX group that is associated with them. I have created a bind account, and have given it permission to read all attributes in AD. I have been following this guide:

I had everything working a few days ago, but the machine I was working on died. I have since tried to set up another two machines and they will not bind with AD.

I have configured my /etc/krb5.conf as follows:

[libdefaults]
 default_realm = CAMBRIDGE.NEWS
 ticket_lifetime = 24h
 clockskew = 300
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 CAMBRIDGE.NEWS = {
  kdc = 10.0.20.1:88
  kdc = 10.0.20.2:88
  admin_server = 10.0.20.1:749
 }

[domain_realm]
 .cambridge.news = CAMBRIDGE.NEWS
 cambridge.news = CAMBRIDGE.NEWS

I have configured my /etc/openldap/ldap.conf as follows:

HOST camb-dc1.cambridge.news camb-dc2.cambridge.news
BASE dc=cambridge,dc=news
TLS_CACERTDIR /etc/openldap/certs

I have configured my /etc/ldap.conf as follows:

####################### /etc/ldap.conf ###########################
#Stay away from spaces, LDAP does not like them.
# Your LDAP server. Must be resolvable without using LDAP.
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
# debug use this to determine errors
debug 1
host camb-dc1.cambridge.news camb-dc2.cambridge.news
base dc=cambridge,dc=news
binddn cn=dirsearch,cn=Users,dc=cambridge,dc=news
bindpw dirsearch
#rootbinddn cn=administrator,cn=users,dc=openad,dc=local
port 389
timelimit 30
#ssl start_tls
ssl no
#tls_checkpeer yes
#tls_cacertfile /etc/ssl/certs/adcert.pem
scope sub
#Active Directory Mappings
# pam_password ad
nss_base_passwd dc=cambridge,dc=news?sub
nss_base_shadow dc=cambridge,dc=news?sub
nss_base_group dc=cambridge,dc=news?sub
pam_login_attribute sAMAccountName
pam_member_attribute msSFU30PosixMember
pam_filter objectclass=User
pam_groupdn cn=LinuxUsers,dc=cambridge,dc=news
# Update Active Directory password, by creating Unicode password
# and updating unicodePwd attribute.
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
tls_cacertdir /etc/openldap/cacerts
######################## END /etc/ldap.conf ####################

I have also added to /etc/nsswitch.conf:

passwd: files ldap
shadow: files ldap
group: files ldap

The error I get if I try to run getent passwd | grep chrisbradford is:

ldap_create
ldap_create
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP camb-dc1.cambridge.news:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 10.0.20.1:389
ldap_connect_timeout: fd: 4 tm: 30 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 71 bytes to sd 4
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
wait4msg (timeout 30 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 0
** Connections:
* host: camb-dc1.cambridge.news port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Apr 20 14:29:43 2006
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 0
ber_get_next
ber_get_next: tag 0x30 len 103 contents:
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_scanf fmt ({iaa}) ber:
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 1
new result: res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece>, res_matched: <>
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 4
ldap_free_connection: actually freed

I am aware that this is an authentication error, but I can assure you I have checked this several times. I also reset the password on the account to bring the unix password attribute up to date. I have also tried to bind with an Administrator account.

Also if I run:

ldapsearch x -D "cn=Administrator,cn=Users,dc=cambridge,dc=news" -W "sAMAccountName=del"

Then enter the password I get:

Enter LDAP Password:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:

Please can someone help me?!
I have no idea where to go with this now. I have checked and double checked the guide and everything seems to check out. The fact that it was working fine before also makes no sense.

Thank you,
Chris Bradford
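An added example, not part of the post above: when an Active Directory DC rejects a simple bind it returns LDAP result 49 (invalidCredentials) for every failure and puts the real reason in the "data NNN" sub-code of the diagnostic string, so the first thing to check is that sub-code rather than the password. The POSIX shell helper below pulls the sub-code out of a diagnostic line and maps it to the documented AcceptSecurityContext meanings (the mapping is the standard AD set, not something taken from the post). The sample string is the res_error line from the debug output above, embedded so the script runs offline; the function name is my own.

```shell
#!/bin/sh
# Added example: decode the AD bind failure sub-code ("data NNN") that a
# domain controller embeds in the diagnostic message of an LDAP result 49.

ad_bind_reason() {
    # $1: diagnostic string, e.g.
    #   "80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 525, vece"
    # Prints the meaning of the sub-code; returns 1 if none is present or it is unknown.
    code=$(printf '%s\n' "$1" | sed -n 's/.*data \([0-9a-fA-F]*\),.*/\1/p' | tr 'A-F' 'a-f')
    case "$code" in
        525) echo "525: user not found (bind DN or sAMAccountName does not resolve to an account)";;
        52e) echo "52e: invalid credentials (account exists, password wrong)";;
        530) echo "530: logon not permitted at this time";;
        531) echo "531: logon not permitted at this workstation";;
        532) echo "532: password expired";;
        533) echo "533: account disabled";;
        701) echo "701: account expired";;
        773) echo "773: user must reset password";;
        775) echo "775: account locked out";;
        '')  echo "no 'data NNN' sub-code found in message"; return 1;;
        *)   echo "$code: unknown sub-code"; return 1;;
    esac
}

# Sample taken from the debug output in the post (constructed input for offline use).
SAMPLE='80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece'
ad_bind_reason "$SAMPLE"
```

Two practitioner notes on the configuration shown in the post, again as editorial additions rather than part of the post: with `ssl no` and `port 389`, the `bindpw` in /etc/ldap.conf is sent to the DC in cleartext on every lookup, so that file needs tight permissions and the bind should move to `ssl start_tls` with `tls_checkpeer yes` once the bind itself works; and `ldapsearch` only does a simple bind when given `-x`, otherwise it attempts SASL, which is exactly the "SASL(-4): no mechanism available" result shown for the second command.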
OK, well the same ldap.conf works with the openldap.conf in FC5 without any problems.

I can use getent passwd | grep chris and it displays correctly, without error.

Can anyone tell me how to get pam_mount working in FC5? Also how to configure /etc/pam.d/login, as the config appears to not be the same as FC4. If I use my /etc/pam.d/login file I cannot log in at the CLI. I want to be able to log into gdm and the CLI with LDAP users.

Cheers,