
fantasygoat 04-19-2011 04:55 PM

LDAP / Kerberos / Active Directory - Only *some* users appearing

I've got an LDAP / Kerberos / Active Directory setup (AD has the UNIX Attributes) for logging into our CentOS servers. Up until today I only had myself and my junior tech in the list of users, but now I've added some developers but they aren't appearing in the getent output.

Here are my configs.

/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.INT
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
EXAMPLE.INT = {
kdc = ldap.example.int:88
admin_server = ldap.example.int:749
default_domain = example.int
}

[domain_realm]
.example.int = EXAMPLE.INT
example.int = EXAMPLE.INT

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

/etc/ldap.conf

base dc=example,dc=int
uri ldap://ldap.example.int/
binddn winbind@example.int
bindpw xxx
ssl no
referrals no

nss_base_passwd dc=example,dc=int?sub
nss_base_shadow dc=example,dc=int?sub
nss_base_group dc=example,dc=int?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member

/etc/samba/smb.conf

workgroup = EXAMPLE
security = ads
realm = EXAMPLE.INT
use kerberos keytab = true
password server = ldap.example.int

/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so
auth required pam_deny.so

account sufficient pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_krb5.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_deny.so

password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session required pam_mkhomedir.so umask=0007
session required pam_limits.so
session required pam_unix.so

/etc/nsswitch.conf

passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: files

automount: files
aliases: files

Output from getent passwd:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
alex.max:*:10001:10:Alex Max:/home/alex.max:/bin/bash
jeremy.wilson:*:1000:10:Jeremy Wilson:/home/jwilson:/bin/tcsh

I can't see any differences between our AD accounts and those I've set up. We're in wheel, but so is another person and they are also not showing up.

If I update the group listings, all the groups appear in "getent group" and have the appropriate accounts in them.

Why would the two accounts I set up work but the others do not?

fantasygoat 04-20-2011 09:10 AM

Anyone have any ideas? This is driving me crazy. I've tried restarting the AD service on the Windows server, no difference. I've compared the raw LDAP records for myself and other users and can't find any differences that might cause this issue.

fantasygoat 04-20-2011 09:34 AM

Okay, I figured it out.

The user I was using to bind did not have the appropriate permissions - it was merely a Domain User rather than Domain Admin. Once I added that all the users appeared.

I have no idea why my assistant and my accounts appeared. Perhaps because we are Domain Admins?
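A way to confirm the root cause found above before touching group memberships, added here as an example (this is not code from the original post or from LinuxQuestions): nss_ldap only emits a passwd line for an entry in which it can read every mapped attribute (uidNumber, gidNumber, unixHomeDirectory, loginShell, cn), so a bind account that is denied read on the UNIX attributes of some users makes those users vanish from getent with no error. The script parses the LDIF that ldapsearch prints when run as the service bind DN and lists, per user, which required attributes were not visible. Running it twice, once bound as the service account and once as an administrator, separates "attribute not set" from "attribute not readable by this bind"; in the latter case the least-privilege fix is to grant the bind account read access to just those attributes rather than Domain Admin membership. The ldapsearch invocation in the docstring and the LDIF below are constructed sample data, not output from the poster's directory.

```python
"""Report which AD users are missing the attributes nss_ldap needs.

Usage against a real directory (the LDIF at the bottom is a constructed
sample used when no file is given):
  ldapsearch -x -H ldap://ldap.example.int -D 'winbind@example.int' -W \
      -b 'dc=example,dc=int' '(objectCategory=person)' \
      sAMAccountName cn uidNumber gidNumber unixHomeDirectory loginShell \
      > users.ldif
  python3 posix_gaps.py users.ldif
"""
import sys

# Attributes nss_ldap maps into a passwd entry (see the nss_map_* lines
# in /etc/ldap.conf above). Names are compared case-insensitively since
# LDAP attribute names are not case-sensitive.
REQUIRED_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell", "cn")


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercase attr -> [values].

    Handles folded continuation lines (leading space) and skips comments
    and the 'search:/result:' trailer ldapsearch prints after the entries.
    Base64 values ('attr:: ...') are kept as-is; only presence matters here.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical:
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        if line.startswith("dn:"):
            current = {"dn": [line.partition(":")[2].strip()]}
            continue
        if current is None:
            continue                        # text outside any entry
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.lstrip(": ").strip())
    if current:
        entries.append(current)
    return entries


def find_posix_gaps(entries, required=REQUIRED_ATTRS):
    """Map each user (sAMAccountName, or DN if absent) to the required
    attributes that were not visible to the bind account."""
    gaps = {}
    for e in entries:
        name = e.get("samaccountname", e["dn"])[0]
        missing = [a for a in required if a.lower() not in e]
        if missing:
            gaps[name] = missing
    return gaps


def will_appear_in_getent(entries, required=REQUIRED_ATTRS):
    """Users for which every mapped attribute was readable: the only ones
    nss_ldap can turn into a passwd line."""
    return sorted(e["samaccountname"][0] for e in entries
                  if "samaccountname" in e and all(a.lower() in e for a in required))


# Constructed sample: what a bind account without read access to the
# UNIX attributes of the Developers OU might get back.
SAMPLE_LDIF = """\
# constructed sample output
dn: CN=Alex Max,OU=Staff,DC=example,DC=int
cn: Alex Max
sAMAccountName: alex.max
uidNumber: 10001
gidNumber: 10
unixHomeDirectory: /home/alex.max
loginShell: /bin/bash

dn: CN=Dev One,OU=Developers,DC=example,DC=int
cn: Dev One
sAMAccountName: dev.one

dn: CN=Dev Two,OU=Developers,DC=example,DC=int
cn: Dev Two
sAMAccountName: dev.two
uidNumber: 10003
gidNumber: 10
loginShell: /bin/bash

search: 2
result: 0 Success
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    entries = parse_ldif(text)
    print("visible to nss_ldap:", ", ".join(will_appear_in_getent(entries)) or "(none)")
    for user, missing in find_posix_gaps(entries).items():
        print(f"{user}: not readable/absent -> {', '.join(missing)}")
```

On the sample, only alex.max would show up in getent, dev.one is missing all four POSIX attributes and dev.two lacks only unixHomeDirectory; the same report from a privileged bind that shows no gaps tells you the data is there and the service account's read permission is what needs adjusting.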
