LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Fedora Core 4 and Windows Server 2003 Active Directory LDAP Bind Error (https://www.linuxquestions.org/questions/linux-networking-3/fedora-core-4-and-wnidows-server-2003-active-directory-ldap-bind-error-437116/)

cbtg2006 04-20-2006 09:49 AM

Fedora Core 4 and Windows Server 2003 Active Directory LDAP Bind Error
 
Hi guys,

We're conducting an open source experiment, and I'm having serious issues getting a FC4 box to bind with our domain.

I have installed SFU 3.5 on both our Win 2k3 domain controllers:

camb-dc1.cambridge.news (10.0.20.1)
camb-dc2.cambridge.news (10.0.20.2)

I have configured several POSIX compliant users and a UNIX group that is associated with them.

I have created a bind account, and have given it permission to read all attributes in AD.

I have been following this guide:


I had everything working a few days ago, but the machine I was working on died. I have since tried to set up another two machines and they will not bind with AD.


I have configured my /etc/krb5.conf as follows:


[libdefaults]
default_realm = CAMBRIDGE.NEWS
ticket_lifetime = 24h
clockskew = 300
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
CAMBRIDGE.NEWS = {
kdc = 10.0.20.1:88
kdc = 10.0.20.2:88
admin_server = 10.0.20.1:749
}

[domain_realm]
.cambridge.news = CAMBRIDGE.NEWS
cambridge.news = CAMBRIDGE.NEWS


I have configured my /etc/openldap/ldap.conf as follows:

HOST camb-dc1.cambridge.news camb-dc2.cambridge.news
BASE dc=cambridge,dc=news
TLS_CACERTDIR /etc/openldap/certs

I have configured my /etc/ldap.conf as follows:

####################### /etc/ldap.conf ###########################
#Stay away from spaces, LDAP does not like them.
# Your LDAP server. Must be resolvable without using LDAP.
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
# debug use this to determine errors
debug 1
host camb-dc1.cambridge.news camb-dc2.cambridge.news
base dc=cambridge,dc=news
binddn cn=dirsearch,cn=Users,dc=cambridge,dc=news
bindpw dirsearch
#rootbinddn cn=administrator,cn=users,dc=openad,dc=local
port 389
timelimit 30
#ssl start_tls
ssl no
#tls_checkpeer yes
#tls_cacertfile /etc/ssl/certs/adcert.pem
scope sub
#Active Directory Mappings
#
pam_password ad
nss_base_passwd dc=cambridge,dc=news?sub
nss_base_shadow dc=cambridge,dc=news?sub
nss_base_group dc=cambridge,dc=news?sub
pam_login_attribute sAMAccountName
pam_member_attribute msSFU30PosixMember
pam_filter objectclass=User
pam_groupdn cn=LinuxUsers,dc=cambridge,dc=news
# Update Active Directory password, by creating Unicode password
# and updating unicodePwd attribute.
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
tls_cacertdir /etc/openldap/cacerts
######################## END /etc/ldap.conf ####################

I have also added to /etc/nsswitch.conf:

passwd: files ldap
shadow: files ldap
group: files ldap


The error I get if I try to run getent passwd|grep chrisbradford is:

ldap_create
ldap_create
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP camb-dc1.cambridge.news:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 10.0.20.1:389
ldap_connect_timeout: fd: 4 tm: 30 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 71 bytes to sd 4
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
wait4msg (timeout 30 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 0
** Connections:
* host: camb-dc1.cambridge.news port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Apr 20 14:29:43 2006

** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 0
ber_get_next
ber_get_next: tag 0x30 len 103 contents:
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_scanf fmt ({iaa}) ber:
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 1
new result: res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece>, res_matched: <>
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 4
ldap_free_connection: actually freed

I am aware that this is an authentication error, but I can assure you I have checked this several times. I also reset the password on the account to bring the unix password attribute up to date.

I have also tried to bind with an Administrator account.

Also if I run:

ldapsearch x -D "cn=Administrator,cn=Users,dc=cambridge,dc=news" -W "sAMAccountName=del"

Then enter the password I get:

Enter LDAP Password:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:

Please can someone help me?! I have no idea where to go with this now. I have checked and double checked the guide and everything seems to check out.

The fact that it was working fine before also makes no sense.

Thank you,

Chris Bradford
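Decoding the bind failure quoted in the trace above, as an added example that is not part of the thread: the `data` field of an Active Directory AcceptSecurityContext error identifies why the bind DN was rejected (525 is "user not found", 52e is "wrong password"), and this Python script pulls that field out of libldap `debug 1` output and translates it. The sample trace line is copied from the post; the function and constant names are my own.

```python
import re

# Documented sub-codes carried in the "data NNN" field of an Active Directory
# AcceptSecurityContext bind failure (LDAP result code 49, invalidCredentials).
AD_BIND_DATA_CODES = {
    "525": "user not found (the bind DN does not exist in the directory)",
    "52e": "invalid credentials (the password is wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the diagnostic string AD returns, e.g.
# "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece"
_DIAG_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)

def parse_ad_bind_error(line):
    """Return the parsed fields of an AD LdapErr diagnostic found in one log
    line, with the 'data' sub-code translated, or None if the line has none."""
    m = _DIAG_RE.search(line)
    if m is None:
        return None
    info = m.groupdict()
    info["data"] = info["data"].lower()   # AD prints it in either case
    info["meaning"] = AD_BIND_DATA_CODES.get(info["data"], "unknown sub-code")
    return info

def diagnose_debug_output(text):
    """Scan libldap 'debug 1' output and return the first bind diagnosis, if any."""
    for line in text.splitlines():
        if "res_errno: 49" in line:          # 49 = LDAP_INVALID_CREDENTIALS
            info = parse_ad_bind_error(line)
            if info is not None:
                return info
    return None

# Constructed sample, copied from the debug trace quoted in the thread above.
SAMPLE_DEBUG = """\
ldap_chase_referrals
new result: res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece>, res_matched: <>
"""
```

Run against the trace in the post, `diagnose_debug_output(SAMPLE_DEBUG)` reports data 525, meaning the `binddn` itself was not found rather than that its password was wrong.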

cbtg2006 04-21-2006 06:50 AM

OK, well the same LDAP.conf works with the openldap.conf in FC5 without any problems.

I can use getent passwd|grep chris

And it displays correctly, without error.

Can anyone tell me how to get pam_mount working in FC5?

Also how to configure /etc/pam.d/login as the config appears to not be the same as FC4. If I use my /etc/pam.d/login file I cannot login at the cli. I want to be able to log into gdm and cli with ldap users.

Cheers,
