LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 02-08-2005, 05:55 AM   #1
alex r
LQ Newbie
 
Registered: Feb 2005
Posts: 26

Rep: Reputation: 15
Active Directory vs LDAP


Hello everybody!
I have a windows 2003 server running and want to connect some linux clients to it. The users of the linux clients don't have their user accounts in the /etc/passwd and /etc/shadow files but in the active directory. So I installed the ldap client to make authentication possible. After edting /etc/pam.d/system-auth , /etc/ldap.conf and /etc/nsswitch.conf (since I have fedore core 2 running I did everything with authconfig) I tried to logon with a user name I created on the windows server. I got the error message: login incorrect. A look into /var/log/messages:

linux login(pam_unix) [2367]: check pass; user unknown
linux login(pam_unix) [2367]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
pam_ldap: error trying to bind (invalid credentials)

The user I tried to log on with has admin rights! Any idea what this can be?


Thanks!
Alex
 
Old 02-08-2005, 06:12 AM   #2
musicman_ace
Senior Member
 
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555

Rep: Reputation: 46
Is pam-kbr5 loaded. You'll need Kerberos security to authenicate to a Windows domain. Not sure that LDAP itself would do that for you.
 
Old 02-08-2005, 06:35 AM   #3
alex r
LQ Newbie
 
Registered: Feb 2005
Posts: 26

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by musicman_ace
Is pam-kbr5 loaded. You'll need Kerberos security to authenicate to a Windows domain. Not sure that LDAP itself would do that for you.
Yes, it is loaded and Kerberos authentication works. I tried it with e.g. kinit <username> or ksu <username>.

I think the problem is ldap. I enter the command ' ldapsearch -x "" ' and get an output like:

# base <> with scope sub
# filter: (objectclass =*)
# requesting:

result: 1 operations error
text: 00000000: Ldap Err: DSID-0C090SFF

[...]

same with the command ' ldapsearch -x '. Any idea what this could be?
 
Old 02-08-2005, 10:49 AM   #4
Brian Knoblauch
Member
 
Registered: Jan 2005
Distribution: OpenSuse Tumbleweed
Posts: 288

Rep: Reputation: 39
Running Active Directory in 2000/NT compatibility mode, or native 2003 mode?
 
Old 02-08-2005, 09:50 PM   #5
alex r
LQ Newbie
 
Registered: Feb 2005
Posts: 26

Original Poster
Rep: Reputation: 15
Running in native 2003 mode. That 2003 mode is compatible to the ldap, isn't it?
 
Old 02-09-2005, 12:58 AM   #6
alex r
LQ Newbie
 
Registered: Feb 2005
Posts: 26

Original Poster
Rep: Reputation: 15
After asking google for hours I made it to create a working command that looks like this:

ldapsearch -x -D "cn=Administrator,cn=Users,dc=company,dc=com" -W "sAMAccountName"


But authenticating is still not possible. Entering dmesg shows this line:

linux login: nss_ldap: could not search LDAP server - Operations error


And here's some additional output from /var/log/secure

Feb 9 08:48:31 linux login: nss_ldap: could not search LDAP server - Operations error
Feb 9 08:48:34 linux last message repeated 11 times
Feb 9 08:48:34 linux login(pam_unix)[26124]: check pass; user unknown
Feb 9 08:48:34 linux login(pam_unix)[26124]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 9 08:48:34 linux login[26124]: pam_ldap: ldap_search_s Operations error
Feb 9 08:48:36 linux login[26124]: FAILED LOGIN 1 FROM (null) FOR test2, Authentication failure



Any ideas about that?

Last edited by alex r; 02-09-2005 at 03:31 AM.
 
Old 02-09-2005, 07:52 AM   #7
Brian Knoblauch
Member
 
Registered: Jan 2005
Distribution: OpenSuse Tumbleweed
Posts: 288

Rep: Reputation: 39
Quote:
Originally posted by alex r
Running in native 2003 mode. That 2003 mode is compatible to the ldap, isn't it?
It may not be. 2003 native mode doesn't even use the same ports as 2000. I ran into this problem trying to get Mac OS X to talk to our Active Directory. Lots of people are doing it, but they all are int 2000 mode. I'm in 2003 native and can't get it going. Many hours of research have lead to the discovery of significant differences. Whether or not that carries over to Linux as well, I can't say for sure.
 
Old 02-09-2005, 11:25 AM   #8
enigmasoldier
Member
 
Registered: Jul 2003
Location: Florence, Ky
Distribution: CentOS 3.3-4, OpenBSD 3.3, Fedora Core 4, Ubuntu, Novell Open Enterprise Server
Posts: 213

Rep: Reputation: 30
So you know, Active Directory IS AN LDAP implimentation by MS.

I included a links to a tutorials that will help

External Link:
http://www.microsoft.com/windowsserv.../ldapcomp.mspx
http://www.nwc.com/showArticle.jhtml?articleID=55301455 This is a great 3 page article detailing exactly what you need to do to get this working
http://sadms.sourceforge.net/en/index.html this looks promising.

Last edited by enigmasoldier; 02-09-2005 at 11:26 AM.
 
Old 02-11-2005, 12:02 AM   #9
alex r
LQ Newbie
 
Registered: Feb 2005
Posts: 26

Original Poster
Rep: Reputation: 15
Thanks for the articles, that was very kind of of you. I found out what the problem was.
I had to create a user with permissions to access user data on the AD (this user is called 'ldapuser' in my configuration).
Then adding a line to /etc/ldap.conf that looks like:

binddn "cn=ldapuser,cn=users,dn=company,dn=com"
bindpw MyNonSecretPassword

Of course the command in my previous post worked because the 'test2' user had access to ldap.
By the way, if you don't activate Kerberos in the authconfig menu, all of your passwords will be tranferred in plain text over the network. Just a thing to remember...


Anyway, I'm now facing a new problem:

Feb 11 04:46:58 linux login(pam_unix)[789]: check pass; user unknown
Feb 11 04:46:58 linux login(pam_unix)[789]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 11 04:47:00 linux login[789]: pam_krb5[789]: authentication succeeds for 'alex' (alex@company.com)
Feb 11 04:47:02 linux login(pam_unix)[789]: session opened for user alex
by LOGIN(uid=0)
Feb 11 04:47:02 linux -- alex[789]: LOGIN ON tty1 BY alex
Feb 11 04:47:02 linux login(pam_unix)[789]: session closed for user alex
Feb 11 04:47:02 linux init: open(/dev/pts/0): No such file or directory


Did you see it? Login and immediately logout. Any ideas about that?

Last edited by alex r; 02-11-2005 at 12:14 AM.
 
Old 02-13-2005, 10:05 PM   #10
alex r
LQ Newbie
 
Registered: Feb 2005
Posts: 26

Original Poster
Rep: Reputation: 15
Well, this problem's getting more and more weird. With some users the error described in the message above does not happen. But when I create a new user and try to log on, this will happen:

Feb 11 09:50:25 linux login(pam_unix)[1759]: check pass; user unknown
Feb 11 09:50:25 linux login(pam_unix)[1759]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error resolving user name 'labuser' to uid/gid pair
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error getting information about 'labuser'
Feb 11 09:50:25 linux login(pam_unix)[1759]: could not identify user (from getpwnam(labuser))
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error resolving user name 'labuser' to uid/gid pair
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error getting information about 'labuser'
Feb 11 09:50:25 linux login[1759]: User not known to the underlying authentication module
Feb 11 09:50:25 linux init: open(/dev/pts/0): No such file or directory


Again: any ideas?
 
Old 02-13-2005, 10:11 PM   #11
musicman_ace
Senior Member
 
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555

Rep: Reputation: 46
what release of kerberos is loaded? Is it heimdal or MIT's version?

My guess would be that authentication is failing cause it wants MIT's version 5.
 
Old 02-14-2005, 01:43 AM   #12
alex r
LQ Newbie
 
Registered: Feb 2005
Posts: 26

Original Poster
Rep: Reputation: 15
It's the MIT version 5 of Kerberos. Don't think it's because of the version because a 'kinit labuser' works perfectly. Also, another user 'test2' can authenticate but don't ask me what's that special with this user. I gave 'labuser' exactely the same permissions as 'test2' but that didn't help.
 
Old 02-16-2005, 03:38 AM   #13
alex r
LQ Newbie
 
Registered: Feb 2005
Posts: 26

Original Poster
Rep: Reputation: 15
Ok, the problem's solved. There was an error in the ldap.conf file I assume. I took that document from Microsoft http://www.microsoft.com/technet/its...w/01wsdsu.mspx and did everything step by step. Now it works.

But one problem follows another... AD users don't have a home directory. When I entered 'getent passwd' everything worked fine, first I saw the unix accounts then the ldap accounts. Now I don't see the ldap accounts anymore, only the ones that got saved from former logins. And these don't have a home directory. Logging in results in:

No directory !
Logging in with home = '/'.

But I remember that the accounts that got listed by getent had a proper home directory. Any ideas anyone?
 
Old 02-16-2005, 06:05 AM   #14
alex r
LQ Newbie
 
Registered: Feb 2005
Posts: 26

Original Poster
Rep: Reputation: 15
error found

ok, now this was a real annoying mistake! In ldap.conf there were these lines

nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute homeDirectory msSFU30HomeDirectory

wrongly written. I forgot to type 30 into the attribute. Very annoying!
After putting this line into /etc/pam.d/system-auth and /etc/pam.d/gdm

session optional /lib/security/$ISA/mkhomedir.so skel=/etc/skel umask=0022

it's now working. Also 'getent passwd' is now showing up data correctly
 
Old 02-16-2005, 07:57 AM   #15
musicman_ace
Senior Member
 
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555

Rep: Reputation: 46
Congrats. Now that you've went through all that, have you thought of writing a how-to? Possibly the LinuxQuestions Answer?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LDAP and Active Directory Ecalvam Linux - Networking 5 11-10-2005 08:53 AM
Postfix LDAP lookups with Active Directory paul_mat Linux - Networking 1 11-02-2005 08:44 PM
Active Directory, Kerberos, LDAP, PAM, and nsswitch PenguinPwrdBox Linux - Security 1 06-04-2005 09:56 PM
samba ldap winbindd kerberos with active directory errors xtrusion Linux - Software 0 03-21-2005 04:24 PM
migration from windows active directory to linux ldap spyghost Linux - Networking 1 08-01-2004 12:26 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 02:06 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration