02-08-2005, 05:55 AM, #1
LQ Newbie (Registered: Feb 2005, Posts: 26)
Active Directory vs LDAP
Hello everybody!
I have a Windows 2003 server running and want to connect some Linux clients to it. The users of the Linux clients don't have their user accounts in the /etc/passwd and /etc/shadow files but in the Active Directory. So I installed the LDAP client to make authentication possible. After editing /etc/pam.d/system-auth, /etc/ldap.conf and /etc/nsswitch.conf (since I have Fedora Core 2 running I did everything with authconfig) I tried to log on with a user name I created on the Windows server. I got the error message: login incorrect. A look into /var/log/messages:
linux login(pam_unix) [2367]: check pass; user unknown
linux login(pam_unix) [2367]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
pam_ldap: error trying to bind (invalid credentials)
The user I tried to log on with has admin rights! Any idea what this can be?
Thanks!
Alex
02-08-2005, 06:12 AM, #2
Senior Member (Registered: May 2001, Location: Indiana, Distribution: Gentoo, Debian, RHEL, Slack, Posts: 1,555)
Is pam_krb5 loaded? You'll need Kerberos security to authenticate to a Windows domain. Not sure that LDAP itself would do that for you.
02-08-2005, 06:35 AM, #3
LQ Newbie, Original Poster (Registered: Feb 2005, Posts: 26)
Quote:
Originally posted by musicman_ace
Is pam_krb5 loaded? You'll need Kerberos security to authenticate to a Windows domain. Not sure that LDAP itself would do that for you.
Yes, it is loaded and Kerberos authentication works. I tried it with e.g. kinit <username> or ksu <username>.
I think the problem is ldap. I enter the command ' ldapsearch -x "" ' and get an output like:
# base <> with scope sub
# filter: (objectclass =*)
# requesting:
result: 1 operations error
text: 00000000: Ldap Err: DSID-0C090SFF
[...]
same with the command ' ldapsearch -x '. Any idea what this could be?
02-08-2005, 10:49 AM, #4
Member (Registered: Jan 2005, Distribution: OpenSuse Tumbleweed, Posts: 288)
Running Active Directory in 2000/NT compatibility mode, or native 2003 mode?
02-08-2005, 09:50 PM, #5
LQ Newbie, Original Poster (Registered: Feb 2005, Posts: 26)
Running in native 2003 mode. That 2003 mode is compatible with LDAP, isn't it?
02-09-2005, 12:58 AM, #6
LQ Newbie, Original Poster (Registered: Feb 2005, Posts: 26)
After asking Google for hours I managed to create a working command that looks like this:
ldapsearch -x -D "cn=Administrator,cn=Users,dc=company,dc=com" -W "sAMAccountName"
But authenticating is still not possible. Entering dmesg shows this line:
linux login: nss_ldap: could not search LDAP server - Operations error
And here's some additional output from /var/log/secure
Feb 9 08:48:31 linux login: nss_ldap: could not search LDAP server - Operations error
Feb 9 08:48:34 linux last message repeated 11 times
Feb 9 08:48:34 linux login(pam_unix)[26124]: check pass; user unknown
Feb 9 08:48:34 linux login(pam_unix)[26124]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 9 08:48:34 linux login[26124]: pam_ldap: ldap_search_s Operations error
Feb 9 08:48:36 linux login[26124]: FAILED LOGIN 1 FROM (null) FOR test2, Authentication failure
Any ideas about that?
Last edited by alex r; 02-09-2005 at 03:31 AM.
02-09-2005, 07:52 AM, #7
Member (Registered: Jan 2005, Distribution: OpenSuse Tumbleweed, Posts: 288)
Quote:
Originally posted by alex r
Running in native 2003 mode. That 2003 mode is compatible with LDAP, isn't it?
It may not be. 2003 native mode doesn't even use the same ports as 2000. I ran into this problem trying to get Mac OS X to talk to our Active Directory. Lots of people are doing it, but they are all in 2000 mode. I'm in 2003 native and can't get it going. Many hours of research have led to the discovery of significant differences. Whether or not that carries over to Linux as well, I can't say for sure.
02-11-2005, 12:02 AM, #9
LQ Newbie, Original Poster (Registered: Feb 2005, Posts: 26)
Thanks for the articles, that was very kind of you. I found out what the problem was.
I had to create a user with permissions to access user data on the AD (this user is called 'ldapuser' in my configuration).
Then adding a line to /etc/ldap.conf that looks like:
binddn "cn=ldapuser,cn=users,dc=company,dc=com"
bindpw MyNonSecretPassword
Of course the command in my previous post worked because the 'test2' user had access to ldap.
By the way, if you don't activate Kerberos in the authconfig menu, all of your passwords will be transferred in plain text over the network. Just a thing to remember...
Anyway, I'm now facing a new problem:
Feb 11 04:46:58 linux login(pam_unix)[789]: check pass; user unknown
Feb 11 04:46:58 linux login(pam_unix)[789]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 11 04:47:00 linux login[789]: pam_krb5[789]: authentication succeeds for 'alex' (alex@company.com)
Feb 11 04:47:02 linux login(pam_unix)[789]: session opened for user alex by LOGIN(uid=0)
Feb 11 04:47:02 linux -- alex[789]: LOGIN ON tty1 BY alex
Feb 11 04:47:02 linux login(pam_unix)[789]: session closed for user alex
Feb 11 04:47:02 linux init: open(/dev/pts/0): No such file or directory
Did you see it? Login and immediately logout. Any ideas about that?
Last edited by alex r; 02-11-2005 at 12:14 AM.
02-13-2005, 10:05 PM, #10
LQ Newbie, Original Poster (Registered: Feb 2005, Posts: 26)
Well, this problem's getting more and more weird. With some users the error described in the message above does not happen. But when I create a new user and try to log on, this will happen:
Feb 11 09:50:25 linux login(pam_unix)[1759]: check pass; user unknown
Feb 11 09:50:25 linux login(pam_unix)[1759]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error resolving user name 'labuser' to uid/gid pair
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error getting information about 'labuser'
Feb 11 09:50:25 linux login(pam_unix)[1759]: could not identify user (from getpwnam(labuser))
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error resolving user name 'labuser' to uid/gid pair
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error getting information about 'labuser'
Feb 11 09:50:25 linux login[1759]: User not known to the underlying authentication module
Feb 11 09:50:25 linux init: open(/dev/pts/0): No such file or directory
Again: any ideas? 
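The failure patterns quoted across these posts (bind rejected, search denied, NSS lookup failure, and the login-then-immediate-logout in #9) can be picked out of /var/log/secure mechanically. This is an added example, not code from the thread; the log lines in it are constructed from the ones posted above:

```python
# Added example (not from the thread): triage the PAM / nss_ldap / pam_krb5 messages
# quoted in these posts and name the likely misconfiguration behind each one.
import re
from datetime import datetime

# Constructed sample, modelled on the /var/log/secure lines posted above.
SAMPLE_LOG = """\
Feb 9 08:48:31 linux login: nss_ldap: could not search LDAP server - Operations error
Feb 9 08:48:34 linux login[26124]: pam_ldap: ldap_search_s Operations error
Feb 11 04:47:00 linux login[789]: pam_krb5[789]: authentication succeeds for 'alex' (alex@company.com)
Feb 11 04:47:02 linux login(pam_unix)[789]: session opened for user alex by LOGIN(uid=0)
Feb 11 04:47:02 linux login(pam_unix)[789]: session closed for user alex
Feb 11 09:50:25 linux login[1759]: pam_krb5[1759]: error resolving user name 'labuser' to uid/gid pair
Feb 11 09:50:25 linux login(pam_unix)[1759]: could not identify user (from getpwnam(labuser))
"""

# syslog prefix: "<timestamp> <host> <program>[<pid>]: <message>" (the pid is optional)
_LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ ([^\[:]+)(?:\[(\d+)\])?: (.*)$")

# (pattern on the message part, tag, what to check); the first matching rule wins per line.
RULES = [
    (re.compile(r"pam_ldap: error trying to bind \(invalid credentials\)"),
     "ldap-bind-failed", "binddn/bindpw in /etc/ldap.conf rejected by the directory"),
    (re.compile(r"(could not search LDAP server|ldap_search_s) .*Operations error"),
     "ldap-search-denied", "AD refused the lookup; bind with a dedicated read-only account"),
    (re.compile(r"error resolving user name '\S+' to uid/gid pair|could not identify user \(from getpwnam"),
     "nss-lookup-failed", "user not resolvable through NSS; check the nss_map_attribute names"),
]

def triage(log_text, max_gap_seconds=2):
    """Return (pid, tag, hint) findings, including a session closed right after it opened."""
    findings, opened = [], {}
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
        pid, msg = m.group(3), m.group(4)
        for pat, tag, hint in RULES:
            if pat.search(msg):
                findings.append((pid, tag, hint))
                break
        if msg.startswith("session opened for user "):
            opened[pid] = ts
        elif msg.startswith("session closed for user ") and pid in opened:
            gap = (ts - opened.pop(pid)).total_seconds()
            if gap <= max_gap_seconds:  # logged in and straight back out, as in post #9
                findings.append((pid, "immediate-logout", "%s logged out %ds after login; "
                                 "check homeDirectory/loginShell" % (msg.split()[4], gap)))
    return findings
```

Feed it the real file with `triage(open("/var/log/secure").read())`; lines that match no rule (for example pam_unix's own "user unknown", which is expected for a directory user) are ignored.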
02-13-2005, 10:11 PM, #11
Senior Member (Registered: May 2001, Location: Indiana, Distribution: Gentoo, Debian, RHEL, Slack, Posts: 1,555)
What release of Kerberos is loaded? Is it Heimdal or MIT's version?
My guess would be that authentication is failing cause it wants MIT's version 5.
02-14-2005, 01:43 AM, #12
LQ Newbie, Original Poster (Registered: Feb 2005, Posts: 26)
It's the MIT version 5 of Kerberos. I don't think it's because of the version, because a 'kinit labuser' works perfectly. Also, another user 'test2' can authenticate, but don't ask me what's so special about this user. I gave 'labuser' exactly the same permissions as 'test2' but that didn't help.
02-16-2005, 03:38 AM, #13
LQ Newbie, Original Poster (Registered: Feb 2005, Posts: 26)
OK, the problem's solved. There was an error in the ldap.conf file, I assume. I took this document from Microsoft http://www.microsoft.com/technet/its...w/01wsdsu.mspx and did everything step by step. Now it works.
But one problem follows another... AD users don't have a home directory. When I entered 'getent passwd' everything worked fine: first I saw the Unix accounts, then the LDAP accounts. Now I don't see the LDAP accounts anymore, only the ones that got saved from former logins. And these don't have a home directory. Logging in results in:
No directory !
Logging in with home = '/'.
But I remember that the accounts that got listed by getent had a proper home directory. Any ideas anyone?
02-16-2005, 06:05 AM, #14
LQ Newbie, Original Poster (Registered: Feb 2005, Posts: 26)
Error found
OK, now this was a really annoying mistake! In ldap.conf there were these lines
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute homeDirectory msSFU30HomeDirectory
written wrongly: I forgot to type the 30 into the attribute name. Very annoying!
After putting this line into /etc/pam.d/system-auth and /etc/pam.d/gdm
session optional /lib/security/$ISA/mkhomedir.so skel=/etc/skel umask=0022
it's now working. Also 'getent passwd' is now showing the data correctly.
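The three ldap.conf mistakes this thread walks through (the bindpw for 'ldapuser' sitting in a file every local user can read, as in #9; the simple bind travelling in clear text without Kerberos or TLS, as warned in #9; and an msSFU attribute name missing its '30', as found here) can be caught before the next login attempt. This is an added example, not code from the thread or from the nss_ldap/pam_ldap projects; the `rootbinddn`/`/etc/ldap.secret` and `ssl` directives it mentions are the ones those modules document, and the sample file is constructed:

```python
# Added example (not from the thread or from nss_ldap/pam_ldap): audit an ldap.conf for the
# problems discussed here: a bindpw readable by every local user, a simple bind that crosses
# the network in clear text, and SFU attribute names missing the '30'.
import os
import stat

# Constructed sample in the style of the ldap.conf lines posted above (with one typo).
SAMPLE_CONF = """\
host ldap.company.com
base dc=company,dc=com
binddn "cn=ldapuser,cn=users,dc=company,dc=com"
bindpw MyNonSecretPassword
nss_map_attribute loginShell msSFULoginShell
nss_map_attribute homeDirectory msSFU30HomeDirectory
"""

def parse(text):
    """Return {directive: [values]} in file order, ignoring comments and blank lines."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        values.setdefault(parts[0].lower(), []).append(value)
    return values

def audit(text, mode):
    """Audit ldap.conf contents given the file's st_mode; returns a list of findings."""
    values, findings = parse(text), []
    # nss_ldap reads ldap.conf as every user, so a bindpw here is readable by all of them;
    # the rootbinddn directive keeps the secret in root-only /etc/ldap.secret instead.
    if "bindpw" in values and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("bindpw in a group/world-readable file; use rootbinddn with /etc/ldap.secret")
    if values.get("ssl", ["off"])[-1].lower() not in ("on", "start_tls"):
        findings.append("no 'ssl start_tls'/'ssl on': the simple bind (and bindpw) crosses the network in clear text")
    for mapping in values.get("nss_map_attribute", []):
        local, remote = (mapping.split() + ["", ""])[:2]
        if remote.startswith("msSFU") and not remote.startswith("msSFU30"):
            findings.append("nss_map_attribute %s -> %s: SFU 3.0 attributes start with msSFU30" % (local, remote))
    return findings

def audit_file(path):
    """Convenience wrapper for a real file, e.g. audit_file('/etc/ldap.conf')."""
    with open(path) as fh:
        return audit(fh.read(), os.stat(path).st_mode)
```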
02-16-2005, 07:57 AM, #15
Senior Member (Registered: May 2001, Location: Indiana, Distribution: Gentoo, Debian, RHEL, Slack, Posts: 1,555)
Congrats. Now that you've gone through all that, have you thought of writing a how-to? Possibly the LinuxQuestions Answer?