I have been trying to get AD logins working on a linux machine. If I create a local linux user with the same name as the AD user, the linux machine will require the AD password. But if no corresponding local user exists, then I get invalid user errors:

Create test01 locally with no password. test01 can then login using the AD password:

Dec 21 16:06:41 doladtest002 sshd[8467]: pam_krb5[8467]: error reading keytab 'FILE:/etc/krb5.keytab'
Dec 21 16:06:41 doladtest002 sshd[8467]: pam_krb5[8467]: TGT verified
Dec 21 16:06:41 doladtest002 sshd[8467]: pam_krb5[8467]: authentication succeeds for 'test01' (test01@DOL.LOCAL)
Dec 21 16:06:41 doladtest002 sshd[8467]: Accepted password for test01 from x.x.x.x port 51130 ssh2
Dec 21 16:06:41 doladtest002 sshd[8467]: pam_unix(sshd:session): session opened for user test01 by (uid=0)
Dec 21 16:06:46 doladtest002 sshd[8467]: pam_unix(sshd:session): session closed for user test01

Delete local user test01 and delete home directory:

Dec 21 16:06:54 doladtest002 userdel[8498]: delete user `test01'
Dec 21 16:06:54 doladtest002 userdel[8498]: removed group `test01' owned by `test01'

Attempt login with AD account but no local account:

Dec 21 16:07:10 doladtest002 sshd[8504]: Invalid user test01 from x.x.x.x
Dec 21 16:07:10 doladtest002 sshd[8505]: input_userauth_request: invalid user test01
Dec 21 16:07:16 doladtest002 sshd[8504]: pam_unix(sshd:auth): check pass; user unknown
Dec 21 16:07:16 doladtest002 sshd[8504]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
Dec 21 16:07:16 doladtest002 sshd[8504]: pam_succeed_if(sshd:auth): error retrieving information about user test01
Dec 21 16:07:18 doladtest002 sshd[8504]: Failed password for invalid user test01 from x.x.x.x port 51138 ssh2
Dec 21 16:07:20 doladtest002 sshd[8505]: Received disconnect from x.x.x.x: 13: Unable to authenticate

Attempt login with AD account using name@machine.dol.local:

Dec 21 16:12:53 doladtest002 sshd[8527]: Invalid user test01@doladtest002.dol.local from x.x.x.x
Dec 21 16:12:53 doladtest002 sshd[8528]: input_userauth_request: invalid user test01@doladtest002.dol.local
Dec 21 16:12:58 doladtest002 sshd[8527]: pam_unix(sshd:auth): check pass; user unknown
Dec 21 16:12:58 doladtest002 sshd[8527]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
Dec 21 16:12:58 doladtest002 sshd[8527]: pam_succeed_if(sshd:auth): error retrieving information about user test01@doladtest002.dol.local
Dec 21 16:13:01 doladtest002 sshd[8527]: Failed password for invalid user test01@doladtest002.dol.local from x.x.x.x port 51220 ssh2
Dec 21 16:13:02 doladtest002 sshd[8528]: Received disconnect from x.x.x.x: 13: Unable to authenticate

I too cannot seem to get past this. When I played around with Samba and Winbind, I got better results, but I don't want to use that. I should be able to do this with just Kerberos and LDAP. I am copying the relevant config files from a linux machine in a different domain that authenticates to AD using Kerberos and authorizes access based on AD group via LDAP.

This is driving me insane. I have gone through every setting I can think of on both the Domain Controller and the linux machine. I have compared my config files to working config files. I have compared Domain Controller settings. In the domain where this is working, Samba is not being used. Any suggestions are welcome. I am stuck.

Here is a successful AD user login on a linux machine in the other domain. There is no corresponding local user:

Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_krb5[27107]: error reading keytab 'FILE:/etc/krb5.keytab'
Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_krb5[27107]: TGT verified
Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_krb5[27107]: authentication succeeds for 'tgiardi' (tgiardi@DOMAIN.COM)
Dec 21 10:49:26 enysvlalb012 sshd[27107]: Accepted password for tgiardi from x.x.x.x port 50618 ssh2
Dec 21 10:49:26 enysvlalb012 sshd[27107]: pam_unix(sshd:session): session opened for user tgiardi by (uid=0)

How does /etc/pam.d/ssh(d) (and any file it references, like /etc/pam.d/system-auth) compare with the corresponding file(s) on the working system?

I worked with Red Hat the other day and got it working. We replaced the ldap.conf file with a new simplified one. That did the trick. Not sure which lines were causing problems in the old one yet. Thanks.

jrella, mind you sharing that "simplified one"? which can shed some light to those who are having the same kind of problem. Cheers

Sure thing. Here it is:

host x.x.x.x

base dc=abc,dc=local

binddn ldapuser@ABC.LOCAL
bindpw Password1!

timelimit 120
bind_timelimit 120
idle_timelimit 3600

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

Okay now, jrella, what were the differences? What do you conjecture was the root-cause of the problem? Go ahead, please, and follow through on this thread to a logical conclusion that someone else, maybe months or years from now, can pick-up and actually use. So far, you've stopped with, "Well, I solved it!"

... leaving the next Gentle Reader to cry, "But how?" (Kinda like eating a whole box of Cracker Jacks and finding no toy in the bottom of the box.)

Unfortunately, I do not know the differences between the files. The config file I was using was modified from another AD setup in an identical fashion. It worked in that domain, but when I changed the domain and IP specific information and tried to use the same config in the new domain, it would not work. The simplified one above did work.

Here is the original, which worked in one domain but not the other:

host x.x.x.x
base dc=ABC,dc=LOCAL
uri ldap://fqdn/
binddn ldapuser@abc.LOCAL
bindpw Password1!
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap
referrals no
ssl no
nss_base_passwd dc=DOL,dc=local?sub?
nss_base_shadow dc=DOL,dc=local?sub?
nss_base_group dc=DOL,dc=local?sub?&(objectCategory=group)(gidnumber=*)
nss_objectclass posixAccount user
nss_objectclass shadowAccount user
nss_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos cn
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember
memberpam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
bind_policy soft
debug 1

If I had to guess, I would suspect that the lines...

uri ldap://fqdn/
referrals no
ssl no
nss_base_passwd dc=DOL,dc=local?sub?
nss_base_shadow dc=DOL,dc=local?sub?
nss_base_group dc=DOL,dc=local?sub?&(objectCategory=group)(gidnumber=*)

...were causing it to fail. Why, I do not know.

I hope that helps someone. Let me know if there is anything else I can provide.