Hi all,

I'm reproducing a post that I made on experts exchange here as I'm hoping someone here might be able to help. I'm following the Lanrx documents for getting AD authentication working, but I've run into a problem.

I'm trying to authenticate a Red Hat Enterprise Linux AS 3 server against a Windows 2003 Active directory. I'm currently trying to use LDAP. I'm using Microsoft Services for Unix 3.5 on the Windows machine. Here is what I have done so far:

1. Installed nss_ldap-207-11.i386.rpm - This includes --enable-schema-mapping and --enable-rfc2307bis in the configure portion of the source RPM

2. Edited /etc/ldap.conf and set the following:
binddn cn=padl,cn=Users,dc=mydomain,dc=com
bindpw userpass

scope sub
ssl no
pam_password md5
nss_base_passwd cn=Users,dc=mydomain,dc=com?sub
nss_base_shadow cn=Users,dc=mydomain,dc=com?sub
nss_base_group cn=Users,dc=mydomain,dc=com?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
pam_login_attribute sAMAcountName
pam_filter objectclass=user
pam_member_attribute msSFU30PosixMember
pam_groupdn cn=unixusergroup,dc=mydomain,dc=com

3. Setup auth by using authconfig as follows:
Select LDAP for NSS information, select cache information, added the IP for the AD server, set the Base DN to cn=Users,dc=mydomain,dc=com
Select LDAP for authentication, use prepopulated fields from previous screen
Select OK and then edit /etc/pam.d/system-auth so that it looks as follows:

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
account sufficient /lib/security/pam_localuser.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so

4. Enter information in Unix Services tab in Active Directory Users and Computers tool and then reset the user's password so that it is sync'd

Having done all of that, if I try and login as a user in the AD using ssh, I get the following messages:

sshd(pam_unix)[18113]: check pass; user unknown
sshd(pam_unix)[18113]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.xxx.xxx.xxx

I'm not seeing any mention of pam_ldap in those messages. However, each time I try and login, I see several new successful logins for the padl account in the Windows Event Viewer.

Can anyone either help me resolve this issue and get this working, or point me at a comprehensive howto that illustrates doing this with winbind ? The problem as I understand it with using winbind is that you don't get consistent UID / GID information, or anything else that you would normally get from Microsoft services for unix. Is there a way to use winbind for authentication and then LDAP for information maybe ?

Hi Wayne,
I don't know if this will help but I am out at a site where we were running Solaris and wanted to so something similar to you. We had to create a Kerberos Realm on the Windows 2003 Server and use Kerberos from Solaris to accomplish the authentication.

Again, I am not sure if this applies to your situation or not

Good Luck

Thanks for the response

I've got kerberos running, and I can do a kinit Administrator, and receive a ticket...

Once I've received that ticket, I can do a
net ads join
and once I've done that, I can see that a machine account for the machine is added to the AD server. However, I still can't use pam_ldap for ssh / console logins

Have you got that working at all ? Or is that not something that you're trying to do ?

Hey Wayne-

This particular problem is likely related to the inability of PAM to locate the appropriate NSS information.

After further review, it looks like you might have a typo in your schema mapping for the pam_login_attribute

pam_login_attribute sAMAcountName

That should be sAMAccountName (note the second C in account)

Hope this helps.

I've still not been able to access the documents from LanRX. I have registered at the site multiple times, but have never received a reply with a user name/password. When I try to log in with an account I've created, I'm redirected back to the "create account" dialogue. Can anyone suggest what I'm doing wrong? Is there an alternate source for the documents?

If you tell me what your username is, I can make sure that your account is activated.
As far as an alternative source for the documents, in the near future, you will be able to get them at newsforge.com

I have created accounts as dbruso@abm.com and dbruso@pacbell.net. I appreciate your help. One of the benefits of working with open source products is "meeting" the community. Thanks a lot!

Regards,

dbruso

I think that I saw your e-mails bouncing back to me, for some reason.

I enabled your account. If you have more problems, e-mail me at Eric dot Anderson at LanRx dot com, and I will be happy to reset your password or whatnot.

Hi all,

Ok, I'm getting somewhere. I'm now able to authenticate against the AD using the following ldap.conf:

host ip.of.ad.server
base cn=Users,dc=our,dc=domain,dc=com

binddn cn=padl,cn=Users,dc=our,dc=domain,dc=com
bindpw OurPassword

ssl no

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group

nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30uidNumber
nss_map_attribute gidNumber msSFU30gidNumber
nss_map_attribute gecos cn
nss_map_attribute homeDirectory msSFU30homeDirectory
nss_map_attribute loginShell msSFU30loginShell

pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_base_passwd cn=Users,dc=our,dc=domain,dc=com?one
pam_password ad

This is the config taken from a securityfocus article.

I can now login as a user, and I can see AD users and groups when I do a getent passwd or getent group

The problem I now have is that a getent group shows the groups, but not the members. Which is a problem for a number of reasons.

I've just tried the following command:
ldapsearch -H ldap://our.server.ip -x -D cn=padl,cn=Users,dc=our,dc=domain,dc=com -wOurPassword -b cn=Users,dc=our,dc=domain,dc=com -s sub "sAMAccountName=testgroup"

I get multiple msSFU30PosixMember attributes in the output of this command, one per user in the group, but the entry is as follows:
msSFU30PosixMember: CN=Wayne P,CN=Users,DC=our,DC=domain,DC=com

testgroup is a group that includes a user named waynep. getent group shows this group as follows (and does not include the user):
testgroup:x:10011:

Is there any way that I can have users being part of groups on the AD ?

I believe that I had that same problem, and that I resolved it by changing

nss_map_attribute uid sAMAccountName

to

nss_map_attribute uid uid

I discovered that when I was having a problem with the component requiring group membership to authenticate

Hmmm - that doesn't seem to work. In fact, it seems to stop authentication against the AD working all together.

I made the change as advised, and once I had, getent passwd no longer showed AD users. Attempting to use users with su or ssh failed with
su: user waynep does not exist
and
check pass; user unknown
respectively.

I then tried changing the pam_login_attribute from sAMAccountName to uid as well, but that still didnt' work.

I then reverted pam_login_attribute and nss_map attribute uid to sAMAccountName and was able to login again, but the group situation was not resolved.

I then changed my approach slightly so that instead of looking for uid or short username (waynep instead of Wayne P) in the output of an ldapsearch on the group, I looked for group information in the ldap search output of the user.

In there, I see multiple lines starting with memberOf and listing the group name, e.g.
memberOf: CN=testgroup,CN=users,DC=our,DC=domain,DC=com

Is there any way to use that rather than the member list from the group info ?

Or am I on the wrong track ?

Just to sumarise (as reading through my original e-mail, this may not be clear), I want a user that authenticates against the AD to be part of multiple groups that should be maintained on the AD

For example, when I do an id when logged in as waynep, I want to see
uid=10002(waynep) gid=10002(waynep_unixgroup) groups=10002(waynep_unixgroup),10011(testgroup)

Sorry about that...I made a mistake. That's what I get for telling you without looking at the documentation.

Change

nss_map_attribute uid uid

back to

nss_map_attribute uid uid

and then change your CN mapping to look like this:


nss_map_attribute cn cn

Thanks for all the feedback

sorry to be a pain, but this still makes no difference to the list of groups that id shows a user to belong to

Unfortunately, then, I'm going to have to wait to look into it further until I have my AD Lab back up and running (which I have to have done within a matter of days, anyway). I"ll try to pop back in and let you know what I find.

Also, dbruso, I just looked at your account again, and it was showing blocked again.

I unblocked you...again...try getting in...again.

I'll check on it again later today/tomorrow.