Old 09-06-2006, 01:26 PM   #1
zok
Authenticating Redhat Against AD


I'm trying to set up a Redhat AS 3 server to authenticate against Active Directory following an online article entitled "Unite your Linux and Active Directory authentication" on linux.com (the message board won't let me post the url), but I'm running into some problems. If I run getent passwd <username>, it successfully pulls the info from AD; but I'm not able to ssh into the machine. When I type in the correct username and password my logs show the following:
Sep 6 13:59:50 testmail2 sshd(pam_unix)[15667]: check pass; user unknown
Sep 6 13:59:50 testmail2 sshd(pam_unix)[15667]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=<source host>
When I type in the wrong password the logs show this:
Sep 6 14:00:24 testmail2 sshd(pam_unix)[15667]: check pass; user unknown
Sep 6 14:00:24 testmail2 sshd[15667]: pam_ldap: error trying to bind as user "CN=<user>,OU=<OU>,DC=<our>,DC=<domain>,DC=com" (Invalid credentials)

I have openldap-2.0.27-22 and nss_ldap-207-17 installed and configured as follows. /etc/ldap.conf:
host <our domain controller>
base dc=<our>,dc=<domain>,dc=com
binddn cn=<bind user>,ou=<ou>,dc=<our>,dc=<domain>,dc=com
bindpw <bind user password>
scope sub
ssl no
nss_base_passwd dc=<our>,dc=<domain>,dc=com?sub
nss_base_shadow dc=<our>,dc=<domain>,dc=com?sub
nss_base_group dc=<our>,dc=<domain>,dc=com?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_member_attribute msSFU30PosixMember
pam_password ad
/etc/nsswitch.conf includes:
passwd: files ldap
shadow: files ldap
group: files ldap
/etc/pam.d/system-auth:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_localuser.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
I followed the docs and I don't see anything that could be the problem so I'm stuck at this point. Any help would be appreciated.

Thanks,
Jason
 
Old 09-06-2006, 03:31 PM   #2
zok
Turns out I just had to restart ssh.
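
The following check is an added example, not part of either post: it reports whether a running daemon was started before the files from post #1 were last edited, which is one plausible reason a restart helped (the thread does not state the cause). The script name, function names and the use of GNU `stat`/`date` and procps `pgrep`/`ps` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: a daemon started before its
# NSS/LDAP/PAM files were last edited may still be using the old settings.

# The three files edited in post #1.
CONFIG_FILES="/etc/nsswitch.conf /etc/ldap.conf /etc/pam.d/system-auth"

# stale_configs START_EPOCH FILE...
# Print every existing FILE whose mtime is later than START_EPOCH.
stale_configs() {
    start=$1
    shift
    for f in "$@"; do
        [ -e "$f" ] || continue
        mtime=$(stat -c %Y "$f") || continue   # GNU stat: mtime in epoch seconds
        if [ "$mtime" -gt "$start" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# check_daemon NAME
# Compare the start time of the oldest NAME process with CONFIG_FILES.
# Returns 0 = up to date, 1 = restart needed, 2 = could not check.
check_daemon() {
    pid=$(pgrep -o -x "$1") || { echo "$1 is not running"; return 2; }
    started=$(date -d "$(ps -o lstart= -p "$pid")" +%s) || return 2
    stale=$(stale_configs "$started" $CONFIG_FILES)
    if [ -n "$stale" ]; then
        echo "$1 (pid $pid) was started before these files were last changed:"
        echo "$stale"
        return 1
    fi
    echo "$1 (pid $pid) started after the last change to the checked files"
}

# Run only when a daemon name is given, e.g.:  sh check_stale.sh sshd
if [ "$#" -gt 0 ]; then
    check_daemon "$1"
fi
```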