I've got an LDAP / Kerberos / Active Directory setup (AD has the UNIX Attributes installed) for logging into our CentOS servers. Up until today only I and my junior tech were in the list of users; I have now added some developers, but they aren't appearing in the getent output.
Here are my configs.
/etc/krb5.conf
Quote:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.INT
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
EXAMPLE.INT = {
kdc = ldap.example.int:88
admin_server = ldap.example.int:749
default_domain = example.int
}
[domain_realm]
.example.int = EXAMPLE.INT
example.int = EXAMPLE.INT
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/ldap.conf
Quote:
base dc=example,dc=int
uri ldap://ldap.example.int/
binddn winbind@example.int
bindpw xxx
ssl no
referrals no
nss_base_passwd dc=example,dc=int?sub
nss_base_shadow dc=example,dc=int?sub
nss_base_group dc=example,dc=int?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
/etc/samba/smb.conf
Quote:
workgroup = EXAMPLE
security = ads
realm = EXAMPLE.INT
use kerberos keytab = true
password server = ldap.example.int
/etc/pam.d/system-auth
Quote:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so
auth required pam_deny.so
account sufficient pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_krb5.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_deny.so
password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session required pam_mkhomedir.so umask=0007
session required pam_limits.so
session required pam_unix.so
/etc/nsswitch.conf
Quote:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: files
automount: files
aliases: files
Output from getent passwd:
Quote:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
distcache:x:94:94:distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
alex.max:*:10001:10:Alex Max:/home/alex.max:/bin/bash
jeremy.wilson:*:1000:10:Jeremy Wilson:/home/jwilson:/bin/tcsh
I can't see any differences in AD between the new developer accounts and the two I set up earlier. We're in wheel, but so is another person, and they also aren't showing up.
If I update the group listings, all the groups appear in "getent group" and have the appropriate accounts in them.
Why would the two accounts I set up work but the others do not?