Trouble authenticating with Active Directory

spangler · 10-01-2013, 09:10 AM

I added my Oracle Linux 5 server to our Active Directory. It appears to have joined fine. I run wbinfo -g and see all the groups. I run wbingo -u and see the users. When I try to login useing my AD account I get a permission denied, please try again error. I look at /var/log/secure and see Invalid user errors and Failed password for invalid user errors. I know the user is valid and the password it good. The AD account is not locked.

Any suggestions would be appreciated.

Thanks

spike_white · 10-01-2013, 07:05 PM

It says in the wbinfo man page, not to use this for authentication. Only for querying.
It recommends ntlm_auth for authentication, but that's only a helper program that's called by another program.

So which PAM module are you using to do your AD authentication? pam_krb5? Quest Authentication Services (QAS)? Likewise? Centrify?

Spike

spangler · 10-02-2013, 08:20 AM

I was just using wbinfo to verify that it could see my user account. I believe I am using pam_krb5 for authentication.

i2_infinity · 02-08-2016, 08:30 AM

Maybe you have to enable users trying to log in to the systems to land up in their home directories using the following command:

authconfig --enablemkhomedir --update

spike_white · 02-09-2016, 02:59 PM

You can use raw pam_ldap + pam_krb5 to enact AD integration with Linux. I have done this (even implemented SASL bindings) and it works. But it seems quite fragile. If you're a hobbyist, or on a shoe-string subject -- this is the way to go.

But if you're in charge of an enterprise env, I'd recommend you going with one of the major players to do this: Centrify, Likewise or Quest (VAS).

They can handle cross-domain authentication, one-way trusts, cross-forest authentication from an untrusted domain and other complex scenarios. Also, they have the smart engineers on staff that know Kerberos inside and out.

Spike