LinuxQuestions.org - RHEL 5 SSH Login with AD User

Hi all,

I got my RHEL 5 Server joined to our domain but I can't seem to log in using ssh with an AD user. I am able to sudo to a domain user once I log in with root so I'm not sure what exactly is wrong.

nsswitch.conf:

Code:

passwd:    files winbind

shadow:    files winbind

group:      files winbind

ethers:    files

netmasks:  files

networks:  files

protocols:  files

rpc:        files

services:  files



netgroup:  files



publickey:  nisplus



automount:  files

aliases:    files

krb5.conf:

Code:

[logging]

 default = FILE:/var/log/krb5libs.log

 kdc = FILE:/var/log/krb5kdc.log

 admin_server = FILE:/var/log/kadmind.log



[libdefaults]

 default_realm = CHILD.CORP.DOMAIN.COM

 dns_lookup_realm = false

 dns_lookup_kdc = false

 ticket_lifetime = 24h

 forwardable = yes



[realms]

 CHILD.CORP.DOMAIN.COM = {

  kdc = DC01.CHILD.CORP.DOMAIN.COM:88

  admin_server = DC01.CHILD.CORP.DOMAIN.COM:749

  default_domain = CHILD.CORP.DOMAIN.COM

 }



[domain_realm]

 .child.corp.domain.com = CHILD.CORP.DOMAIN.COM

 child.corp.domain.com = CHILD.CORP.DOMAIN.COM



[appdefaults]

 pam = {

  debug = true

  ticket_lifetime = 36000

  renew_lifetime = 36000

  forwardable = true

  krb4_convert = false

 }

smb.conf:

Code:

workgroup = CHILD

realm = CHILD.CORP.DOMAIN.COM

security = ads

password server = DC01.CHILD.CORP.DOMAIN.COM

idmap uid = 16777216-33554431

idmap gid = 16777216-33554431

template shell = /bin/bash

winbind use default domain = true

winbind enum groups = yes

winbind enum users = yes

template homedir = /home/%D/%U

system-auth:

Code:

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth        required      pam_env.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite    pam_succeed_if.so uid >= 500 quiet

auth        required      pam_deny.so

auth        sufficient    pam_winbind.so use_first_pass



account    required      pam_unix.so broken_shadow

account    sufficient    pam_succeed_if.so uid < 500 quiet

account    required      pam_permit.so

account [default=bad success=ok user_unknown=ignore] pam_winbind.so



password    requisite    pam_cracklib.so try_first_pass retry=3

password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok

password    required      pam_deny.so

password    sufficient    pam_winbind.so use_authtok



session    optional      pam_keyinit.so revoke

session    required      pam_limits.so

session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session    required      pam_unix.so

session    required      pam_mkhomedir.so skel=/etc/skel umask=0077

when I run

Code:

wbinfo -u

I get my domain users.

when I run

Code:

wbinfo -g

I get my domain groups.

when I run

Code:

getent passwd

I get my local users and domain users.

when I run

Code:

getent group

I get my local groups and domain groups.

when I run

Code:

net ads testjoin

I get "join OK"

when I run

Code:

kinit user@CHILD.CORP.DOMAIN.COM

and then

Code:

klist -5

I get to see my kerberos ticket

So it all seems to be set up correctly but when I try to ssh into the server, I get an access denied error. Unfortunately the server is offsite so I can't try at the terminal to see if it works from there. Anyone know what I might be missing?:(

Thanks,

Victor