
jjiang2014 01-07-2014 05:09 PM

centOS 5.9 getent passwd returns only local accounts.
 
Hi all,
Recently I tried to set up Kerberos+LDAP authentication against a Windows 2008 server from my CentOS 5.9 64-bit client, but `getent passwd` does not return domain users the way it does on my CentOS 5.10 64-bit box. The config files are below; ports 389 and 88 are reachable, and an ldapsearch using the bind account works fine.
any help appreciate!

Note: I installed krb5-workstation, openldap-clients, nss_ldap and pam_krb5.

[root@xxx ~]# nc -zv x.x.7.34 389
Connection to x.x.7.34 389 port [tcp/ldap] succeeded!
[root@xxx ~]# nc -zv x.x.7.34 88
Connection to x.x.7.34 88 port [tcp/kerberos] succeeded!
[root@xxx ~]# nc -u -zv x.x.7.34 88
Connection to x.x.7.34 88 port [udp/kerberos] succeeded!


1./etc/nsswitch.conf

# /etc/nsswitch.conf -- getent passwd/group/shadow asks the local files first, then
# nss_ldap.  An empty result with no error from the ldap source usually means the
# search base or the uidNumber/gidNumber attribute mapping in /etc/ldap.conf matched
# nothing; entries without a numeric uid/gid are not shown at all.
passwd: files ldap
shadow: files ldap
group: files ldap

2./etc/pam.d/system-auth
# /etc/pam.d/system-auth -- authconfig-style stack: local pam_unix first, then
# Kerberos via pam_krb5.  There is no pam_ldap line, so the pam_* settings in
# /etc/ldap.conf (pam_login_attribute, pam_filter, pam_password) are never consulted
# by this stack; LDAP is only used by nss_ldap for name lookups.
auth required pam_env.so
# nullok: a local account whose password field is empty can log in without a
# password.  Review: drop nullok unless an empty-password local account is intended.
auth sufficient pam_unix.so nullok try_first_pass
# Only UIDs >= 500 are tried against Kerberos, so a domain user needs a numeric
# uidNumber (>= 500) from the nss_ldap mapping or is denied right here.
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
# Users present in /etc/passwd and system UIDs skip the Kerberos account check.
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
# user_unknown=ignore plus the trailing pam_permit means a user pam_krb5 does not
# know still passes the account phase; as far as this stack shows, expiry/lockout
# for domain users is enforced only through the KDC's answer.
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
# md5: local password hashes use MD5-crypt.  Review: if this release's pam_unix
# supports it (authconfig --passalgo=sha512), sha512 is the better choice.
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
# Home directories are created on first login, mode 0700 (umask=0077).
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

3./etc/krb5.conf

[libdefaults]
# Must match the AD realm exactly (conventionally the upper-cased DNS domain).
default_realm = x.x.COM
# Realm and KDC come from this file, not from DNS SRV/TXT records, so the kdc
# line below has to be kept in step with the domain controllers by hand.
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
x.x.COM = {
kdc = x1-inf-dc-s01.cloud.x.com
admin_server =x1-inf-dc-s01.cloud.x.com
}

[domain_realm]
x.com = x.x.COM
.x.com = x.x.COM
# Review: pam_krb5 reads 'validate' from here.  As I read pam_krb5(5), false skips
# checking the freshly obtained TGT against the host key in /etc/krb5.keytab, so
# anything able to answer as the KDC on port 88 could get pam_krb5 to accept a
# password of its choosing.  Once a host/<fqdn> principal is in the keytab,
# set validate = true.
[appdefaults]
validate = false

4./etc/ldap.conf

# /etc/ldap.conf (nss_ldap).  Only the nss_* lines matter for getent; the pam_*
# lines are inert because /etc/pam.d/system-auth does not load pam_ldap.
# Review: a plain ldap:// URI with 'ssl no' below sends the bind DN/password and
# every directory query in clear text on 389.  Prefer ldaps:// (636) or
# 'ssl start_tls' with tls_cacertfile set to the domain CA and tls_checkpeer yes.
uri ldap://x.x.7.34/
# Review: this base (dc=x,dc=x,dc=com) is not the naming context used by the binddn
# and nss_base_* lines (dc=cloud,dc=x,dc=com).  If that is not a redaction artefact,
# any lookup that falls back to 'base' will return nothing.
base dc=x,dc=x,dc=com

ldap_version 3
port 389
scope sub
ssl no

# Review: /etc/ldap.conf is normally world-readable, so this password is visible to
# every local user.  Keep the account strictly read-only (directory lookup only);
# for root-only lookups rootbinddn + /etc/ldap.secret (mode 0600) keeps the secret
# out of this file.
binddn CN=Linux-bind-user,OU=Service_accounts,OU=x,DC=cloud,DC=x,DC=com
bindpw xxxxx

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group

nss_map_attribute uid sAMAccountName
# Review: the msSFU30* attribute names belong to Services for UNIX 3.x on older AD
# schemas; Windows Server 2003 R2 / 2008 normally store the RFC2307 values as plain
# uidNumber, gidNumber, unixHomeDirectory and loginShell.  If the 2008 DC's user
# objects carry uidNumber rather than msSFU30UidNumber, nss_ldap finds no numeric
# UID/GID and returns nothing -- consistent with the empty getent output.  Confirm
# with the bind account: ldapsearch ... '(sAMAccountName=<user>)' uidNumber msSFU30UidNumber
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber

nss_map_attribute gecos name

nss_map_attribute homeDirectory msSFU30HomeDirectory

# AD does not normally expose a readable password hash to LDAP clients; with
# pam_krb5 doing authentication this mapping is unused.
nss_map_attribute userPassword msSFU30Password
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn

pam_login_attribute sAMAccountName

pam_filter objectclass=User


# Only objects under these OUs are visible to getent; a domain user outside
# OU=x,OU=Administrators,... is not listed even when the attribute mapping is right.
nss_base_passwd OU=x,OU=Administrators,OU=x,dc=cloud,dc=x,dc=com?sub
nss_base_shadow OU=x,OU=Administrators,OU=x,dc=cloud,dc=x,dc=com?sub
nss_base_group OU=Groups,OU=x,dc=cloud,dc=x,dc=com?sub



# pam_password ad: AD only accepts password (unicodePwd) changes over an encrypted
# connection, so with 'ssl no' above this path cannot work; password changes
# currently go through pam_krb5 instead.
pam_password ad

# Used by sudo-ldap only.  Review: sudoers_base normally points at a container of
# sudoRole objects; pointing it at a group object is unusual -- verify it is intended.
sudoers_base CN=x-admins,OU=Groups,OU=x,DC=cloud,DC=x,DC=com

linosaurusroot 01-10-2014 09:17 AM

Do you also have a hosts definition in nsswitch.conf, and all necessary hostnames in /etc/hosts ?

jjiang2014 01-10-2014 11:59 AM

Following is my /etc/hosts; I can ping the DC by name since /etc/resolv.conf defines the name server.

# Do not remove the following line, or various programs
# that require network functionality will fail.
# Review: the host's own FQDN (x.cloud.x.com) resolves to 127.0.0.1 here.  Kerberos
# derives the host/<fqdn> principal from the canonicalised name, and services that
# reverse-resolve the client may see 'localhost'.  Mapping the FQDN to the real
# interface address on its own line and leaving 127.0.0.1 to localhost is safer.
127.0.0.1 x.cloud.x.com x-x-x-g01 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
/etc/hosts (END)

/etc/nsswitch.conf

# Name resolution: /etc/hosts first, then the name servers in /etc/resolv.conf.
hosts: files dns

