
shiden 06-16-2013 08:12 PM

Assistance ldap kerberos auth against AD 2008 centos 5.8
 
Hello,

I hope you are all well.
I am in need of assistance: I have been trying to get our CentOS 5.8 servers to authenticate against Active Directory 2008 servers.

I have no control over the AD server, just a bunch of Linux servers running CentOS 5.8.

Previously, LDAP was set up and authenticating to the AD server without a TLS certificate. Recently the AD people have started moving people away from our current domain to a new domain, and for the life of me I cannot get the servers to authenticate against the new domain.

I am not using winbind or Samba for authentication.

If someone could have a look and see where I am going wrong or what I am missing, I would greatly appreciate it.

My ldapsearch returns positive results.

authconfig --enablekrb5 --krb5realm=ABC.net --enablekrb5kdcdns --disbleldapauth --disablewinbindauth --disablewinbind --enableldap --ldapserver ldap://ldapsrv.ABC.net:3268 --ldapbasedn dc=ABC,dc=net --enablelocauthorize --disablesmbauth --updateall


Here are my files:
(sanitised version)

/etc/ldap.conf

# /etc/ldap.conf (nss_ldap / pam_ldap), sanitised copy as posted.
# Both "host" and "uri" are set (uri at the bottom); with nss_ldap the uri directive is
# normally the one honoured when both are present — confirm which endpoint the client really uses.
host ABC.net
base dc=ABC,dc=net

# Proxy identity used for NSS lookups. The DN contains "OU=,pp", which is not a valid RDN;
# presumably a sanitisation artefact, but verify the real DN parses.
# NOTE(review): bindpw is a cleartext secret. nss_ldap reads this file from every process that
# resolves users/groups, so it is typically world-readable and the password is exposed to every
# local account; a dedicated, least-privilege read-only proxy account is the usual mitigation.
binddn CN=USER1,OU=aa,OU=,pp,OU=blah,OU=moo,OU=blah,DC=ABC,DC=net
bindpw the_password

# tls_cacertdir is configured, but "ssl no" disables TLS entirely and "tls_checkpeer no" would
# skip certificate validation even if it were enabled. The proxy bind above therefore crosses
# the network in the clear on port 3268 (plain-LDAP Global Catalog).
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
ssl no
bind_policy soft
scope sub

timelimit 120
bind_timelimit 120
idle_timelimit 3600
pagesize 1000

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

# Referrals disabled; reasonable when querying the Global Catalog port, which should not chase them.
referrals no
nss_schema rfc2307bis

# Lookups are scoped to objects that carry POSIX attributes (uidnumber / gidnumber), which keeps
# non-Unix AD objects out of getpwent()/getgrent().
nss_base_passwd dc=ABC,dc=net?sub?&(objectCategory=user)(uidnumber=*)
nss_base_shadow dc=ABC,dc=net?sub?&(objectCategory=user)(uidnumber=*)
nss_base_group dc=ABC,dc=net?sub?&(objectCategory=group)(gidnumber=*)

# AD schema mapping: AD stores POSIX data on "user"/"group" objects rather than posixAccount/posixGroup.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute gecos displayName
nss_map_attribute uniqueMember member
pam_member_attribute member
pam_login_attribute sAMAccountName

# "pam_password ad" implies password changes over LDAP, which AD only accepts on an SSL/TLS
# session; "ssl no" above makes that impossible. Probably moot here, since the authconfig
# command in the post disables LDAP authentication in favour of Kerberos.
pam_password ad
# Port 3268 matches the authconfig --ldapserver value, but sssd.conf below points at 3269
# (the SSL Global Catalog port) with a plain ldap:// scheme — the two files disagree.
uri ldap://ldapsrv.ABC.net:3268


/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# NOTE(review): Kerberos realm names are case-sensitive and AD realms are the upper-case DNS
# name. With default_realm = abc.net, an unqualified login becomes user@abc.net, which the AD
# KDC will not treat as ABC.NET; the [domain_realm] section below already maps to ABC.NET,
# so this line looks like the odd one out. Also inconsistent with the authconfig command in the
# post, which passes --krb5realm=ABC.net.
default_realm = abc.net
dns_lookup_realm = false
# authconfig was run with --enablekrb5kdcdns, which should have set dns_lookup_kdc = true;
# this file says false, so either the file predates that run or authconfig did not apply
# (the command as posted contains a mistyped option, --disbleldapauth).
dns_lookup_kdc = false
ticket_lifetime = 10h
forwardable = yes
renew_lifetime = 7d

[realms]
# Two realm stanzas that differ only by case. Only the upper-case one should be needed once
# default_realm is fixed; the lower-case stanza is presumably a workaround for the line above.
# kdc/admin_server point at the domain name itself, relying on AD's DNS to resolve it to a DC.
ABC.NET = {
kdc = abc.net
admin_server = abc.net
}

abc.net = {
kdc = abc.net
admin_server = abc.net
}

[domain_realm]
#.example.com = EXAMPLE.COM
#example.com = EXAMPLE.COM

# Host-to-realm mapping is correct (upper-case realm).
abc.net = ABC.NET
.abc.net = ABC.NET

[appdefaults]
pam = {
# Set debug = true temporarily to get pam_krb5 diagnostics in the auth log while troubleshooting.
debug = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
# krb4_convert is an obsolete Kerberos 4 option; harmless but can be dropped.
krb4_convert = false
}


/etc/sssd/sssd.conf

# /etc/sssd/sssd.conf, sanitised copy as posted.
# NOTE(review): this file holds ldap_default_authtok, so it must be root-owned with mode 0600
# (SSSD refuses to start otherwise). Also, the authconfig command in the post never passes
# --enablesssd, so it is unclear from here whether SSSD is actually wired into NSS/PAM or
# whether nss_ldap (/etc/ldap.conf) is still doing the lookups — confirm with nsswitch.conf
# and the PAM stack before debugging this file further.
[sssd]
config_file_version = 2
services = nss, pam

domains = LDAP

[nss]

[pam]

# Example LDAP domain

[domain/LDAP]
id_provider = ldap
ldap_schema = rfc2307bis
# Port 3269 is the SSL/TLS Global Catalog port, but the scheme is plain ldap://. This does not
# match: either ldaps://ldapsrv.ABC.net:3269 (with a trusted CA configured) or
# ldap://ldapsrv.ABC.net:3268 as used in /etc/ldap.conf and the authconfig command.
ldap_uri = ldap://ldapsrv.ABC.net:3269
ldap_search_base = dc=ABC,dc=net

# Simple-bind proxy credentials. Note the "OU=,pp" RDN (probably sanitisation) and that the
# authtok is spelled "the_passord" here versus "the_password" in /etc/ldap.conf — if that is
# not a sanitisation typo, the bind itself fails.
# NOTE(review): ldap_sasl_mech = GSSAPI is set further down; when a SASL mechanism is
# configured SSSD binds with GSSAPI (needing a host keytab for this machine) and these
# simple-bind settings are not used. Without control of AD to create that keytab, dropping
# ldap_sasl_mech and keeping the simple bind over TLS is the more realistic path.
ldap_default_bind_dn = CN=USER1,OU=aa,OU=,pp,OU=blah,OU=moo,OU=blah,DC=ABC,DC=net
ldap_default_authtok_type = password
ldap_default_authtok = the_passord

enumerate = false

# Caches a hash of successful logins for offline use; stored under /var/lib/sss/db.
cache_credentials = true

# id_provider is already set above; duplicate key, last value presumably wins.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

# See the note on ldap_default_bind_dn above — this overrides the simple bind.
ldap_sasl_mech = GSSAPI

# AD schema mapping (same intent as the nss_map_* lines in /etc/ldap.conf).
ldap_user_object_class = user
ldap_group_object_class = group
ldap_group_search_base = OU=GRP,OU=Data,DC=ABC,DC=net
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_name = sAMAccountName

ldap_group_member = member
ldap_group_nesting_level = 4

#ldap_user_objectsid = objectSid
#ldap_group_objectsid = objectSID
#ldap_id_mapping = True


ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
# Duplicate of the ldap_user_home_directory line above.
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell

# Duplicate of the ldap_force_upper_case_realm line above.
ldap_force_upper_case_realm = true
;min_id = 0
;
# NOTE(review): krb5_realm should be the upper-case realm (ABC.NET) to agree with the
# [domain_realm] mapping in krb5.conf; mixed case here is the same class of problem as
# default_realm = abc.net in that file.
krb5_server = ABC.net
krb5_realm = ABC.net

#debug

# Maximum verbosity; useful while troubleshooting, lower it once the domain works since the
# logs under /var/log/sssd grow quickly at this level.
debug_level = 9

