Linux Authenticating against Windows 2003 Server: su error
Let's start with the setup:
box1: Red Hat 5.2
box2: Windows 2003 SP2 (NOT Windows 2003 R2)
root: local linux account
testuser: Windows AD Account
testuser2: Windows AD Account
I have set up authentication using ldap/kerberos so that I can authenticate users against my Windows Domain Server.
I can ssh and login to the box by either testuser, testuser2 or root.
If I login to root first I can su - testuser and that works too.
If I ssh to the box and login as testuser and then try to "su - " I get the following error:
su: pam_krb5[19014]: authentication fails for 'root' (root@DOMAIN.COM): User not known to the underlying authentication module (Client not found in Kerberos database)
If I try to su to another AD account (ex. testuser2), I get a password failure (su: incorrect password). I do not see any errors in the secure log file. In the messages log file I see the following:
Apr 2 17:25:09 hugorhel5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 2 17:25:09 hugorhel5 last message repeated 3 times
Apr 2 17:25:09 hugorhel5 su: pam_krb5[19538]: authentication succeeds for 'testuser2' (testuser2@DOMAIN.COM)
In /var/log/audit/audit.log I see the following error too:
type=USER_AUTH msg=audit(1238714712.015:296): user pid=19538 uid=10000 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="testuser2" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 res=failed)'
I have not touched my PAM configuration. I used the GUI to enable ldap and kerberos authentication and thus my nsswitch.conf file looks like:
passwd: files ldap
shadow: files ldap
group: files ldap
So at the end of the day I can only log in directly as a user, but I cannot su to any other user if I am a user in AD. Any suggestions or ideas?
Hmm, so essentially you aren't able to authenticate to local accounts via su? Have you possibly tried a noddy local account as another combination of factors? I think that this has to be PAM related, and initially I'd think it should be something in the /etc/pam.d/su file, as it also seems su specific so far, and su appears to be directly hitting krb5, bypassing pam_unix. Having said that though, I can't see why that should be able to be incorrect, as it should be going via system-auth for generic authentication. What does the pam su file say?
If you think PAM is hitting the krb authentication module and not hitting the pam_unix, why is it possible to su from a local account to a local account? Also, why is it NOT possible to su from an AD account to an AD account?
Well, pam uses a central system-auth file in conjunction with specific configuration for each service via an include or the stack module. So the config is partially common, partially specific. So what does /etc/pam.d/su say?
If I log in as a local user, I can su to any other local account fine and su to an ldap user (and then the fun stops). Once I get into an ldap user I can't su anymore.
My su file looks like this:
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
Any ideas? It seems like it should use system-auth.
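To make the control-flag semantics of the su stack above concrete, here is an added simulator (not the poster's code, and not part of the thread) that walks the three auth lines of the quoted /etc/pam.d/su and reports which module decides each su attempt. It models pam_rootok.so (succeeds only for a calling process with real uid 0), pam_wheel.so with use_uid (decides on the caller's real uid; without root_only the wheel check applies to every su target, not only root), and the included system-auth stack as a plain password check standing in for pam_unix/pam_krb5. The uids, wheel membership and passwords are constructed assumptions: one local admin account placed in wheel, the two AD accounts not in it. A required module that fails does not stop the stack, so the password modules still run and can succeed while su is ultimately refused, which is the combination of a successful pam_krb5 log line and an "incorrect password" result.

```python
"""Simulate the auth facility of the /etc/pam.d/su stack quoted in the thread.
Added example; the data below are constructed stand-ins, not the poster's system."""

# The auth lines from the quoted /etc/pam.d/su (other facilities omitted).
PAM_SU_AUTH = """
auth sufficient pam_rootok.so
auth required   pam_wheel.so use_uid
auth include    system-auth
"""

# Constructed assumptions: the local admin is in wheel, the AD accounts are not.
UIDS = {"root": 0, "localadmin": 500, "testuser": 10000, "testuser2": 10001}
WHEEL = {"localadmin"}
PASSWORDS = {"root": "root-pw", "localadmin": "local-pw",
             "testuser": "ad-pw-1", "testuser2": "ad-pw-2"}


def parse_stack(text, facility="auth"):
    """Return [(control, module, options)] for one PAM facility, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == facility:
            rules.append((fields[1], fields[2], fields[3:]))
    return rules


def run_module(module, options, invoker, target, password):
    """Return True (PAM_SUCCESS), False (failure) or None (PAM_IGNORE)."""
    if module == "pam_rootok.so":
        # succeeds only when the calling process has real uid 0
        return UIDS[invoker] == 0
    if module == "pam_wheel.so":
        # root_only limits the check to su-to-root; without it every target is checked
        if "root_only" in options and UIDS[target] != 0:
            return None
        # use_uid: the decision is made on the caller's real uid, not getlogin()
        return invoker in WHEEL
    if module == "system-auth":
        # stand-in for the included stack (pam_unix / pam_krb5 password check)
        return PASSWORDS.get(target) == password
    raise ValueError("unknown module " + module)


def su_auth(invoker, target, password=None, stack=PAM_SU_AUTH):
    """Evaluate the auth stack; return (allowed, deciding_module).

    sufficient: success ends the stack (unless a required module already failed);
    required:   failure is remembered but the remaining modules still run;
    requisite:  failure ends the stack immediately;
    include:    treated here like required for the single stand-in module.
    """
    first_failure = None
    for control, module, options in parse_stack(stack):
        result = run_module(module, options, invoker, target, password)
        if result is None:
            continue
        if control == "sufficient":
            if result and first_failure is None:
                return True, module
        elif control in ("required", "include"):
            if not result and first_failure is None:
                first_failure = module
        elif control == "requisite":
            if not result:
                return False, module
        else:
            raise ValueError("unsupported control " + control)
    if first_failure:
        return False, first_failure
    return True, "stack"


if __name__ == "__main__":
    # The four situations described in the thread, with the constructed passwords.
    for inv, tgt, pw in [("root", "testuser", None),
                         ("testuser", "root", "root-pw"),
                         ("testuser", "testuser2", "ad-pw-2"),
                         ("localadmin", "testuser", "ad-pw-1")]:
        print(f"{inv} -> {tgt}: {su_auth(inv, tgt, pw)}")
```

Running it shows root reaching testuser through pam_rootok.so, the local wheel member reaching an AD account through the password check, and both AD-originated attempts being refused by pam_wheel.so even though the password stand-in succeeds; dropping the pam_wheel line from the stack (as the commented default in the thread's file does) lets the AD-to-AD case through on the password alone.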