LinuxQuestions.org
Old 10-22-2012, 03:26 AM   #1
skimeer
Member
 
Registered: Jun 2007
Posts: 55
Blog Entries: 1

Rep: Reputation: 0
Configuring Active Directory user authentication on CentOS boxes


Hello,

I am trying to authenticate AD users on a CentOS box. I have installed AD on my test machine. From CentOS, I can do an ldapsearch against it.

However, when I try to authenticate as one of those users, it gives an error in /var/log/messages:

Code:
 failed to bind to LDAP server ldap://10.55.199.117/: Server is unwilling to perform
Also, I have some basic questions on this scenario:

1. Is configuring Kerberos authentication required for this setup to work?
2. Does the machine need to be added to AD for users to get authenticated? I mean, do I need to add DNS server entries in /etc/resolv.conf?
 
Old 10-22-2012, 03:30 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
1. No, not at all. You can do the entire thing with just LDAP.
2. No.

Given you're not using SSL there, I would generically say look at the LDAP request being done and compare that to your manual bind, using Wireshark.
 
Old 10-22-2012, 03:53 AM   #3
skimeer
Member
 
Registered: Jun 2007
Posts: 55
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Hi acid_kewpie,

Thanks for clearing my doubt. I am now installing Wireshark and will check with that.

I have tried with a new machine pointing to the same AD. I have used authconfig-tui to enable the authentication. Now when I try to use
Code:
getent passwd
it does not list AD users, and /var/log/messages shows the errors below:


Code:
Oct 22 10:12:36 br0212 su: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 22 10:12:40 br0212 su: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 22 10:12:48 br0212 su: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 22 10:13:04 br0212 su: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...

My /etc/ldap.conf, with the commented lines removed, is as below:

Code:
base dc=test,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://10.55.199.114/
tls_cacertdir /etc/openldap/cacerts
pam_password md5
Does /etc/ldap.conf have any issues?
 
Old 10-22-2012, 04:32 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
Well, you already have 2 different IP addresses in use there - .114 vs .117... what's that about? There are no bind credentials there; is AD allowing anonymous binds?
 
Old 10-22-2012, 04:40 AM   #5
skimeer
Member
 
Registered: Jun 2007
Posts: 55
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Hi acid_kewpie,

Sorry for the confusion; actually .117 is the OpenLDAP server and .114 is the AD server. Earlier, similar messages were coming for .117 as well, but that was an issue with my network: from my client, I was not able to reach .117 on port 389. After resolving that, my authentication with OpenLDAP is working fine.

Now I want to do the same with AD, but I am getting the above messages.

To get the dump, I have tried the tcpdump command on the client end [CentOS]. When I tried tcpdump, it does not show any messages. However, /var/log/messages gives:
Code:
Oct 22 11:04:18 br0212 nscd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 22 11:04:19 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 22 11:04:19 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Oct 22 11:04:19 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Oct 22 11:04:20 br0212 tcpdump: nss_ldap: could not search LDAP server - Server is unavailable
Oct 22 11:04:20 br0212 kernel: device eth0 left promiscuous mode
Oct 22 11:04:21 br0212 kernel: device eth0 entered promiscuous mode
Oct 22 11:04:26 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 22 11:04:30 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 22 11:04:34 br0212 nscd: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Oct 22 11:04:38 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 22 11:04:54 br0212 tcpdump: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
 
Old 10-22-2012, 04:42 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
tcpdump won't decode the LDAP protocol; you really need to capture with Wireshark / tshark / tcpdump and look at the capture in Wireshark.

So can you do an ldapsearch to AD or not??
 
Old 10-22-2012, 04:46 AM   #7
skimeer
Member
 
Registered: Jun 2007
Posts: 55
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Hi,

OK, I will take a capture to a file and check.

Yes, my ldapsearch is working with AD:

Code:
[root@DevMMC2 ~]# ldapsearch -x -LLL -D 'test\Administrator' -H  ldap://10.55.199.114 -b "dc=test,dc=com" -w '$unsolaris123' "(cn=pradip)"
dn: CN=pradip,CN=Users,DC=test,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: pradip
givenName: pradip
distinguishedName: CN=pradip,CN=Users,DC=test,DC=com
instanceType: 4
whenCreated: 20121019085606.0Z
whenChanged: 20121019085835.0Z
displayName: pradip
uSNCreated: 16764
memberOf: CN=test1,CN=Users,DC=test,DC=com
uSNChanged: 16787
name: pradip
objectGUID:: Itw7DxX+k06dgZjduugpEg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129951105661512658
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA7o8yjRVCYHR3V485XwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pradip
sAMAccountType: 805306368
userPrincipalName: pradip@test.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com
dSCorePropagationData: 20121022084440.0Z
dSCorePropagationData: 16010101000001.0Z
unixUserPassword: ABCD!efgh12345$67890
uid: pradip
msSFU30Name: pradip
msSFU30NisDomain: test
uidNumber: 10005
gidNumber: 10000
unixHomeDirectory: /home/pradip
loginShell: /bin/sh

# refldap://test.com/CN=Configuration,DC=test,DC=com
 
Old 10-22-2012, 04:47 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
Right, so you have a binddn there, but none in ldap.conf; sounds like a good starting point.
 
Old 10-22-2012, 05:25 AM   #9
skimeer
Member
 
Registered: Jun 2007
Posts: 55
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Added an entry in /etc/ldap.conf:

Code:
binddn cn=Administrator,cn=users,dc=test,dc=com
But the same error messages.
 
Old 10-22-2012, 05:33 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
Is there a password?

I'd suggest you look at Wireshark to see the difference in the two queries; it's so useful.
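The checks acid_kewpie is walking through here (no bind credentials in post #4, a binddn without a password in post #9) can be run against the file itself. The following Python script is an added example, not code from the thread or from nss_ldap: it parses the keyword/value layout of the PADL nss_ldap/pam_ldap /etc/ldap.conf used on CentOS 5 and reports the bind problems that matter in this thread. The sample config embedded in it is constructed from the one posted in #3 plus the binddn from #9; any bind password value used with it is a placeholder.

```python
"""Consistency check for an nss_ldap/pam_ldap style /etc/ldap.conf (added example)."""
import stat

# Constructed sample: the ldap.conf from post #3 plus the binddn added in post #9.
SAMPLE_LDAP_CONF = """\
base dc=test,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,nscd,gdm
uri ldap://10.55.199.114/
tls_cacertdir /etc/openldap/cacerts
pam_password md5
binddn cn=Administrator,cn=users,dc=test,dc=com
"""


def parse_ldap_conf(text):
    """Return {keyword: value}. ldap.conf keywords are case-insensitive and
    take the rest of the line as their value; '#' lines and blanks are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_bind_settings(conf, server_requires_bind=True, conf_mode=None):
    """Return a list of findings about the bind configuration (empty = nothing to report).

    server_requires_bind: True when the directory answers anonymous searches with
        'a successful bind must be completed on the connection' (the AD default).
    conf_mode: st_mode of the config file, when known, so a bindpw in a
        world-readable file can be flagged.
    """
    findings = []
    binddn = conf.get("binddn")
    bindpw = conf.get("bindpw")
    rootbinddn = conf.get("rootbinddn")

    if binddn and not bindpw:
        findings.append("binddn is set but bindpw is missing: nss_ldap falls back to an anonymous bind")
    if server_requires_bind and not (binddn and bindpw) and not rootbinddn:
        findings.append("server rejects anonymous searches and no usable bind credentials are configured")
    if bindpw and conf_mode is not None and conf_mode & stat.S_IROTH:
        findings.append("bindpw is in a world-readable file; keep it for a read-only account and use "
                        "rootbinddn with /etc/ldap.secret (mode 0600) for root-only lookups")
    if binddn and "cn=administrator" in binddn.lower():
        findings.append("binding as Administrator is more privilege than lookups need; use a dedicated read-only account")
    if conf.get("uri", "").startswith("ldap://") and conf.get("ssl", "no").lower() == "no":
        findings.append("bind credentials travel in clear text over ldap://; consider 'ssl start_tls' or an ldaps:// uri")
    return findings


if __name__ == "__main__":
    for finding in check_bind_settings(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print("-", finding)
```

Run it as is to see the findings for the constructed sample, or import `check_bind_settings` and pass `conf_mode=os.stat('/etc/ldap.conf').st_mode` for the real file. The rootbinddn / /etc/ldap.secret pair exists because nss_ldap reads ldap.conf as every user on the host, so a bindpw placed there is readable by every local account; a dedicated read-only directory account limits what that exposure is worth.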
 
Old 10-22-2012, 06:02 AM   #11
skimeer
Member
 
Registered: Jun 2007
Posts: 55
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Yes, AD has a password set for Administrator. But I have enabled anonymous access on AD. Do we need to pass it from the client using any file?

Wireshark is not giving much info on packets; I am debugging that further.
 
Old 10-22-2012, 06:08 AM   #12
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
LDAP on port 389: Wireshark will break it all down very nicely; you'll get more information about the LDAP queries than you thought existed in the first place. Unless you've got TLS running on it too, but that's probably not the case.
 
Old 10-22-2012, 10:53 AM   #13
skimeer
Member
 
Registered: Jun 2007
Posts: 55
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Well, I might have got the cause.

Below is the tcpdump extract for two queries with AD.

1. Successful ldapsearch command.

Code:
0+...`&.....test\Administrator.
$unsolaris1230........a.....
......04...c/..dc=test,dc=com
..
...............cn..pradip0.0....V...d....M.!CN=pradip,CN=Users,DC=test,DC=com0....$0....<..objectClass1....)..top..person..organizationalPerson..user0.......cn1.......pradip0.......title1.......ldap-support0.......givenName1.......pradip0....<..distinguishedName1....#.!CN=pradip,CN=Users,DC=test,DC=com0.......instanceType1.......40....&..whenCreated1.......20121019085606.0Z0....&..whenChanged1.......20121022120950.0Z0.......displayName1.......pradip0......
uSNCreated1.......167640....^..memberOf1....N.*CN=seachange-login,CN=Users,DC=test,DC=com. CN=test1,CN=Users,DC=test,DC=com0......
uSNChanged1.......173180.......name1.......pradip0....$.
objectGUID1.......".;....N......).0....!..userAccountControl1.......660480.......badPwdCount1.......00.......codePage1.......00.......countryCode1.......00.......badPasswordTime1.......00......
lastLogoff1.......00.......lastLogon1.......00....&.
pwdLastSet1.......1299511056615126580.......primaryGroupID1.......5130..../..objectSid1.....................2..B`twW.9_...0....+..accountExpires1.......92233720368547758070......
logonCount1.......00.......sAMAccountName1.......pradip0....!..sAMAccountType1.......8053063680....*..userPrincipalName1.......pradip@test.com0....K..objectCategory1....5.3CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com0....C..dSCorePropagationData1....&..20121022084440.0Z..16010101000001.0Z0.......unixUserPassword1.......ABCD!efgh12345$678900.......uid1.......pradip0.......msSFU30Name1.......pradip0.......msSFU30NisDomain1.......test0.......uidNumber1.......100050.......gidNumber1.......100010....'..unixHomeDirectory1......./home/pradip0......
loginShell1......./bin/sh0....:...s....1./ldap://test.com/CN=Configuration,DC=test,DC=com0........e.....
......0....B.
2. Failed su command.

Code:
04...`/....(cn=Administrator,cn=users,dc=test,dc=com..0........a.....
......0.....c....dc=test,dc=com
..
.......x....,....objectClass..posixAccount.
..uid..vikram0i..uid..userPassword..uidNumber..gidNumber..cn.
homeDirectory.
loginShell..gecos..description..objectClass0........e.....
..........000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0.0....B

I have observed two things:

1. For the su request, it's not able to bind with AD, maybe because it's not getting the password.
2. The search query for su is with the filter (&(objectclass=posixAccount)(uid=pradip))

Hence:

1. Need to pass the password for the Administrator bind.
2. Somehow AD users are not POSIX enabled, so need to enable them.

Please comment on this if I am shooting in the wrong direction.
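Observation 2 in this post can be checked directly against the entry that ldapsearch returned in post #7. The script below is an added example, not code from the thread or from nss_ldap: it emulates the passwd lookup nss_ldap performs (the filter (&(objectClass=posixAccount)(uid=name)) followed by the five passwd attributes), once with the default schema and once with the objectclass and attribute mapping commonly used for Active Directory entries carrying Services for UNIX (msSFU30) attributes, and prints the nss_map_objectclass / nss_map_attribute lines for /etc/ldap.conf that express that mapping. The LDIF entry embedded in it is a copy of the one in post #7 with the password attribute dropped; the mapping table is my assumption about what this directory needs, so verify each mapped attribute against your own ldapsearch output.

```python
"""Emulate nss_ldap's passwd lookup against an AD entry (added example)."""

# Copied from the ldapsearch output in post #7, password attribute removed.
SAMPLE_LDIF = """\
dn: CN=pradip,CN=Users,DC=test,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: pradip
sAMAccountName: pradip
userPrincipalName: pradip@test.com
uid: pradip
msSFU30Name: pradip
msSFU30NisDomain: test
uidNumber: 10005
gidNumber: 10000
unixHomeDirectory: /home/pradip
loginShell: /bin/sh
"""

# What nss_ldap looks for out of the box (RFC 2307 posixAccount).
DEFAULT_SCHEMA = {
    "objectclass": "posixAccount",
    "attrs": {"uid": "uid", "uidNumber": "uidNumber", "gidNumber": "gidNumber",
              "homeDirectory": "homeDirectory", "loginShell": "loginShell"},
}

# Assumed mapping for AD with SFU/msSFU30 attributes: the user object class
# stands in for posixAccount, the login name is sAMAccountName, and the UNIX
# home lives in unixHomeDirectory (homeDirectory in AD is the Windows path).
AD_SFU_SCHEMA = {
    "objectclass": "user",
    "attrs": {"uid": "sAMAccountName", "uidNumber": "uidNumber", "gidNumber": "gidNumber",
              "homeDirectory": "unixHomeDirectory", "loginShell": "loginShell"},
}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.
    The dn line, comments and base64 ('::') values are skipped."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if attr == "dn" or value.startswith(":"):
            continue
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def lookup_passwd(entry, username, schema):
    """Apply nss_ldap's passwd search to one entry.
    Returns (name, uid, gid, home, shell) or None when the entry would not match."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if schema["objectclass"].lower() not in classes:
        return None          # the (objectClass=...) part of the filter fails
    attrs = schema["attrs"]

    def first(posix_name):
        values = entry.get(attrs[posix_name].lower())
        return values[0] if values else None

    if first("uid") != username:
        return None          # the (uid=<name>) part of the filter fails
    fields = [first(a) for a in ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")]
    if any(f is None for f in fields):
        return None          # a required passwd field is absent; nss_ldap skips the entry
    return (fields[0], int(fields[1]), int(fields[2]), fields[3], fields[4])


def ldap_conf_mappings(schema):
    """Return the /etc/ldap.conf lines that make nss_ldap use this schema."""
    lines = []
    if schema["objectclass"] != "posixAccount":
        lines.append("nss_map_objectclass posixAccount %s" % schema["objectclass"])
    for posix_name, real_name in schema["attrs"].items():
        if posix_name != real_name:
            lines.append("nss_map_attribute %s %s" % (posix_name, real_name))
    return lines


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("default schema:", lookup_passwd(entry, "pradip", DEFAULT_SCHEMA))
    print("AD/SFU schema :", lookup_passwd(entry, "pradip", AD_SFU_SCHEMA))
    print("\n".join(ldap_conf_mappings(AD_SFU_SCHEMA)))
```

With the default schema the lookup returns None because the entry's objectClass values (top, person, organizationalPerson, user) never include posixAccount, which is why the su query in capture 2 cannot match this user even once the bind succeeds; with the mapping it returns ('pradip', 10005, 10000, '/home/pradip', '/bin/sh'). The entry here also carries a plain uid attribute from SFU, so the uid to sAMAccountName mapping is a convention rather than a requirement; if your own ldapsearch output lists posixAccount among the object classes, only the homeDirectory mapping is needed.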
 
Old 10-22-2012, 01:44 PM   #14
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
Yet again, please use Wireshark to inspect the captures.

Although even from that binary garbage you can see you need to do a bind.
 
Old 10-22-2012, 02:02 PM   #15
skimeer
Member
 
Registered: Jun 2007
Posts: 55
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Yes, I have used Wireshark, but pasted the results which I get using the 'Follow TCP stream' option.

Anyway, now the issue is with the bind with AD. I have googled and found that maybe I have to pass the password through /etc/ldap.conf. However, I have enabled anonymous users to have read access on AD.

Is there anything else to be checked?
 
  


Tags: active directory, centos5, ldap

