CentOS 5.9: getent passwd returns only local accounts.
Hi all,
Recently I tried to set up Kerberos + LDAP authentication against a Windows 2008 server for my CentOS 5.9 64-bit client, but I can't find domain users as I could on CentOS 5.10 64-bit. The config files are below; ports 389 and 88 are open, and an ldapsearch with the bind account also works fine.
Any help appreciated!
Note: I installed krb5-workstation, openldap-clients, nss_ldap and pam_krb5.
[root@xxx ~]# nc -zv x.x.7.34 389
Connection to x.x.7.34 389 port [tcp/ldap] succeeded!
[root@xxx ~]# nc -zv x.x.7.34 88
Connection to x.x.7.34 88 port [tcp/kerberos] succeeded!
[root@xxx ~]# nc -u -zv x.x.7.34 88
Connection to x.x.7.34 88 port [udp/kerberos] succeeded!
1. /etc/nsswitch.conf
# Lookup order for each database: local files first, then the LDAP
# source provided by nss_ldap (configured in /etc/ldap.conf).
# NOTE(review): "getent passwd" showing only local users means the ldap
# source returned nothing; the search base and attribute map in
# /etc/ldap.conf are the first things to check — confirm with an
# ldapsearch that uses the same base, scope and filter.
passwd: files ldap
shadow: files ldap
group: files ldap
2. /etc/pam.d/system-auth
# Authentication: local pam_unix first, then Kerberos for UID >= 500.
auth required pam_env.so
# nullok lets a local account with an empty password field log in;
# remove it unless empty passwords are deliberately allowed.
auth sufficient pam_unix.so nullok try_first_pass
# requisite: users whose UID is below 500, or who are unknown to NSS,
# stop here and never reach pam_krb5.
# NOTE(review): the UID is resolved through nsswitch, so a domain user
# that the LDAP lookup cannot return is treated as unknown at this line
# and Kerberos authentication is never attempted — confirm.
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
# Account checks: local accounts pass via pam_localuser or UID < 500;
# everyone else is checked by pam_krb5 (users unknown to it are ignored).
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
# Password changes: cracklib quality check, then local or Kerberos.
password requisite pam_cracklib.so try_first_pass retry=3
# md5 selects MD5 hashing for newly set local passwords; prefer sha512
# where this pam_unix build supports it.
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
# Session setup; pam_mkhomedir creates a missing home directory from
# /etc/skel with a 0077 umask (owner-only access).
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
3. /etc/krb5.conf
[libdefaults]
default_realm = x.x.COM
# DNS discovery is disabled for both realm and KDC, so the KDC is taken
# only from the [realms] entry below.
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
x.x.COM = {
kdc = x1-inf-dc-s01.cloud.x.com
admin_server =x1-inf-dc-s01.cloud.x.com
}
# Hosts in x.com and its subdomains are mapped to the realm above.
# NOTE(review): the realm name is expected to be the AD DNS domain in
# upper case; the redaction here makes that impossible to check — confirm.
[domain_realm]
x.com = x.x.COM
.x.com = x.x.COM
[appdefaults]
# NOTE(review): pam_krb5 reads "validate" from here; false skips checking
# the obtained ticket against a local host keytab, so a spoofed KDC would
# not be detected. Set it to true once this host has a keytab — confirm.
validate = false
4. /etc/ldap.conf
# nss_ldap / pam_ldap client configuration.
uri ldap://x.x.7.34/
# NOTE(review): this default base is dc=x,dc=x,dc=com while every other
# DN in the file sits under dc=cloud,dc=x,dc=com; unless that is only
# redaction, the default search base does not match the directory — confirm.
base dc=x,dc=x,dc=com
ldap_version 3
port 389
scope sub
# NOTE(review): "ssl no" sends the simple bind (binddn/bindpw below) and
# every lookup in clear text on port 389; prefer "ssl start_tls" or an
# ldaps:// URI with the server certificate verified.
ssl no
# Bind credentials. This file is normally world-readable, so the bind
# account should have read-only rights and the password be treated as a
# shared secret.
binddn CN=Linux-bind-user,OU=Service_accounts,OU=x,DC=cloud,DC=x,DC=com
bindpw xxxxx
# Map the RFC 2307 names nss_ldap expects onto the AD / Services for UNIX
# (msSFU30*) schema.
# NOTE(review): only accounts with these msSFU30 attributes populated can
# be returned as POSIX users; a domain user lacking msSFU30UidNumber will
# not appear in "getent passwd" — verify the test accounts have them.
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute gecos name
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute userPassword msSFU30Password
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
# Attribute holding the login name, and the filter for entries that are
# candidates for PAM authentication.
pam_login_attribute sAMAccountName
pam_filter objectclass=User
# Search bases; "?sub" searches the whole subtree. Users outside the
# OU=x,OU=Administrators,... subtree are invisible to passwd/shadow lookups.
nss_base_passwd OU=x,OU=Administrators,OU=x,dc=cloud,dc=x,dc=com?sub
nss_base_shadow OU=x,OU=Administrators,OU=x,dc=cloud,dc=x,dc=com?sub
nss_base_group OU=Groups,OU=x,dc=cloud,dc=x,dc=com?sub
# Password changes use the AD method.
# NOTE(review): AD rejects password changes over an unencrypted connection,
# so this cannot work together with "ssl no" above; system-auth routes
# password changes through pam_krb5 in any case — confirm which is intended.
pam_password ad
# Read by sudo's LDAP sudoers support, not by nss_ldap lookups.
sudoers_base CN=x-admins,OU=Groups,OU=x,DC=cloud,DC=x,DC=com