Linux - Software
This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Hello everybody!
I have a Windows 2003 server running and want to connect some Linux clients to it. The users of the Linux clients don't have their user accounts in the /etc/passwd and /etc/shadow files but in the Active Directory. So I installed the LDAP client to make authentication possible. After editing /etc/pam.d/system-auth, /etc/ldap.conf and /etc/nsswitch.conf (since I have Fedora Core 2 running I did everything with authconfig) I tried to log on with a user name I created on the Windows server. I got the error message: login incorrect. A look into /var/log/messages:
linux login(pam_unix) [2367]: check pass; user unknown
linux login(pam_unix) [2367]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
pam_ldap: error trying to bind (invalid credentials)
The user I tried to log on with has admin rights! Any idea what this can be?
Originally posted by musicman_ace: Is pam_krb5 loaded? You'll need Kerberos security to authenticate to a Windows domain. Not sure that LDAP itself would do that for you.
Yes, it is loaded and Kerberos authentication works. I tried it with e.g. kinit <username> or ksu <username>.
I think the problem is ldap. I enter the command ' ldapsearch -x "" ' and get an output like:
# base <> with scope sub
# filter: (objectclass=*)
# requesting:
But authenticating is still not possible. Entering dmesg shows this line:
linux login: nss_ldap: could not search LDAP server - Operations error
And here's some additional output from /var/log/secure
Feb 9 08:48:31 linux login: nss_ldap: could not search LDAP server - Operations error
Feb 9 08:48:34 linux last message repeated 11 times
Feb 9 08:48:34 linux login(pam_unix)[26124]: check pass; user unknown
Feb 9 08:48:34 linux login(pam_unix)[26124]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 9 08:48:34 linux login[26124]: pam_ldap: ldap_search_s Operations error
Feb 9 08:48:36 linux login[26124]: FAILED LOGIN 1 FROM (null) FOR test2, Authentication failure
Originally posted by alex r: Running in native 2003 mode. That 2003 mode is compatible with LDAP, isn't it?
It may not be. 2003 native mode doesn't even use the same ports as 2000. I ran into this problem trying to get Mac OS X to talk to our Active Directory. Lots of people are doing it, but they are all in 2000 mode. I'm in 2003 native and can't get it going. Many hours of research have led to the discovery of significant differences. Whether or not that carries over to Linux as well, I can't say for sure.
Thanks for the articles, that was very kind of you. I found out what the problem was.
I had to create a user with permissions to access user data on the AD (this user is called 'ldapuser' in my configuration).
Then adding a line to /etc/ldap.conf that looks like:
Of course the command in my previous post worked because the 'test2' user had access to ldap.
By the way, if you don't activate Kerberos in the authconfig menu, all of your passwords will be transferred in plain text over the network. Just a thing to remember...
Anyway, I'm now facing a new problem:
Feb 11 04:46:58 linux login(pam_unix)[789]: check pass; user unknown
Feb 11 04:46:58 linux login(pam_unix)[789]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 11 04:47:00 linux login[789]: pam_krb5[789]: authentication succeeds for 'alex' (alex@company.com)
Feb 11 04:47:02 linux login(pam_unix)[789]: session opened for user alex by LOGIN(uid=0)
Feb 11 04:47:02 linux -- alex[789]: LOGIN ON tty1 BY alex
Feb 11 04:47:02 linux login(pam_unix)[789]: session closed for user alex
Feb 11 04:47:02 linux init: open(/dev/pts/0): No such file or directory
Did you see it? Login and immediately logout. Any ideas about that?
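The log lines quoted in the posts above, and the binddn fix described in this post, are the kind of thing a practitioner wants to check mechanically. The script below is an added example written for this thread; it is not code posted by anyone in it. It maps the /var/log/secure symptoms to the layer that produced them (pam_unix, the pam_ldap bind, the LDAP search, NSS identity mapping, pam_krb5, the home directory) so the noisy "user unknown" lines from pam_unix stop looking like the cause, and it inspects a PADL-style /etc/ldap.conf for the settings that matter against Active Directory: a bind DN (AD answers an unauthenticated search with result code 1, "Operations error"), TLS (otherwise the bindpw of the lookup account goes over the wire in the clear on every NSS query), and file mode (a bindpw in a world-readable file is visible to every local user). The tag names, hint text, sample log lines and sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example for the thread above, not code posted by anyone in it.
# Assumed: syslog-style input on stdin, a PADL nss_ldap/pam_ldap /etc/ldap.conf.

# triage_login_log: read login/syslog lines on stdin, print one tag per
# recognised symptom, sorted and de-duplicated.
triage_login_log() {
    awk '
    /pam_unix.*check pass; user unknown/                        { t["PAM_UNIX_NOT_LOCAL"] = 1 }
    /pam_ldap: error trying to bind \(invalid credentials\)/    { t["BIND_CREDENTIALS"] = 1 }
    /nss_ldap: could not search LDAP server - Operations error/ { t["SEARCH_REFUSED"] = 1 }
    /pam_ldap: ldap_search_s Operations error/                  { t["SEARCH_REFUSED"] = 1 }
    /error resolving user name .* to uid\/gid pair/             { t["NSS_NO_POSIX_IDENTITY"] = 1 }
    /could not identify user \(from getpwnam/                   { t["NSS_NO_POSIX_IDENTITY"] = 1 }
    /pam_krb5.*authentication succeeds/                         { t["KRB5_OK"] = 1 }
    # remember the timestamp of "session opened"; a "session closed" with the
    # same timestamp means the login shell exited at once
    /session opened for user/                                   { opened = $1 " " $2 " " $3 }
    /session closed for user/ && opened == $1 " " $2 " " $3     { t["SESSION_CLOSED_IMMEDIATELY"] = 1 }
    /Logging in with home = /                                   { t["HOME_MISSING"] = 1 }
    END { for (k in t) print k }
    ' | LC_ALL=C sort
}

# explain_tag: one-line hint per tag, pointing at the file to look at first.
explain_tag() {
    case $1 in
    PAM_UNIX_NOT_LOCAL)         echo "pam_unix only knows /etc/passwd; 'user unknown' is expected for directory users and is not the failure" ;;
    BIND_CREDENTIALS)           echo "the DN/password pam_ldap bound with was rejected; check binddn/bindpw in /etc/ldap.conf" ;;
    SEARCH_REFUSED)             echo "AD answered the search with Operations error, which it does when no successful bind precedes it; set binddn/bindpw to a read-only lookup account" ;;
    NSS_NO_POSIX_IDENTITY)      echo "Kerberos accepted the password but getpwnam() failed; check the nss_ldap attribute mapping in /etc/ldap.conf and that the AD object carries the uid/gid attributes it maps" ;;
    KRB5_OK)                    echo "pam_krb5 verified the password against the KDC; remaining failures are on the NSS/session side" ;;
    SESSION_CLOSED_IMMEDIATELY) echo "the session closed in the same second it opened; verify the login shell and home directory the directory returns exist on this client" ;;
    HOME_MISSING)               echo "login fell back to home='/' because the directory does not exist locally; create it, e.g. with pam_mkhomedir in the session stack" ;;
    *)                          echo "unknown tag $1" ;;
    esac
}

# triage: stdin log lines -> "TAG: hint" lines.
triage() {
    triage_login_log | while read -r tag; do
        printf '%s: %s\n' "$tag" "$(explain_tag "$tag")"
    done
}

# check_ldap_conf FILE: print a finding per weak or missing setting.
check_ldap_conf() {
    # AD refuses anonymous searches, so a bind DN is not optional here.
    grep -Eq '^[[:space:]]*binddn[[:space:]]' "$1" || echo "NO_BINDDN"
    # bindpw is cleartext in the file; every local user can read it if o+r.
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$1" && [ -n "$(find "$1" -perm -004)" ]; then
        echo "BINDPW_WORLD_READABLE"
    fi
    # Without TLS the simple bind sends bindpw in the clear on every lookup.
    grep -Eq '^[[:space:]]*ssl[[:space:]]+(on|start_tls)' "$1" || echo "NO_TLS"
}

# sample_log: constructed lines modelled on the ones quoted in the thread.
sample_log() {
    cat <<'EOF'
Feb  9 08:48:31 linux login: nss_ldap: could not search LDAP server - Operations error
Feb  9 08:48:34 linux login(pam_unix)[26124]: check pass; user unknown
Feb  9 08:48:34 linux login[26124]: pam_ldap: ldap_search_s Operations error
Feb 11 04:47:00 linux login[789]: pam_krb5[789]: authentication succeeds for 'alex' (alex@company.com)
Feb 11 04:47:02 linux login(pam_unix)[789]: session opened for user alex by LOGIN(uid=0)
Feb 11 04:47:02 linux login(pam_unix)[789]: session closed for user alex
EOF
}

# Usage: sample_log | triage ; check_ldap_conf /etc/ldap.conf
```

Because nss_ldap performs lookups on behalf of every process on the box, the bindpw in /etc/ldap.conf usually has to stay readable by all users; the mitigation is not the file mode but the account itself: a dedicated read-only lookup account like the poster's 'ldapuser', never a domain administrator, and TLS so that account's password is not broadcast on the LAN. Binding with GSSAPI instead of a stored password is another route the check above does not cover.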
Well, this problem's getting more and more weird. With some users the error described in the message above does not happen. But when I create a new user and try to log on, this will happen:
Feb 11 09:50:25 linux login(pam_unix)[1759]: check pass; user unknown
Feb 11 09:50:25 linux login(pam_unix)[1759]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error resolving user name 'labuser' to uid/gid pair
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error getting information about 'labuser'
Feb 11 09:50:25 linux login(pam_unix)[1759]: could not identify user (from getpwnam(labuser))
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error resolving user name 'labuser' to uid/gid pair
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error getting information about 'labuser'
Feb 11 09:50:25 linux login[1759]: User not known to the underlying authentication module
Feb 11 09:50:25 linux init: open(/dev/pts/0): No such file or directory
It's the MIT version 5 of Kerberos. I don't think it's because of the version, because a 'kinit labuser' works perfectly. Also, another user 'test2' can authenticate, but don't ask me what's so special about this user. I gave 'labuser' exactly the same permissions as 'test2' but that didn't help.
Ok, the problem's solved. There was an error in the ldap.conf file I assume. I took that document from Microsoft http://www.microsoft.com/technet/its...w/01wsdsu.mspx and did everything step by step. Now it works.
But one problem follows another... AD users don't have a home directory. When I entered 'getent passwd' everything worked fine: first I saw the Unix accounts, then the LDAP accounts. Now I don't see the LDAP accounts anymore, only the ones that got saved from former logins. And these don't have a home directory. Logging in results in:
No directory !
Logging in with home = '/'.
But I remember that the accounts that got listed by getent had a proper home directory. Any ideas anyone?
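The "No directory !" / "Logging in with home = '/'" pair means login could not chdir into the home directory path the account's directory entry returns, because nothing on the client ever created it (useradd never ran for a directory user). The usual answer is pam_mkhomedir in the session stack of /etc/pam.d/system-auth. The script below is an added example for this post, not something from the thread: it reports whether a given system-auth already creates home directories and emits a corrected copy, idempotently, with the module placed before pam_unix's session entry. The module path, the skel= and umask= options, and the sample system-auth are assumptions modelled on an authconfig-generated Fedora Core 2 file, not copied from the poster.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumed: Linux-PAM with
# pam_mkhomedir.so installed under /lib/security/$ISA (as on Fedora Core 2).

# umask=0077 gives each new home directory mode 0700 (least privilege);
# skel=/etc/skel seeds it like useradd would.
MKHOMEDIR_LINE='session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077'

# has_mkhomedir FILE: true if a session entry already loads pam_mkhomedir.
has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# add_mkhomedir FILE: print FILE with pam_mkhomedir inserted before the first
# "session ... pam_unix.so" line; prints FILE unchanged if it is already there,
# appends at the end if no pam_unix session line exists.
add_mkhomedir() {
    awk -v line="$MKHOMEDIR_LINE" '
    /pam_mkhomedir\.so/ { have = 1 }
    { buf[NR] = $0 }
    END {
        if (have) { for (i = 1; i <= NR; i++) print buf[i]; exit }
        for (i = 1; i <= NR; i++) {
            if (!done && buf[i] ~ /^[[:space:]]*session[[:space:]]/ && buf[i] ~ /pam_unix\.so/) {
                print line; done = 1
            }
            print buf[i]
        }
        if (!done) print line
    }' "$1"
}

# sample_system_auth: constructed, abbreviated system-auth in the shape
# authconfig writes when LDAP and Kerberos are both enabled.
sample_system_auth() {
    cat <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
session     optional      /lib/security/$ISA/pam_ldap.so
EOF
}

# Usage: add_mkhomedir /etc/pam.d/system-auth > /tmp/system-auth.new && diff -u /etc/pam.d/system-auth /tmp/system-auth.new
```

Two caveats before dropping the new file into place. pam_mkhomedir runs as root and creates whatever path NSS hands it, so the home-directory attribute your nss_ldap mapping uses must actually be populated for each AD user and point where you expect, under /home or a similar tree. And this addresses only the missing directory; the separate observation that 'getent passwd' no longer enumerates the LDAP accounts is an NSS enumeration question that this change does not touch.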