LinuxQuestions.org

Forum: Linux - Newbie
Thread: Configuring Active Directory users authentication on Cent-OS boxes (http://www.linuxquestions.org/questions/linux-newbie-8/configuring-active-directory-users-authentication-on-cent-os-boxes-4175433452/)

skimeer 10-22-2012 03:26 AM

Configuring Active Directory users authentication on Cent-OS boxes
 
Hello,

I am trying to authenticate AD users on a CentOS box. I have installed AD on my test machine. From CentOS, I can do an ldapsearch against it.

However, when I try to authenticate as one of those users, it gives this error in /var/log/messages:

Code:

failed to bind to LDAP server ldap://10.55.199.117/: Server is unwilling to perform
Also, I have some basic questions about this scenario:

1. Is configuring Kerberos authentication required for this setup to work?
2. Does the machine need to be joined to AD for users to get authenticated? That is, do I need to add DNS server entries in /etc/resolv.conf?

acid_kewpie 10-22-2012 03:30 AM

1. No, not at all. You can do the entire thing with just LDAP.
2. No.

Given you're not using SSL there, I would generically say look at the LDAP request being made and compare it to your manual bind, using Wireshark.

skimeer 10-22-2012 03:53 AM

Hi acid_kewpie,

Thanks for clearing up my doubt. I am now installing Wireshark and will check with that.

I have tried with a new machine pointing to the same AD. I used authconfig-tui to enable the authentication. Now when I try to use
Code:

getent passwd
it does not list AD users, and /var/log/messages shows the errors below:


Code:

Oct 22 10:12:36 br0212 su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 22 10:12:40 br0212 su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 22 10:12:48 br0212 su: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 22 10:13:04 br0212 su: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...


My /etc/ldap.conf, with the commented lines removed, is as below:

Code:

base dc=test,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://10.55.199.114/
tls_cacertdir /etc/openldap/cacerts
pam_password md5

Does /etc/ldap.conf have any issues?

acid_kewpie 10-22-2012 04:32 AM

Well, you already have 2 different IP addresses in use there: .114 vs .117... what's that about? There are no bind credentials there; is AD allowing anonymous binds?

skimeer 10-22-2012 04:40 AM

Hi acid_kewpie,

Sorry for the confusion; actually .117 is the OpenLDAP server and .114 is the AD server. Earlier, similar messages were coming for .117 too, but that was an issue with my network: from my client, I was not able to reach .117 on port 389. After resolving that, my authentication with OpenLDAP is working fine.

Now I want to do the same with AD, but I am getting the above messages.

To get the dump, I tried the tcpdump command on the client end [CentOS]. When I ran tcpdump, it did not show any messages. However, /var/log/messages gives
Code:

Oct 22 11:04:18 br0212 nscd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 22 11:04:19 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 22 11:04:19 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Oct 22 11:04:19 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Oct 22 11:04:20 br0212 tcpdump: nss_ldap: could not search LDAP server - Server is unavailable
Oct 22 11:04:20 br0212 kernel: device eth0 left promiscuous mode
Oct 22 11:04:21 br0212 kernel: device eth0 entered promiscuous mode
Oct 22 11:04:26 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 22 11:04:30 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 22 11:04:34 br0212 nscd: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Oct 22 11:04:38 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 22 11:04:54 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...


acid_kewpie 10-22-2012 04:42 AM

tcpdump won't decode the LDAP protocol; you really need to capture with Wireshark / tshark / tcpdump and look at the capture in Wireshark.

So can you do an ldapsearch against AD or not?

skimeer 10-22-2012 04:46 AM

Hi,

OK, I will capture to a file and check.

Yes, my ldapsearch is working with AD:

Code:

[root@DevMMC2 ~]# ldapsearch -x -LLL -D 'test\Administrator' -H  ldap://10.55.199.114 -b "dc=test,dc=com" -w '$unsolaris123' "(cn=pradip)"
dn: CN=pradip,CN=Users,DC=test,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: pradip
givenName: pradip
distinguishedName: CN=pradip,CN=Users,DC=test,DC=com
instanceType: 4
whenCreated: 20121019085606.0Z
whenChanged: 20121019085835.0Z
displayName: pradip
uSNCreated: 16764
memberOf: CN=test1,CN=Users,DC=test,DC=com
uSNChanged: 16787
name: pradip
objectGUID:: Itw7DxX+k06dgZjduugpEg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129951105661512658
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA7o8yjRVCYHR3V485XwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pradip
sAMAccountType: 805306368
userPrincipalName: pradip@test.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com
dSCorePropagationData: 20121022084440.0Z
dSCorePropagationData: 16010101000001.0Z
unixUserPassword: ABCD!efgh12345$67890
uid: pradip
msSFU30Name: pradip
msSFU30NisDomain: test
uidNumber: 10005
gidNumber: 10000
unixHomeDirectory: /home/pradip
loginShell: /bin/sh

# refldap://test.com/CN=Configuration,DC=test,DC=com


acid_kewpie 10-22-2012 04:47 AM

Right, so you have a bind DN there, but none in ldap.conf; sounds like a good starting point.

skimeer 10-22-2012 05:25 AM

Added this entry in /etc/ldap.conf:

Code:

binddn cn=Administrator,cn=users,dc=test,dc=com
But I get the same error messages.

acid_kewpie 10-22-2012 05:33 AM

Is there a password?

I'd suggest you look at Wireshark to see the difference between the two queries; it's so useful.

skimeer 10-22-2012 06:02 AM

Yes, AD has a password set for Administrator, but I have enabled anonymous access on AD. Do we need to pass it from the client using some file?

Wireshark is not giving much info on the packets; I am debugging that further.

acid_kewpie 10-22-2012 06:08 AM

LDAP on port 389: Wireshark will break it all down very nicely; you'll get more information about the LDAP queries than you thought existed in the first place. Unless you've got TLS running on it too, but that's probably not the case.

skimeer 10-22-2012 10:53 AM

Well, I might have got the cause.

Below is a tcpdump extract for two queries with AD.

1. Successful ldapsearch command.

Code:

0+...`&.....test\Administrator.
$unsolaris1230........a.....
......04...c/..dc=test,dc=com
..
...............cn..pradip0.0....V...d....M.!CN=pradip,CN=Users,DC=test,DC=com0....$0....<..objectClass1....)..top..person..organizationalPerson..user0.......cn1.......pradip0.......title1.......ldap-support0.......givenName1.......pradip0....<..distinguishedName1....#.!CN=pradip,CN=Users,DC=test,DC=com0.......instanceType1.......40....&..whenCreated1.......20121019085606.0Z0....&..whenChanged1.......20121022120950.0Z0.......displayName1.......pradip0......
uSNCreated1.......167640....^..memberOf1....N.*CN=seachange-login,CN=Users,DC=test,DC=com. CN=test1,CN=Users,DC=test,DC=com0......
uSNChanged1.......173180.......name1.......pradip0....$.
objectGUID1.......".;....N......).0....!..userAccountControl1.......660480.......badPwdCount1.......00.......codePage1.......00.......countryCode1.......00.......badPasswordTime1.......00......
lastLogoff1.......00.......lastLogon1.......00....&.
pwdLastSet1.......1299511056615126580.......primaryGroupID1.......5130..../..objectSid1.....................2..B`twW.9_...0....+..accountExpires1.......92233720368547758070......
logonCount1.......00.......sAMAccountName1.......pradip0....!..sAMAccountType1.......8053063680....*..userPrincipalName1.......pradip@test.com0....K..objectCategory1....5.3CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com0....C..dSCorePropagationData1....&..20121022084440.0Z..16010101000001.0Z0.......unixUserPassword1.......ABCD!efgh12345$678900.......uid1.......pradip0.......msSFU30Name1.......pradip0.......msSFU30NisDomain1.......test0.......uidNumber1.......100050.......gidNumber1.......100010....'..unixHomeDirectory1......./home/pradip0......
loginShell1......./bin/sh0....:...s....1./ldap://test.com/CN=Configuration,DC=test,DC=com0........e.....
......0....B.

2. Failed su command

Code:

04...`/....(cn=Administrator,cn=users,dc=test,dc=com..0........a.....
......0.....c....dc=test,dc=com
..
.......x....,....objectClass..posixAccount.
..uid..vikram0i..uid..userPassword..uidNumber..gidNumber..cn.
homeDirectory.
loginShell..gecos..description..objectClass0........e.....
..........000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0.0....B


I have observed two things:

1. For the su request it's not able to bind with AD, maybe because it's not getting the password.
2. The search query for su uses the filter (&(objectclass=posixAccount)(uid=pradip))

Hence:

1. I need to pass the password for the Administrator bind.
2. Somehow the AD users are not POSIX enabled, so I need to enable them.

Please comment on this if I am shooting in the wrong direction :)

acid_kewpie 10-22-2012 01:44 PM

Yet again, please use Wireshark to inspect the captures.

Although even from that binary garbage you can see you need to do a bind.
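Decoding that 'Follow TCP stream' output properly, as an added example that is not part of the thread: the dump starts with "0+" and "`&", which are BER for SEQUENCE of length 43 and [APPLICATION 0] (BindRequest) of length 38, and the bind name and password then follow as plain OCTET STRINGs. The script below re-creates that BindRequest from the name and password visible in the dump, decodes it back, and walks a concatenated stream the way Wireshark does. The server's BindResponse here is constructed (resultCode 53, the "unwilling to perform" from the first post), not captured; the three-entry result-code table is a subset of the codes in RFC 4511.

```python
"""Decode the LDAP simple-bind exchange that ldapsearch / nss_ldap send to port 389.

Added example, not code from the thread. The client BindRequest is rebuilt from the
name/password visible in the posted 'Follow TCP stream' dump; the server reply is
constructed. A simple bind carries the password as a plain OCTET STRING, so with a
ldap:// uri and no start_tls it is readable by anyone on the path.
"""

# BER tags used by LDAPMessage (RFC 4511 / X.690)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61   # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80     # AuthenticationChoice simple [0]: the cleartext password

# Subset of LDAP resultCode values (RFC 4511, Appendix A)
RESULT_CODES = {0: "success", 1: "operationsError", 49: "invalidCredentials",
                52: "unavailable", 53: "unwillingToPerform"}


def ber_length(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(tag: int, value: int) -> bytes:
    """Minimal two's-complement INTEGER/ENUMERATED encoding for non-negative values."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos; reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:end], end


def expect(buf: bytes, pos: int, tag: int):
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return value, nxt


def encode_bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, name, simple password } }."""
    bind = (ber_int(TAG_INTEGER, 3)
            + tlv(TAG_OCTET_STRING, name.encode("utf-8"))
            + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id) + tlv(TAG_BIND_REQUEST, bind))


def encode_bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """LDAPMessage { messageID, bindResponse { resultCode, matchedDN "", diagnosticMessage } }."""
    result = (ber_int(TAG_ENUMERATED, result_code)
              + tlv(TAG_OCTET_STRING, b"")
              + tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")))
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id) + tlv(TAG_BIND_RESPONSE, result))


def decode_ldap_message(buf: bytes, pos: int = 0):
    """Decode one LDAPMessage (bind request/response only); return (dict, next_pos)."""
    msg, nxt = expect(buf, pos, TAG_SEQUENCE)
    mid, p = expect(msg, 0, TAG_INTEGER)
    out = {"messageID": int.from_bytes(mid, "big", signed=True)}
    op_tag, op, _ = read_tlv(msg, p)
    if op_tag == TAG_BIND_REQUEST:
        version, p = expect(op, 0, TAG_INTEGER)
        name, p = expect(op, p, TAG_OCTET_STRING)
        auth_tag, cred, _ = read_tlv(op, p)
        out.update(op="bindRequest", version=int.from_bytes(version, "big"),
                   name=name.decode("utf-8", "replace"))
        if auth_tag == TAG_SIMPLE_AUTH:        # the password is right there in the stream
            out.update(auth="simple", password=cred.decode("utf-8", "replace"))
        else:
            out.update(auth=f"sasl/other (tag 0x{auth_tag:02x})", password=None)
    elif op_tag == TAG_BIND_RESPONSE:
        code, p = expect(op, 0, TAG_ENUMERATED)
        matched, p = expect(op, p, TAG_OCTET_STRING)
        diag, _ = expect(op, p, TAG_OCTET_STRING)
        rc = int.from_bytes(code, "big")
        out.update(op="bindResponse", resultCode=rc, result=RESULT_CODES.get(rc, "other"),
                   matchedDN=matched.decode("utf-8", "replace"),
                   diagnosticMessage=diag.decode("utf-8", "replace"))
    else:
        raise ValueError(f"unsupported protocolOp tag 0x{op_tag:02x}")
    return out, nxt


def decode_stream(buf: bytes) -> list:
    """Walk a concatenated TCP stream of LDAPMessages, as 'Follow TCP stream' shows it."""
    out, pos = [], 0
    while pos < len(buf):
        msg, pos = decode_ldap_message(buf, pos)
        out.append(msg)
    return out


# Constructed sample: the bind ldapsearch sent in the thread (name and password as
# posted; the bytes begin with "0+" and "`&" like the dump) plus an assumed reply.
CLIENT_BIND = encode_bind_request(1, "test\\Administrator", "$unsolaris123")
SERVER_REPLY = encode_bind_response(1, 53, "constructed: server is unwilling to perform")

if __name__ == "__main__":
    for m in decode_stream(CLIENT_BIND + SERVER_REPLY):
        print(m)
```

Run it and the first decoded message shows `auth: simple` with the domain Administrator password in the clear, which is exactly what a capture on port 389 gives anyone between the client and the DC; that is the argument for `ssl start_tls` in ldap.conf and for binding nss_ldap as a low-privilege read-only account rather than Administrator.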

skimeer 10-22-2012 02:02 PM

Yes, I have used Wireshark, but pasted the results I get using the 'Follow TCP stream' option.

Anyway, now the issue is with the bind with AD. I have googled and found that maybe I have to pass the password through /etc/ldap.conf. However, I have enabled anonymous users to have read access on AD.

Is there any other things to be checked?
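The thread stops without a fix, so here is an added example (not code from the thread or from the nss_ldap project) that checks an /etc/ldap.conf for the problems raised above: a binddn with no bindpw (the failed su stream shows the bind going out without a password and AD answering that a successful bind is required), a cleartext ldap:// uri with no start_tls, pam_password md5 against AD, and the default (&(objectClass=posixAccount)(uid=...)) lookup filter, which the posted user cannot match because its objectClass values are top/person/organizationalPerson/user even though it carries uid, uidNumber and gidNumber. Directive names are those of the PADL nss_ldap/pam_ldap ldap.conf used on CentOS 5/6. The posted config is embedded as-is; the hardened version, its service-account DN and its CA file name are assumptions.

```python
"""Audit a PADL nss_ldap/pam_ldap /etc/ldap.conf for the problems this thread runs into.

Added example, not code from the thread or the nss_ldap project. POSTED_CONF is the
thread's ldap.conf plus the binddn line added later; HARDENED_CONF is a constructed
fix (its service account DN and CA file are assumptions).
"""
import stat

POSTED_CONF = """\
base dc=test,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
uri ldap://10.55.199.114/
tls_cacertdir /etc/openldap/cacerts
pam_password md5
binddn cn=Administrator,cn=users,dc=test,dc=com
"""

# With rootbinddn the password lives in /etc/ldap.secret (mode 0600), not in ldap.conf.
HARDENED_CONF = """\
base dc=test,dc=com
uri ldap://10.55.199.114/
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ad-root-ca.pem
tls_checkpeer yes
rootbinddn cn=nss-reader,cn=Users,dc=test,dc=com
pam_password ad
nss_map_objectclass posixAccount user
"""


def parse_ldap_conf(text: str) -> dict:
    """Map each directive (lower-cased) to the list of values given for it; '#' is a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_ldap_conf(text: str, file_mode: int = 0o644, active_directory: bool = True) -> list:
    """Return [(severity, directive, message)] for every problem found (empty when clean)."""
    conf = parse_ldap_conf(text)

    def last(key, default=""):
        return conf.get(key, [default])[-1]

    findings = []
    uri = last("uri")
    tls = last("ssl", "no").lower() in ("start_tls", "on", "yes") or uri.startswith("ldaps://")
    if not tls:
        findings.append(("high", "uri",
                         "cleartext LDAP: the simple-bind password and every lookup are readable "
                         "on the wire; add 'ssl start_tls' (or an ldaps:// uri)"))
    elif last("tls_checkpeer", "no").lower() != "yes":
        findings.append(("medium", "tls_checkpeer",
                         "TLS is on but the server certificate is not verified; set "
                         "'tls_checkpeer yes' and point tls_cacertfile/tls_cacertdir at the CA"))

    if "binddn" in conf and "bindpw" not in conf and "rootbinddn" not in conf:
        findings.append(("high", "binddn",
                         "binddn without bindpw: the bind goes out with an empty password, the "
                         "server treats the connection as unauthenticated and rejects the search"))
    if "bindpw" in conf and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("high", "bindpw",
                         f"bind password in a file with mode {file_mode:04o}; use rootbinddn "
                         "and keep the password in /etc/ldap.secret with mode 0600"))

    if active_directory:
        if last("pam_password").lower() != "ad":
            findings.append(("low", "pam_password",
                             "AD does not take userPassword/md5 password changes; use "
                             "'pam_password ad' (requires TLS)"))
        maps = [v.lower().split() for v in conf.get("nss_map_objectclass", [])]
        if ["posixaccount", "user"] not in maps:
            findings.append(("high", "nss_map_objectclass",
                             "passwd lookups use (&(objectClass=posixAccount)(uid=...)); AD user "
                             "objects carry class 'user', so add 'nss_map_objectclass posixAccount user'"))
    return findings


if __name__ == "__main__":
    for severity, directive, message in audit_ldap_conf(POSTED_CONF):
        print(f"[{severity}] {directive}: {message}")
    print("hardened config findings:", audit_ldap_conf(HARDENED_CONF))
```

Two things the checker cannot see but a practitioner should still do: the account in rootbinddn should be a dedicated read-only user rather than the domain Administrator, and once start_tls is on, re-capture on port 389 to confirm the bind and search are inside the TLS session before trusting the setup.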

