LinuxQuestions.org
Old 04-19-2011, 04:55 PM   #1
fantasygoat
LDAP / Kerberos / Active Directory - Only *some* users appearing


I've got an LDAP / Kerberos / Active Directory setup (AD has the UNIX Attributes) for logging into our CentOS servers. Up until today I only had myself and my junior tech in the list of users, but now I've added some developers but they aren't appearing in the getent output.

Here are my configs.

/etc/krb5.conf

Quote:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.INT
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
EXAMPLE.INT = {
kdc = ldap.example.int:88
admin_server = ldap.example.int:749
default_domain = example.int
}

[domain_realm]
.example.int = EXAMPLE.INT
example.int = EXAMPLE.INT

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/ldap.conf

Quote:
base dc=example,dc=int
uri ldap://ldap.example.int/
binddn winbind@example.int
bindpw xxx
ssl no
referrals no

nss_base_passwd dc=example,dc=int?sub
nss_base_shadow dc=example,dc=int?sub
nss_base_group dc=example,dc=int?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
/etc/samba/smb.conf

Quote:
workgroup = EXAMPLE
security = ads
realm = EXAMPLE.INT
use kerberos keytab = true
password server = ldap.example.int
/etc/pam.d/system-auth

Quote:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so
auth required pam_deny.so

account sufficient pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_krb5.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_deny.so

password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session required pam_mkhomedir.so umask=0007
session required pam_limits.so
session required pam_unix.so
/etc/nsswitch.conf

Quote:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: files

automount: files
aliases: files
Output from getent passwd:

Quote:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
distcache:x:94:94:distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
alex.max:*:10001:10:Alex Max:/home/alex.max:/bin/bash
jeremy.wilson:*:1000:10:Jeremy Wilson:/home/jwilson:/bin/tcsh
I can't see any differences between our AD accounts and those I've set up. We're in wheel, but so is another person and they are also not showing up.

If I update the group listings, all the groups appear in "getent group" and have the appropriate accounts in them.

Why would the two accounts I set up work but the others do not?
 
Old 04-20-2011, 09:10 AM   #2
fantasygoat
Original Poster
Anyone have any ideas? This is driving me crazy. I've tried restarting the AD service on the Windows server, no difference. I've compared the raw LDAP records for myself and other users and can't find any differences that might cause this issue.
 
Old 04-20-2011, 09:34 AM   #3
fantasygoat
Original Poster
Okay, I figured it out.

The user I was using to bind did not have the appropriate permissions - it was merely a Domain User rather than Domain Admin. Once I added that all the users appeared.

I have no idea why my assistant and my accounts appeared. Perhaps because we are Domain Admins?
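An added diagnostic for the visibility problem in this thread (example code, not from the original poster): it replays what nss_ldap does with the search result the bind DN receives, using the attribute mapping from the /etc/ldap.conf posted above. AD simply omits any attribute the bound account is not permitted to read, so from nss_ldap's side an unreadable uidNumber looks exactly like an unset one and the entry is silently dropped from getent passwd while the group lookup (which only needs gidNumber and member on the group object) still works. The two LDIF captures, the DNs and the assumption that winbind@example.int is the nss_ldap bind account are constructed for this example; the ldapsearch invocation in the docstring assumes the OpenLDAP client tools.

```python
"""Reproduce the passwd view nss_ldap builds from an AD search, using only
what the *bind* account can actually see.

Added example, not from the original thread.  The LDIF below is constructed;
in practice capture it with the filter nss_ldap issues, bound as the nss_ldap
bind DN (not as yourself), assuming the OpenLDAP client tools:

  ldapsearch -LLL -x -H ldap://ldap.example.int/ -D winbind@example.int -W \\
    -b dc=example,dc=int '(objectClass=user)' \\
    sAMAccountName cn uidNumber gidNumber unixHomeDirectory loginShell
"""
import base64

# Attributes nss_ldap needs to emit one passwd line with the mapping in the
# posted /etc/ldap.conf (homeDirectory -> unixHomeDirectory, gecos -> cn).
REQUIRED = ("sAMAccountName", "uidNumber", "gidNumber",
            "unixHomeDirectory", "loginShell")


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lowercased: [values]})."""
    entries, attrs, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":                        # blank line ends an entry
            if "dn" in attrs:
                entries.append((attrs.pop("dn")[0], attrs))
            attrs, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:  # folded continuation line
            attrs[last][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        if value.startswith(":"):                     # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        last = key.strip().lower()                    # LDAP attr names are case-insensitive
        attrs.setdefault(last, []).append(value)
    if "dn" in attrs:
        entries.append((attrs.pop("dn")[0], attrs))
    return entries


def passwd_entries(ldif_text):
    """Build passwd lines the way nss_ldap would; return (lines, skipped).
    skipped maps DN -> attributes absent from the search result."""
    lines, skipped = [], {}
    for dn, a in parse_ldif(ldif_text):
        missing = [r for r in REQUIRED if r.lower() not in a]
        if missing:
            skipped[dn] = missing                     # this entry never reaches getent
            continue
        name = a["samaccountname"][0]
        gecos = a.get("cn", [name])[0]
        lines.append(":".join((name, "*", a["uidnumber"][0], a["gidnumber"][0],
                               gecos, a["unixhomedirectory"][0], a["loginshell"][0])))
    return lines, skipped


def hidden_attributes(admin_ldif, bind_ldif):
    """Attributes returned to an admin search but not to the bind DN's search.
    AD returns nothing for attributes the caller may not read, so a gap here is
    an ACL problem on the bind account, not a missing value in AD."""
    bind = dict(parse_ldif(bind_ldif))
    hidden = {}
    for dn, a in parse_ldif(admin_ldif):
        gap = set(a) - set(bind.get(dn, {}))
        if gap:
            hidden[dn] = gap
    return hidden


# Constructed sample: the same two users as seen by a Domain Admin bind ...
ADMIN_VIEW = """\
dn: CN=Alex Max,OU=Staff,DC=example,DC=int
cn: Alex Max
sAMAccountName: alex.max
uidNumber: 10001
gidNumber: 10
unixHomeDirectory: /home/alex.max
loginShell: /bin/bash

dn: CN=Dev One,OU=Developers,DC=example,DC=int
cn: Dev One
sAMAccountName: dev.one
uidNumber: 10010
gidNumber: 10
unixHomeDirectory: /home/dev.one
loginShell: /bin/bash
"""

# ... and as seen by an under-privileged bind account (UNIX attrs not readable).
BIND_VIEW = """\
dn: CN=Alex Max,OU=Staff,DC=example,DC=int
cn: Alex Max
sAMAccountName: alex.max
uidNumber: 10001
gidNumber: 10
unixHomeDirectory: /home/alex.max
loginShell: /bin/bash

dn: CN=Dev One,OU=Developers,DC=example,DC=int
cn: Dev One
sAMAccountName: dev.one
"""

if __name__ == "__main__":
    lines, skipped = passwd_entries(BIND_VIEW)
    print("\n".join(lines))
    for dn, missing in skipped.items():
        print(f"SKIPPED {dn}: missing {', '.join(missing)}")
    for dn, gap in hidden_attributes(ADMIN_VIEW, BIND_VIEW).items():
        print(f"HIDDEN from bind DN on {dn}: {', '.join(sorted(gap))}")
```

Run the search twice, once as yourself and once as the nss_ldap bind account, and feed both captures to hidden_attributes: anything it lists is a read-permission gap on the bind account, which is what comparing the "raw LDAP records" as an admin cannot show. For anyone copying the fix from post #3, note that the bind account's password sits in clear text in /etc/ldap.conf on every client and is sent with ssl no, so making that account a Domain Admin is a large blast radius for a read-only lookup; granting it read access on just the UNIX attributes of the user containers (a per-attribute ACE, for example via dsacls or the security tab in Active Directory Users and Computers) gives the same getent result with least privilege.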
 
  

