
Hejemin 02-25-2011 09:28 AM

RHEL6, Windows 2008, LDAP
I have Redhat 5 playing nice as it authenticates against Windows Server 2008. But I ran into issues trying to get Redhat 6 to do it as well.

Here is where I stand on my redhat 6 box:

I have my certificates working between the windows and the redhat box.

From Root user I can SU to an Active Directory user.
getent works. I can see all the users info.
ldapsearch works with the CA certificate so my SSL handshake is working.
I do not suspect cert issues

But when I try to log in as an Active Directory user on my Redhat 6 box I get told I used an invalid password. The password works just fine on the Windows server, so I didn't fat finger anything. I am just confused as to why I can have getent and ldapsearch working but can not log in.

I have turned off iptables on redhat and the firewall on 2008 server to see if that would change the situation but no luck.

I noted that in Redhat 6 I need to configure SSSD rather than NSCD.

Let me know if you need to see my:

var messages

to provide further light and guidance on what I may be doing wrong or leaving out in my configurations.

battletroll 02-25-2011 10:07 AM

Ensure Kerberos is configured and the server times are synced

adamjohnson01 04-05-2011 05:32 AM

I am also getting the password error. Did you manage to figure this out?

adamjohnson01 04-05-2011 08:51 AM

I have figured this out now. I had to add the relevant lines into /etc/pam.d/password-auth. I had only edited system-auth.
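As an added illustration of the fix above (not code from this thread): on RHEL 6, sshd and other network services include /etc/pam.d/password-auth, while console login and su include system-auth, so a directory module added only to system-auth leaves SSH password logins failing even though getent (NSS only) and su from root (pam_rootok short-circuits the auth stack) both succeed. This Python checker resolves include/substack lines and lists the services whose auth stack never reaches an LDAP/SSSD/Kerberos module; the sample PAM files are constructed.

```python
import re

# Constructed sample PAM files modelled on the thread: the LDAP module was
# added to system-auth only, so services that include password-auth never see it.
SAMPLE_FILES = {
    "/etc/pam.d/system-auth": (
        "auth        required      pam_env.so\n"
        "auth        sufficient    pam_unix.so nullok try_first_pass\n"
        "auth        sufficient    pam_ldap.so use_first_pass\n"
        "auth        requisite     pam_succeed_if.so uid >= 500 quiet\n"
        "auth        required      pam_deny.so\n"),
    "/etc/pam.d/password-auth": (
        "auth        required      pam_env.so\n"
        "auth        sufficient    pam_unix.so nullok try_first_pass\n"
        "auth        requisite     pam_succeed_if.so uid >= 500 quiet\n"
        "auth        required      pam_deny.so\n"),
    # sshd on RHEL 6 pulls in password-auth; console login pulls in system-auth
    "/etc/pam.d/sshd": ("auth       required     pam_sepermit.so\n"
                        "auth       include      password-auth\n"),
    "/etc/pam.d/login": "auth       include      system-auth\n",
}

DIRECTORY_MODULES = ("pam_ldap.so", "pam_sss.so", "pam_krb5.so", "pam_winbind.so")
# type, control (plain word or [bracketed] form), module-or-file, then options
LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def auth_modules(files, service, seen=None):
    """Return the modules on the resolved 'auth' stack of a PAM service,
    following include/substack lines the way libpam does."""
    seen = set() if seen is None else seen
    path = "/etc/pam.d/" + service
    if service in seen or path not in files:   # missing file or include loop
        return []
    seen.add(service)
    modules = []
    for raw in files[path].splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue                             # comment, blank, or not 'auth'
        control, target = m.groups()
        if control in ("include", "substack"):
            modules.extend(auth_modules(files, target, seen))
        else:
            modules.append(target)
    return modules


def services_missing_directory_auth(files):
    """Services whose auth stack never consults an LDAP/SSSD/Kerberos module."""
    names = sorted(p.rsplit("/", 1)[1] for p in files)
    return [s for s in names
            if not any(m in DIRECTORY_MODULES for m in auth_modules(files, s))]
```

Run against the real /etc/pam.d directory (read each file into the dict) it flags exactly the services that will reject directory passwords.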

brooky9999 05-19-2012 10:28 AM

Hi Hejemin,

I would dearly love to see your config files (minus sensitive bits of course), as I've been trying for two days to get this working and it's still not playing.

I can get RHEL 5.x clients working with 2008 R2 Active Directory without any issues... but getting RHEL 6 to do it is killing me.

My first question is where does ldap.conf go? /etc or /etc/openldap?

Here are my relevant files:

/etc/ldap.conf (nss_ldap):
uri ldap://
base dc=child,dc=test,dc=ad
binddn cn=sa_ldap,ou=Service Accounts,ou=Users,ou=Managed,dc=child,dc=test,dc=ad
bindpw Password123
scope sub
ssl no
nss_base_passwd dc=child,dc=test,dc=ad?sub
nss_base_shadow dc=child,dc=test,dc=ad?sub
nss_base_group dc=child,dc=test,dc=ad?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos cn
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn cn
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

/etc/openldap/ldap.conf:
BASE    dc=child,dc=test,dc=ad
URI     ldap://

/etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CHILD.TEST.AD
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 CHILD.TEST.AD = {
  kdc =
  admin_server =
  default_domain =
 }

[domain_realm]
 = CHILD.TEST.AD
 = CHILD.TEST.AD

/etc/pam.d/system-auth (the pam_*.so module names did not survive the paste):
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required
auth        sufficient nullok try_first_pass
auth        sufficient use_first_pass
auth        requisite uid >= 500 quiet
auth        required

account     required
account     sufficient
account     sufficient
account     sufficient uid < 500 quiet
account     required

password    requisite try_first_pass retry=3 type=
password    sufficient use_authtok
password    sufficient sha512 shadow nullok try_first_pass use_authtok
password    required

session     optional revoke
session     required
session     required
session     [success=1 default=ignore] service in crond quiet use_uid
session     required

/etc/nsswitch.conf:
passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:  nisplus [NOTFOUND=return] files
#networks:  nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc:       nisplus [NOTFOUND=return] files
#ethers:    nisplus [NOTFOUND=return] files
#netmasks:  nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

I'm not sure what should go in /etc/sssd.conf.

Time/date is synchronised with the domain controller, and all host names can be resolved without issue.

I realise this thread is quite old, but any pointers would be greatly received :-)

Many thanks,
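An sssd.conf for the setup brooky9999 describes, added here as an example and not taken from the thread. It carries the search base, bind DN and nss_map_* attribute mapping from the ldap.conf pasted above into SSSD's LDAP identity provider and uses the CHILD.TEST.AD KDC for authentication; the DC hostname, CA certificate path and bind password are placeholders. Unlike the pasted ldap.conf (ssl no, cleartext bindpw), it requires a verified LDAPS connection, and sssd.conf itself must be root-owned with mode 0600 or sssd refuses to start.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = CHILD.TEST.AD

[nss]

[pam]

[domain/CHILD.TEST.AD]
# Identity comes from AD over LDAP; passwords are verified by the AD KDC.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
# Placeholder: the domain controller's FQDN (matching its certificate)
ldap_uri = ldaps://DC_HOSTNAME_PLACEHOLDER
ldap_search_base = dc=child,dc=test,dc=ad
ldap_schema = rfc2307
# Same mapping as the nss_map_objectclass / nss_map_attribute lines above
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_gecos = cn
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_member = member
# Bind account; the password lives only in this 0600 root-owned file
ldap_default_bind_dn = cn=sa_ldap,ou=Service Accounts,ou=Users,ou=Managed,dc=child,dc=test,dc=ad
ldap_default_authtok_type = password
ldap_default_authtok = BIND_PASSWORD_PLACEHOLDER
# Require a verified TLS channel to the DC (never the ldap.conf "ssl no")
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/CA_CERT_PLACEHOLDER.pem
krb5_realm = CHILD.TEST.AD
krb5_server = DC_HOSTNAME_PLACEHOLDER
cache_credentials = true
enumerate = false
```

After writing it, authconfig --enablesssd --enablesssdauth --update rewrites both /etc/pam.d/system-auth and /etc/pam.d/password-auth with pam_sss.so, which covers the password-auth omission adamjohnson01 ran into.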

