LinuxQuestions.org

Thread: Active Directory vs LDAP (http://www.linuxquestions.org/questions/linux-software-2/active-directory-vs-ldap-287606/)

alex r 02-08-2005 05:55 AM

Active Directory vs LDAP
 
Hello everybody!
I have a Windows 2003 server running and want to connect some Linux clients to it. The users of the Linux clients don't have their user accounts in the /etc/passwd and /etc/shadow files but in the Active Directory. So I installed the LDAP client to make authentication possible. After editing /etc/pam.d/system-auth, /etc/ldap.conf and /etc/nsswitch.conf (since I have Fedora Core 2 running I did everything with authconfig) I tried to log on with a user name I created on the Windows server. I got the error message: login incorrect. A look into /var/log/messages:

linux login(pam_unix) [2367]: check pass; user unknown
linux login(pam_unix) [2367]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
pam_ldap: error trying to bind (invalid credentials)

The user I tried to log on with has admin rights! Any idea what this can be?


Thanks!
Alex

musicman_ace 02-08-2005 06:12 AM

Is pam_krb5 loaded? You'll need Kerberos security to authenticate to a Windows domain. Not sure that LDAP itself would do that for you.

alex r 02-08-2005 06:35 AM

Quote:

Originally posted by musicman_ace
Is pam_krb5 loaded? You'll need Kerberos security to authenticate to a Windows domain. Not sure that LDAP itself would do that for you.
Yes, it is loaded and Kerberos authentication works. I tried it with e.g. kinit <username> or ksu <username>.

I think the problem is ldap. I enter the command ' ldapsearch -x "" ' and get an output like:

# base <> with scope sub
# filter: (objectclass =*)
# requesting:

result: 1 operations error
text: 00000000: Ldap Err: DSID-0C090SFF

[...]

same with the command ' ldapsearch -x '. Any idea what this could be?

Brian Knoblauch 02-08-2005 10:49 AM

Running Active Directory in 2000/NT compatibility mode, or native 2003 mode?

alex r 02-08-2005 09:50 PM

Running in native 2003 mode. That 2003 mode is compatible with LDAP, isn't it?

alex r 02-09-2005 12:58 AM

After asking Google for hours I managed to create a working command that looks like this:

ldapsearch -x -D "cn=Administrator,cn=Users,dc=company,dc=com" -W "sAMAccountName"


But authenticating is still not possible. Entering dmesg shows this line:

linux login: nss_ldap: could not search LDAP server - Operations error


And here's some additional output from /var/log/secure

Feb 9 08:48:31 linux login: nss_ldap: could not search LDAP server - Operations error
Feb 9 08:48:34 linux last message repeated 11 times
Feb 9 08:48:34 linux login(pam_unix)[26124]: check pass; user unknown
Feb 9 08:48:34 linux login(pam_unix)[26124]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 9 08:48:34 linux login[26124]: pam_ldap: ldap_search_s Operations error
Feb 9 08:48:36 linux login[26124]: FAILED LOGIN 1 FROM (null) FOR test2, Authentication failure



Any ideas about that?

Brian Knoblauch 02-09-2005 07:52 AM

Quote:

Originally posted by alex r
Running in native 2003 mode. That 2003 mode is compatible to the ldap, isn't it?
It may not be. 2003 native mode doesn't even use the same ports as 2000. I ran into this problem trying to get Mac OS X to talk to our Active Directory. Lots of people are doing it, but they all are in 2000 mode. I'm in 2003 native and can't get it going. Many hours of research have led to the discovery of significant differences. Whether or not that carries over to Linux as well, I can't say for sure. :)

enigmasoldier 02-09-2005 11:25 AM

So you know, Active Directory IS an LDAP implementation by MS.

I've included links to some tutorials that will help.

External Link:
http://www.microsoft.com/windowsserv.../ldapcomp.mspx
http://www.nwc.com/showArticle.jhtml?articleID=55301455 This is a great 3 page article detailing exactly what you need to do to get this working
http://sadms.sourceforge.net/en/index.html this looks promising.

alex r 02-11-2005 12:02 AM

Thanks for the articles, that was very kind of you. I found out what the problem was.
I had to create a user with permissions to access user data on the AD (this user is called 'ldapuser' in my configuration).
Then adding a line to /etc/ldap.conf that looks like:

binddn cn=ldapuser,cn=Users,dc=company,dc=com
bindpw MyNonSecretPassword

Of course the command in my previous post worked because the 'test2' user had access to ldap.
By the way, if you don't activate Kerberos in the authconfig menu, all of your passwords will be transferred in plain text over the network. Just a thing to remember...


Anyway, I'm now facing a new problem:

Feb 11 04:46:58 linux login(pam_unix)[789]: check pass; user unknown
Feb 11 04:46:58 linux login(pam_unix)[789]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 11 04:47:00 linux login[789]: pam_krb5[789]: authentication succeeds for 'alex' (alex@company.com)
Feb 11 04:47:02 linux login(pam_unix)[789]: session opened for user alex by LOGIN(uid=0)
Feb 11 04:47:02 linux -- alex[789]: LOGIN ON tty1 BY alex
Feb 11 04:47:02 linux login(pam_unix)[789]: session closed for user alex
Feb 11 04:47:02 linux init: open(/dev/pts/0): No such file or directory


Did you see it? Login and immediately logout. Any ideas about that?

alex r 02-13-2005 10:05 PM

Well, this problem's getting more and more weird. With some users the error described in the message above does not happen. But when I create a new user and try to log on, this will happen:

Feb 11 09:50:25 linux login(pam_unix)[1759]: check pass; user unknown
Feb 11 09:50:25 linux login(pam_unix)[1759]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error resolving user name 'labuser' to uid/gid pair
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error getting information about 'labuser'
Feb 11 09:50:25 linux login(pam_unix)[1759]: could not identify user (from getpwnam(labuser))
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error resolving user name 'labuser' to uid/gid pair
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error getting information about 'labuser'
Feb 11 09:50:25 linux login[1759]: User not known to the underlying authentication module
Feb 11 09:50:25 linux init: open(/dev/pts/0): No such file or directory


Again: any ideas? :confused:
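Added example (not code from the thread): a small triage script that runs over the kinds of log lines posted in this thread and maps each symptom to the layer that failed, in the order the thread had to work through them (bind, search, NSS lookup, session start). The sample lines are copied from the posts above; the verdict texts summarise the thread's own conclusions, and the two-second "ended at once" window is a constructed threshold.

```python
"""Triage PAM/NSS syslog lines from a Linux host that authenticates against AD.
Added example; sample lines are copied from the LinuxQuestions thread."""
import re
from collections import Counter

# (regex, stage) pairs matched against each log line; the first hit wins.
SIGNATURES = [
    (re.compile(r"pam_ldap: error trying to bind \(invalid credentials\)"), "ldap-bind-failed"),
    (re.compile(r"could not search LDAP server - Operations error"), "ldap-search-refused"),
    (re.compile(r"ldap_search_s Operations error"), "ldap-search-refused"),
    (re.compile(r"error resolving user name '[^']+' to uid/gid pair"), "nss-lookup-failed"),
    (re.compile(r"could not identify user \(from getpwnam\("), "nss-lookup-failed"),
    (re.compile(r"pam_krb5\[\d+\]: authentication succeeds for '[^']+'"), "krb5-auth-ok"),
    (re.compile(r"\(pam_unix\) ?\[\d+\]: check pass; user unknown"), "pam_unix-user-unknown"),
    (re.compile(r"session opened for user \S+"), "session-opened"),
    (re.compile(r"session closed for user \S+"), "session-closed"),
    (re.compile(r"No directory !"), "no-home-directory"),
]

# Verdict code -> what to check, in the order the thread had to fix things.
VERDICTS = {
    "ldap-bind-failed": "pam_ldap bind rejected: check binddn/bindpw in /etc/ldap.conf",
    "ldap-search-refused": "AD refused the search (no anonymous search): set binddn/bindpw so nss_ldap/pam_ldap can read user entries",
    "nss-lookup-failed": "NSS cannot resolve the user: check nsswitch.conf and the nss_map_attribute lines (uidNumber, gidNumber, homeDirectory, loginShell)",
    "session-ended-immediately": "Kerberos auth succeeded but the session ended at once: check the homeDirectory/loginShell mapping and pam_mkhomedir",
    "login-ok": "authentication and session start look healthy",
    "unknown": "no known AD/LDAP signature in these lines",
}

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d+ (\d\d):(\d\d):(\d\d) ")


def classify(line):
    """Return the stage label for one syslog line, or None if nothing matches."""
    for pattern, stage in SIGNATURES:
        if pattern.search(line):
            return stage
    return None


def seconds_of_day(line):
    """Seconds since midnight from the syslog prefix (day ignored; a login spans seconds)."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def triage(lines):
    """Classify each line and reduce the stages seen to one verdict code."""
    stages, opened, closed = Counter(), None, None
    for line in lines:
        stage = classify(line)
        if stage is None:
            continue
        stages[stage] += 1
        if stage == "session-opened":
            opened = seconds_of_day(line)
        elif stage == "session-closed":
            closed = seconds_of_day(line)
    # Lower layers first: a bind or search failure explains everything after it.
    verdict = "unknown"
    for code in ("ldap-bind-failed", "ldap-search-refused", "nss-lookup-failed"):
        if stages[code]:
            verdict = code
            break
    else:
        ended_at_once = opened is not None and closed is not None and closed - opened <= 2
        if stages["krb5-auth-ok"] and (ended_at_once or stages["no-home-directory"]):
            verdict = "session-ended-immediately"
        elif stages["krb5-auth-ok"]:
            verdict = "login-ok"
    return {"stages": dict(stages), "verdict": verdict, "advice": VERDICTS[verdict]}


# Sample input: excerpts copied from the thread's posts (hostname "linux").
LOG_BIND_FAILURE = [
    "linux login(pam_unix) [2367]: check pass; user unknown",
    "pam_ldap: error trying to bind (invalid credentials)",
]
LOG_SEARCH_REFUSED = [
    "Feb 9 08:48:31 linux login: nss_ldap: could not search LDAP server - Operations error",
    "Feb 9 08:48:34 linux login(pam_unix)[26124]: check pass; user unknown",
    "Feb 9 08:48:34 linux login[26124]: pam_ldap: ldap_search_s Operations error",
]
LOG_INSTANT_LOGOUT = [
    "Feb 11 04:46:58 linux login(pam_unix)[789]: check pass; user unknown",
    "Feb 11 04:47:00 linux login[789]: pam_krb5[789]: authentication succeeds for 'alex' (alex@company.com)",
    "Feb 11 04:47:02 linux login(pam_unix)[789]: session opened for user alex by LOGIN(uid=0)",
    "Feb 11 04:47:02 linux login(pam_unix)[789]: session closed for user alex",
]
LOG_NSS_FAILURE = [
    "Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error resolving user name 'labuser' to uid/gid pair",
    "Feb 11 09:50:25 linux login(pam_unix)[1759]: could not identify user (from getpwnam(labuser))",
]

if __name__ == "__main__":
    for name, log in [("bind", LOG_BIND_FAILURE), ("search", LOG_SEARCH_REFUSED),
                      ("logout", LOG_INSTANT_LOGOUT), ("nss", LOG_NSS_FAILURE)]:
        print(name, "->", triage(log)["advice"])
```

Feed it `grep login /var/log/secure` output; because the precedence goes bottom-up, a host that cannot even search the directory is reported as a search problem rather than as a dozen unrelated NSS failures.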

musicman_ace 02-13-2005 10:11 PM

What release of Kerberos is loaded? Is it Heimdal or MIT's version?

My guess would be that authentication is failing because it wants MIT's version 5.

alex r 02-14-2005 01:43 AM

It's the MIT version 5 of Kerberos. I don't think it's because of the version, because a 'kinit labuser' works perfectly. Also, another user 'test2' can authenticate, but don't ask me what's so special about this user. I gave 'labuser' exactly the same permissions as 'test2', but that didn't help.

alex r 02-16-2005 03:38 AM

Ok, the problem's solved. There was an error in the ldap.conf file I assume. I took that document from Microsoft http://www.microsoft.com/technet/its...w/01wsdsu.mspx and did everything step by step. Now it works.

But one problem follows another... AD users don't have a home directory. When I entered 'getent passwd' everything worked fine: first I saw the Unix accounts, then the LDAP accounts. Now I don't see the LDAP accounts anymore, only the ones that got saved from former logins. And these don't have a home directory. Logging in results in:

No directory !
Logging in with home = '/'.

But I remember that the accounts that got listed by getent had a proper home directory. Any ideas anyone?

alex r 02-16-2005 06:05 AM

error found
 
OK, now this was a really annoying mistake! In ldap.conf there were these lines

nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute homeDirectory msSFU30HomeDirectory

wrongly written. I forgot to type 30 into the attribute. Very annoying! :tisk:
After putting this line into /etc/pam.d/system-auth and /etc/pam.d/gdm

session optional /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0022

it's now working. Also 'getent passwd' is now showing the data correctly :D
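Added example (not the thread's or nss_ldap's own code): a linter for the two files the thread had to get right. It catches the `dn=` typo in binddn from the earlier post, the missing `30` in the msSFU attribute mappings from this post, the absence of a pam_krb5 auth line (the plaintext-password point made above) and the absence of the mkhomedir session line. The sample configs are constructed to reproduce the thread's settings: `dc1.company.com` is a placeholder host, the password is made up, and the quoted-binddn warning rests on the assumption that nss_ldap keeps surrounding quotes as part of the value.

```python
"""Lint /etc/ldap.conf and /etc/pam.d/system-auth for the mistakes the thread hit.
Added example; configs below are constructed, not copied from a real host."""

# Attribute types that legitimately appear in an AD bind DN.
DN_ATTRS = {"cn", "ou", "dc", "o", "uid"}
# POSIX attributes nss_ldap must map; SFU 3.0 names them msSFU30<Attr>.
POSIX_ATTRS = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_ldap_conf(text):
    """Parse 'key value' lines ('#' comments dropped); nss_map_* keys repeat, so they collect into lists."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key.startswith("nss_map_"):
            conf.setdefault(key, []).append(value)
        else:
            conf[key] = value
    return conf


def lint_ldap_conf(text):
    """Return (severity, code, message) findings for an nss_ldap/pam_ldap ldap.conf."""
    conf, findings = parse_ldap_conf(text), []
    dn = conf.get("binddn")
    if dn is None:
        findings.append(("warn", "no-binddn", "no binddn: AD refuses anonymous user searches (Operations error)"))
    else:
        if dn and dn[0] in "\"'":
            # Assumption: nss_ldap stores the quotes literally, so the DN would not match.
            findings.append(("warn", "quoted-binddn", "binddn is quoted; the quotes are likely taken as part of the DN"))
        for rdn in dn.strip("\"'").split(","):
            attr, sep, _ = rdn.strip().partition("=")
            if not sep or attr.lower() not in DN_ATTRS:
                hint = " (did you mean dc=?)" if attr.lower() == "dn" else ""
                findings.append(("error", "bad-rdn", f"binddn component {rdn.strip()!r} is not a valid RDN{hint}"))
    if "bindpw" in conf:
        findings.append(("warn", "cleartext-bindpw",
                         "bindpw is a cleartext credential: keep the file root-only and the bind account read-only"))
    mapped = dict(v.split(None, 1) for v in conf.get("nss_map_attribute", []) if len(v.split()) == 2)
    for attr in POSIX_ATTRS:
        target = mapped.get(attr)
        if target is None:
            findings.append(("warn", "unmapped-" + attr, f"{attr} is not mapped; logins fail unless AD has a native {attr}"))
        elif target.startswith("msSFU") and not target.startswith("msSFU30"):
            findings.append(("error", "sfu-typo-" + attr, f"{attr} -> {target}: SFU 3.0 attributes are named msSFU30..."))
    return findings


def lint_system_auth(text):
    """Check a PAM stack for the Kerberos auth line and the mkhomedir session line."""
    modules, findings = {}, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:  # type control module [args]
            modules.setdefault(fields[0], set()).add(fields[2].rsplit("/", 1)[-1])
    if "pam_krb5.so" not in modules.get("auth", set()):
        findings.append(("warn", "no-pam_krb5", "no pam_krb5 auth line: LDAP simple binds send the user's password in clear text"))
    if not any(m.endswith("mkhomedir.so") for m in modules.get("session", set())):
        findings.append(("warn", "no-mkhomedir", "no mkhomedir session line: first logins of AD users land in / (No directory !)"))
    return findings


# Constructed samples: the thread's broken settings and the fixed version.
LDAP_CONF_BROKEN = """\
host dc1.company.com
base dc=company,dc=com
binddn "cn=ldapuser,cn=users,dn=company,dn=com"
bindpw MyNonSecretPassword
nss_map_attribute loginShell msSFULoginShell
nss_map_attribute homeDirectory msSFUHomeDirectory
"""
LDAP_CONF_FIXED = """\
host dc1.company.com
base dc=company,dc=com
binddn cn=ldapuser,cn=Users,dc=company,dc=com
bindpw MyNonSecretPassword
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
"""
SYSTEM_AUTH = """\
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0022
"""

if __name__ == "__main__":
    for f in lint_ldap_conf(LDAP_CONF_BROKEN) + lint_system_auth("auth required pam_unix.so\n"):
        print(*f)
```

Run it against the real files with `lint_ldap_conf(open("/etc/ldap.conf").read())`; the bindpw warning stays even on the fixed file, because a cleartext bind password is a standing exposure rather than a one-off typo.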

musicman_ace 02-16-2005 07:57 AM

Congrats. Now that you've gone through all that, have you thought of writing a how-to? Possibly the LinuxQuestions Answer?

