LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   RHEL6, Windows 2008, LDAP (http://www.linuxquestions.org/questions/linux-server-73/rhel6-windows-2008-ldap-864982/)

Hejemin 02-25-2011 08:28 AM

RHEL6, Windows 2008, LDAP
 
I have Redhat 5 playing nice as it authenticates against windows server 2008. But I ran into issues trying to get Redhat 6 to do it as well.

Here is where I stand on my redhat 6 box:

I have my certificates working between the windows and the redhat box.

From Root user I can SU to an Active Directory user.
getent works. I can see all the users info.
ldapsearch works with the CA certificate so my SSL handshake is working.
I do not suspect cert issues


But when I try to login as active directory on my Redhat 6 box I get told I used an invalid password. The password works just fine on the windows server, so I didn't fat finger anything. I am just confused as to why I can have getent and ldapsearching but can not login.

I have turned off iptables on redhat and the firewall on 2008 server to see if that would change the situation but no luck.

I noted that in Redhat 6 I need to config SSSD rather then NSCD.

Let me know if you need to see my:

ldap.conf
nsswitch.conf
sssd.conf
var messages

to provide further light and guidance on what I maybe doing wrong or leaving out in my configurations.

battletroll 02-25-2011 09:07 AM

Ensure Kerberos is configured and the server times are synced

adamjohnson01 04-05-2011 04:32 AM

I am also getting the password error. Did you manage to figure this out?

adamjohnson01 04-05-2011 07:51 AM

I have figured this out now. I had to add the relevant lines into /etc/pam.d/password-auth. I had only edited system-auth.

brooky9999 05-19-2012 09:28 AM

Hi Hejemin,

I would dearly love to see your config files (minus sensitive bits of course), as I've been trying for two days to get this working and it's still not playing.

I can get RHEL 5.x clients working with 2008 R2 Active Directory without any issues... but getting RHEL 6 to do it is killing me.

My first question is where does ldap.conf go? /etc or /etc/openldap?

Here are my relevant files:

/etc/ldap.conf
Code:

uri ldap://192.168.0.1/
host 192.168.0.1
base dc=child,dc=test,dc=ad
binddn cn=sa_ldap,ou=Service Accounts,ou=Users,ou=Managed,dc=child,dc=test,dc=ad
bindpw Password123
scope sub
ssl no
nss_base_passwd dc=child,dc=test,dc=ad?sub
nss_base_shadow dc=child,dc=test,dc=ad?sub
nss_base_group dc=child,dc=test,dc=ad?sub? &(objectCategory=group) (gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos cn
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn cn
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

/etc/openldap/ldap.conf
Code:

BASE    dc=child,dc=test,dc=ad
URI      ldap://192.168.0.1/

/etc/krb5.conf
Code:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CHILD.TEST.AD
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 CHILD.TEST.AD = {
  kdc = dc.child.test.ad:88
  admin_server = dc.child.test.ad:749
  default_domain = child.test.ad
 }

[domain_realm]
 .nl.mdb-lab.com = CHILD.TEST.AD
 nl.mdb-lab.com = CHILD.TEST.AD

/etc/pam.d/password-auth
Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        requisite    pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account    required      pam_unix.so
account    sufficient    pam_krb5.so
account    sufficient    pam_localuser.so
account    sufficient    pam_succeed_if.so uid < 500 quiet
account    required      pam_permit.so

password    requisite    pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session    optional      pam_keyinit.so revoke
session    required      pam_mkhomedir.so
session    required      pam_limits.so
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required      pam_unix.so

/etc/nsswitch.conf
Code:

passwd:    files ldap
shadow:    files ldap
group:      files ldap

#hosts:    db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:  nisplus [NOTFOUND=return] files
#networks:  nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:    nisplus [NOTFOUND=return] files
#netmasks:  nisplus [NOTFOUND=return] files   

bootparams: nisplus [NOTFOUND=return] files

ethers:    files
netmasks:  files
networks:  files
protocols:  files
rpc:        files
services:  files

netgroup:  nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

I'm not sure what should go in /etc/sssd.conf.

Time/date is synchronised with the domain controller, and all host names can be resolved without issue.

I realise this thread is quite old, but any pointers would be greatly received :-)

Many thanks,


-Mark


All times are GMT -5. The time now is 07:53 PM.