LinuxQuestions.org
Old 04-20-2006, 09:49 AM   #1
cbtg2006
LQ Newbie
 
Registered: Apr 2006
Posts: 10

Rep: Reputation: 0
Fedora Core 4 and Windows Server 2003 Active Directory LDAP Bind Error


Hi guys,

We're conducting an open source experiment, and I'm having serious issues getting a FC4 box to bind with our domain.

I have installed SFU 3.5 on both our Win 2k3 domain controllers;

camb-dc1.cambridge.news (10.0.20.1)
camb-dc2.cambridge.news (10.0.20.2)

I have configured several POSIX compliant users and a UNIX group that is associated with them.

I have created a bind account, and have given it permission to read all attributes in AD.

I have been following this guide:


I had everything working a few days ago, but the machine I was working on died. I have since tried to set up another two machines and they will not bind with AD.


I have configured my /etc/krb5.conf as follows:


[libdefaults]
default_realm = CAMBRIDGE.NEWS
ticket_lifetime = 24h
clockskew = 300
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
CAMBRIDGE.NEWS = {
kdc = 10.0.20.1:88
kdc = 10.0.20.2:88
admin_server = 10.0.20.1:749
}

[domain_realm]
.cambridge.news = CAMBRIDGE.NEWS
cambridge.news = CAMBRIDGE.NEWS


I have configured my /etc/openldap/ldap.conf as follows:

HOST camb-dc1.cambridge.news camb-dc2.cambridge.news
BASE dc=cambridge,dc=news
TLS_CACERTDIR /etc/openldap/certs

I have configured my /etc/ldap.conf as follows:

####################### /etc/ldap.conf ###########################
#Stay away from spaces, LDAP does not like them.
# Your LDAP server. Must be resolvable without using LDAP.
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
# debug use this to determine errors
debug 1
host camb-dc1.cambridge.news camb-dc2.cambridge.news
base dc=cambridge,dc=news
binddn cn=dirsearch,cn=Users,dc=cambridge,dc=news
bindpw dirsearch
#rootbinddn cn=administrator,cn=users,dc=openad,dc=local
port 389
timelimit 30
#ssl start_tls
ssl no
#tls_checkpeer yes
#tls_cacertfile /etc/ssl/certs/adcert.pem
scope sub
#Active Directory Mappings
#
pam_password ad
nss_base_passwd dc=cambridge,dc=news?sub
nss_base_shadow dc=cambridge,dc=news?sub
nss_base_group dc=cambridge,dc=news?sub
pam_login_attribute sAMAccountName
pam_member_attribute msSFU30PosixMember
pam_filter objectclass=User
pam_groupdn cn=LinuxUsers,dc=cambridge,dc=news
# Update Active Directory password, by creating Unicode password
# and updating unicodePwd attribute.
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
tls_cacertdir /etc/openldap/cacerts
######################## END /etc/ldap.conf ####################

I have also added to /etc/nsswitch.conf:

passwd: files ldap
shadow: files ldap
group: files ldap


The error I get if I try to run getent passwd|grep chrisbradford is:

ldap_create
ldap_create
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP camb-dc1.cambridge.news:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 10.0.20.1:389
ldap_connect_timeout: fd: 4 tm: 30 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 71 bytes to sd 4
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
wait4msg (timeout 30 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 0
** Connections:
* host: camb-dc1.cambridge.news port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Apr 20 14:29:43 2006

** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 0
ber_get_next
ber_get_next: tag 0x30 len 103 contents:
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_scanf fmt ({iaa}) ber:
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 1
new result: res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece>, res_matched: <>
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 4
ldap_free_connection: actually freed

I am aware that this is an authentication error, but I can assure you I have checked this several times. I also reset the password on the account to bring the UNIX password attribute up to date.

I have also tried to bind with an Administrator account.

Also if I run:

ldapsearch x -D "cn=Administrator,cn=Users,dc=cambridge,dc=news" -W "sAMAccountName=del"

Then enter the password I get:

Enter LDAP Password:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:

Please can someone help me?! I have no idea where to go with this now. I have checked and double checked the guide and everything seems to check out.

The fact that it was working fine before also makes no sense.

Thank you,

Chris Bradford
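The libldap trace above ends in LDAP result 49 (invalidCredentials), but the useful detail is the Active Directory sub-code in the res_error string: "data 525" means the bind DN was not found, which is a different failure from "data 52e" (DN found, wrong password). The following is an added example, not code from the original post, that decodes that diagnostic string from a debug trace and audits the posted ldap.conf for the way the bind credential is handled ("ssl no" with a bindpw means the dirsearch password crosses the wire in cleartext on port 389, and nss_ldap needs the file world-readable). The sample trace line and config excerpt are copied from the post; the function names and the code table are this example's own.

```python
"""Decode the AD bind-failure diagnostic from a libldap debug trace and
audit a pam_ldap/nss_ldap ldap.conf for credential-exposure problems.
Added example for this thread; not part of the original post."""
import re

# Well-known "data" sub-codes Active Directory returns inside the
# "AcceptSecurityContext error" string of a failed simple bind.
AD_BIND_DATA_CODES = {
    "525": "user not found: the bind DN / login name does not exist",
    "52e": "invalid credentials: the DN exists but the password is wrong",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the res_error line libldap prints with "debug 1" (as in the trace above).
AD_ERROR_RE = re.compile(
    r"res_errno:\s*(?P<errno>\d+),\s*res_error:\s*<"
    r"(?P<hresult>[0-9A-Fa-f]{8}):\s*LdapErr:\s*(?P<dsid>DSID-[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9a-fA-F]+)"
)

# Copied from the debug output in the post.
SAMPLE_TRACE = (
    "new result: res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090334, "
    "comment: AcceptSecurityContext error, data 525, vece>, res_matched: <>"
)

# Excerpt of the /etc/ldap.conf in the post (constructed excerpt, same settings).
SAMPLE_CONF = """\
debug 1
host camb-dc1.cambridge.news camb-dc2.cambridge.news
base dc=cambridge,dc=news
binddn cn=dirsearch,cn=Users,dc=cambridge,dc=news
bindpw dirsearch
port 389
#ssl start_tls
ssl no
#tls_checkpeer yes
"""


def decode_bind_error(trace):
    """Return a dict describing the first AD bind failure found in a libldap
    debug trace, or None if the trace contains no such line."""
    m = AD_ERROR_RE.search(trace)
    if m is None:
        return None
    data = m.group("data").lower()
    return {
        "ldap_errno": int(m.group("errno")),  # 49 = invalidCredentials
        "dsid": m.group("dsid"),
        "data": data,
        "meaning": AD_BIND_DATA_CODES.get(data, "unrecognised data code"),
    }


def audit_ldap_conf(text):
    """Flag settings in a pam_ldap/nss_ldap ldap.conf that expose the bind
    credential. Returns a list of finding strings (empty means nothing found)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and commented-out options carry no setting
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    findings = []
    has_pw = "bindpw" in settings
    if has_pw and settings.get("ssl", "no") == "no":
        findings.append("bindpw is sent in cleartext: 'ssl no' with a bindpw set "
                        "(use 'ssl start_tls' or ldaps and set tls_checkpeer yes)")
    if has_pw:
        findings.append("bindpw stored in ldap.conf, which nss_ldap needs world-readable; "
                        "keep that account read-only and use rootbinddn with "
                        "/etc/ldap.secret (mode 0600) for any privileged bind")
    if settings.get("ssl") == "start_tls" and settings.get("tls_checkpeer") != "yes":
        findings.append("TLS enabled but tls_checkpeer is not 'yes', so the "
                        "server certificate is not verified")
    return findings


if __name__ == "__main__":
    print(decode_bind_error(SAMPLE_TRACE))
    for finding in audit_ldap_conf(SAMPLE_CONF):
        print("finding:", finding)
```

Run against the trace in the post, decode_bind_error reports data 525 ("user not found"), which points at the bind DN itself rather than the password; a quick way to confirm that from the client side is a simple bind with ldapsearch -x (without -x, OpenLDAP's ldapsearch attempts SASL, which is what the "no mechanism available" message reflects). The audit on the posted config produces two findings: the cleartext bind over port 389 and the password stored in a world-readable file.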
 
Old 04-21-2006, 06:50 AM   #2
cbtg2006
LQ Newbie
 
Registered: Apr 2006
Posts: 10

Original Poster
Rep: Reputation: 0
OK, well the same LDAP.conf works with the openldap.conf in FC5 without any problems.

I can use getent passwd | grep chris

And it displays correctly, without error.

Can anyone tell me how to get pam_mount working in FC5?

Also how to configure /etc/pam.d/login as the config appears to not be the same as FC4. If I use my /etc/pam.d/login file I cannot log in at the CLI. I want to be able to log into gdm and the CLI with LDAP users.

Cheers,
 
  

