LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 02-25-2011, 08:28 AM   #1
Hejemin
LQ Newbie
 
Registered: Feb 2011
Posts: 1

Rep: Reputation: 0
RHEL6, Windows 2008, LDAP


I have Redhat 5 playing nice as it authenticates against windows server 2008. But I ran into issues trying to get Redhat 6 to do it as well.

Here is where I stand on my redhat 6 box:

I have my certificates working between the windows and the redhat box.

From Root user I can SU to an Active Directory user.
getent works. I can see all the users info.
ldapsearch works with the CA certificate so my SSL handshake is working.
I do not suspect cert issues


But when I try to login as active directory on my Redhat 6 box I get told I used an invalid password. The password works just fine on the windows server, so I didn't fat finger anything. I am just confused as to why I can have getent and ldapsearching but can not login.

I have turned off iptables on redhat and the firewall on 2008 server to see if that would change the situation but no luck.

I noted that in Redhat 6 I need to config SSSD rather then NSCD.

Let me know if you need to see my:

ldap.conf
nsswitch.conf
sssd.conf
var messages

to provide further light and guidance on what I maybe doing wrong or leaving out in my configurations.
 
Old 02-25-2011, 09:07 AM   #2
battletroll
Member
 
Registered: Dec 2004
Location: Alabama
Distribution: Slackware, Solaris,Fedora, CentOS, Redhat, SGI
Posts: 63

Rep: Reputation: 16
Ensure Kerberos is configured and the server times are synced
 
Old 04-05-2011, 04:32 AM   #3
adamjohnson01
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Rep: Reputation: 0
I am also getting the password error. Did you manage to figure this out?
 
Old 04-05-2011, 07:51 AM   #4
adamjohnson01
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Rep: Reputation: 0
I have figured this out now. I had to add the relevant lines into /etc/pam.d/password-auth. I had only edited system-auth.
 
Old 05-19-2012, 09:28 AM   #5
brooky9999
Member
 
Registered: May 2006
Location: Marlow, UK
Distribution: Slackware 12.2
Posts: 232

Rep: Reputation: 30
Hi Hejemin,

I would dearly love to see your config files (minus sensitive bits of course), as I've been trying for two days to get this working and it's still not playing.

I can get RHEL 5.x clients working with 2008 R2 Active Directory without any issues... but getting RHEL 6 to do it is killing me.

My first question is where does ldap.conf go? /etc or /etc/openldap?

Here are my relevant files:

/etc/ldap.conf
Code:
uri ldap://192.168.0.1/
host 192.168.0.1
base dc=child,dc=test,dc=ad
binddn cn=sa_ldap,ou=Service Accounts,ou=Users,ou=Managed,dc=child,dc=test,dc=ad
bindpw Password123
scope sub
ssl no
nss_base_passwd dc=child,dc=test,dc=ad?sub
nss_base_shadow dc=child,dc=test,dc=ad?sub
nss_base_group dc=child,dc=test,dc=ad?sub? &(objectCategory=group) (gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos cn
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn cn
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
/etc/openldap/ldap.conf
Code:
BASE     dc=child,dc=test,dc=ad
URI      ldap://192.168.0.1/
/etc/krb5.conf
Code:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CHILD.TEST.AD
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 CHILD.TEST.AD = {
  kdc = dc.child.test.ad:88
  admin_server = dc.child.test.ad:749
  default_domain = child.test.ad
 }

[domain_realm]
 .nl.mdb-lab.com = CHILD.TEST.AD
 nl.mdb-lab.com = CHILD.TEST.AD
/etc/pam.d/password-auth
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_krb5.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
/etc/nsswitch.conf
Code:
passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus
I'm not sure what should go in /etc/sssd.conf.

Time/date is synchronised with the domain controller, and all host names can be resolved without issue.

I realise this thread is quite old, but any pointers would be greatly received :-)

Many thanks,


-Mark
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
RHEL6: LDAP-based Auth, pam_ldap, and uidNumber issues... enigma_0Z Linux - Enterprise 1 11-22-2011 02:51 PM
ldap 2.4 rhel6 problem with openldap ldap_bind: Invalid credentials (49) dshivji Linux - Server 3 12-04-2010 03:23 AM
intigration of windows 2008 server with open ldap yasir453 Linux - Server 6 10-01-2010 05:31 PM
rdesktop 1.6 and windows server 2008 fmedwards3 Linux - Software 2 08-02-2010 11:51 AM
ldap on ubuntuserver + windows terminalserver 2008 stian General 2 06-25-2009 08:33 AM


All times are GMT -5. The time now is 02:33 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration