Hi Hejemin,
I would dearly love to see your config files (minus sensitive bits of course), as I've been trying for two days to get this working and it's still not playing.
I can get RHEL 5.x clients working with 2008 R2 Active Directory without any issues... but getting RHEL 6 to do it is killing me.
My first question is where does ldap.conf go? /etc or /etc/openldap?
Here are my relevant files:
/etc/ldap.conf
Code:
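# /etc/ldap.conf — nss_ldap / pam_ldap client configuration (the RHEL 5-era layout).
# NOTE(review): RHEL 6 ships nss-pam-ldapd (the nslcd daemon, configured in
# /etc/nslcd.conf) and its pam_ldap reads /etc/pam_ldap.conf; /etc/ldap.conf is
# only consulted if the nss_ldap package itself is installed — confirm which
# package is present before tuning the directives below.
uri ldap://192.168.0.1/
host 192.168.0.1
base dc=child,dc=test,dc=ad
# Simple bind as a service account. With "ssl no" below, this password crosses
# the network in clear text on every lookup, and /etc/ldap.conf is normally
# world-readable, so every local account can read it as well. Once the DC
# presents a certificate, prefer "ssl start_tls" plus
# "tls_cacertfile <CA bundle path>" (placeholder) and "tls_checkpeer yes"; to
# keep the password out of a world-readable file, use "rootbinddn" with the
# password in /etc/ldap.secret (root-owned, mode 0600) instead of bindpw here.
binddn cn=sa_ldap,ou=Service Accounts,ou=Users,ou=Managed,dc=child,dc=test,dc=ad
bindpw Password123
scope sub
ssl no
# Search bases, in the form "base?scope?filter". The whole domain is searched
# with scope "sub"; narrowing the base to the OUs that hold Unix-enabled objects
# would reduce load on the DC but is not required.
nss_base_passwd dc=child,dc=test,dc=ad?sub
nss_base_shadow dc=child,dc=test,dc=ad?sub
# The filter field must be one parenthesised LDAP filter with no embedded
# spaces; the original "&(objectCategory=group) (gidnumber=*)" is not a
# well-formed filter and can make every group lookup fail.
nss_base_group dc=child,dc=test,dc=ad?sub?(&(objectCategory=group)(gidnumber=*))
# Map the RFC 2307 object classes onto the AD classes that carry the
# Services-for-Unix / IdMU attributes.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
# Attribute mappings: the Unix login name comes from sAMAccountName; uidNumber,
# gidNumber, loginShell and unixHomeDirectory are the SFU/IdMU attributes.
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos cn
# Authentication in the posted PAM stack goes through pam_krb5, so this mapping
# presumably is not what validates logins — confirm it is wanted at all.
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory unixHomeDirectory
# AD group membership lives in "member"; map the RFC 2307bis attribute onto it.
nss_map_attribute uniqueMember member
nss_map_attribute cn cn
# Timeouts (seconds). 120 s search/bind limits are generous: a DC that is down
# can stall name lookups for that long before the client gives up.
timelimit 120
bind_timelimit 120
idle_timelimit 3600
# Skip LDAP group lookups for these local system accounts so daemons can start
# even when the directory is unreachable.
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm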
/etc/openldap/ldap.conf
Code:
# /etc/openldap/ldap.conf — defaults for the OpenLDAP client library (ldapsearch
# and friends). nss_ldap takes its own settings from /etc/ldap.conf, but any
# program linked against the OpenLDAP library also picks up defaults from here
# (for example TLS_CACERT), so keep the two files consistent.
BASE dc=child,dc=test,dc=ad
# Plain ldap://: a hand-run ldapsearch with a simple bind sends the password in
# clear text; use -ZZ (StartTLS) once the DC has a certificate.
URI ldap://192.168.0.1/
/etc/krb5.conf
Code:
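# /etc/krb5.conf — MIT Kerberos client configuration for the AD realm.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# The AD domain, upper-cased, is the realm name; it must match the realm the
# DC issues tickets for.
default_realm = CHILD.TEST.AD
# Both DNS lookups let the client discover the realm and the KDCs from DNS
# (_kerberos TXT / SRV records). For hosts not mapped in [domain_realm], DNS
# answers therefore decide which realm and KDC a password is sent to; the
# explicit kdc entries in [realms] and the mappings below keep that under
# local control.
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
CHILD.TEST.AD = {
kdc = dc.child.test.ad:88
admin_server = dc.child.test.ad:749
default_domain = child.test.ad
}
[domain_realm]
# Map the realm's own DNS domain to the realm. The original file only mapped
# nl.mdb-lab.com, which does not match default_domain (child.test.ad); without
# these two lines, hosts in child.test.ad are mapped only through DNS or the
# default-realm fallback.
.child.test.ad = CHILD.TEST.AD
child.test.ad = CHILD.TEST.AD
.nl.mdb-lab.com = CHILD.TEST.AD
nl.mdb-lab.com = CHILD.TEST.AD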
/etc/pam.d/password-auth
Code:
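#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): because authconfig rewrites this file, hand edits (including the
# umask change below) are lost on its next run. On RHEL 6 sshd includes
# password-auth, while console logins include system-auth, which is not shown
# here and needs the same pam_krb5 lines.
# Authentication: local password first, then Kerberos with the same password.
auth required pam_env.so
# "nullok" lets a local account with an empty password field log in; drop it
# unless such accounts are deliberately in use.
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
# Account checks: pam_unix, then Kerberos, then any user present in
# /etc/passwd, then system accounts (uid < 500).
account required pam_unix.so
account sufficient pam_krb5.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_krb5.so use_authtok
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
# Create the home directory on first login. Without umask=0077, pam_mkhomedir
# uses its default mask (0022) and every new home directory is world-readable.
session required pam_mkhomedir.so umask=0077
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so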
/etc/nsswitch.conf
Code:
# /etc/nsswitch.conf — name-service source order.
# The "ldap" source needs an NSS backend: nss_ldap (reads /etc/ldap.conf) on
# RHEL 5, or on RHEL 6 nss-pam-ldapd with the nslcd daemon running (reads
# /etc/nslcd.conf) — or sssd, which is listed as "sss" instead. If no backend is
# installed, the ldap source is ignored and AD users are never found; check with
# "getent passwd <ad-user>" (placeholder user name).
passwd: files ldap
# Shadow lookups via LDAP only succeed if the bind account can read the mapped
# shadow attributes in AD; with pam_krb5 doing the authentication they are
# presumably not needed for login.
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
# The remaining nisplus sources are the distribution defaults and are unused
# without a NIS+ server; they do not affect AD logins.
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
I'm not sure what should go in /etc/sssd.conf.
Time/date is synchronised with the domain controller, and all host names can be resolved without issue.
I realise this thread is quite old, but any pointers would be gratefully received :-)
Many thanks,
-Mark