Old 04-02-2009, 05:30 PM   #1
sbabcock23
Member
Registered: Aug 2006
Location: Mississauga, Ontario, Canada
Distribution: RHEL 5, CentOS 5
Posts: 64

Linux Authenticating against Windows 2003 Server: su error

Let's start with the setup:
box1: Red Hat 5.2
box2: Windows 2003 SP2 (NOT Windows 2003 R2)

root: local linux account
testuser: Windows AD Account
testuser2: Windows AD Account

I have set up authentication using ldap/kerberos so that I can authenticate users against my Windows Domain Server.

I can ssh and login to the box by either testuser, testuser2 or root.
If I login to root first I can su - testuser and that works too.

If I ssh to the box and login as testuser and then try to "su - " I get the following error:
su: pam_krb5[19014]: authentication fails for 'root' (root@DOMAIN.COM): User not known to the underlying authentication module (Client not found in Kerberos database)

If I try to su to another AD account (e.g. testuser2), I get a password failure (su: incorrect password). I do not see any errors in the secure log file. In the messages log file I see the following:
Apr 2 17:25:09 hugorhel5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 2 17:25:09 hugorhel5 last message repeated 3 times
Apr 2 17:25:09 hugorhel5 su: pam_krb5[19538]: authentication succeeds for 'testuser2' (testuser2@DOMAIN.COM)

in /var/log/audit/audit.log I see the following error too:
type=USER_AUTH msg=audit(1238714712.015:296): user pid=19538 uid=10000 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="testuser2" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 res=failed)'

I have not touched my PAM configuration. I used the GUI to enable ldap and kerberos authentication and thus my nsswitch.conf file looks like:
passwd: files ldap
shadow: files ldap
group: files ldap

So at the end of the day I can only login directly as a user but I cannot su to any other user if I am a user in AD. Any suggestions or ideas?

Old 04-04-2009, 01:57 AM   #2
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Hmm, so essentially you aren't able to authenticate to local accounts via su? Have you possibly tried a noddy local account as another combination of factors? I think that this has to be PAM related, and initially I'd think it should be something in the /etc/pam.d/su file, as it also seems su specific so far, and su appears to be directly hitting krb5, bypassing pam_unix. Having said that though, I can't see why that should be able to be incorrect, as it should be going via system-auth for generic authentication. What does the pam su file say?

Old 04-06-2009, 08:52 AM   #3
sbabcock23
Member (Original Poster)
Registered: Aug 2006
Location: Mississauga, Ontario, Canada
Distribution: RHEL 5, CentOS 5
Posts: 64

If you think PAM is hitting the krb authentication module and not hitting the pam_unix, why is it possible to su from a local account to a local account? Also, why is it NOT possible to su from an AD account to an AD account?

Thanks

Old 04-06-2009, 08:56 AM   #4
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Well, PAM uses a central system-auth file in conjunction with specific configuration for each service via an include or the stack module. So the config is partially common, partially specific. So what does /etc/pam.d/su say?

Old 04-07-2009, 03:36 PM   #5
sbabcock23
Member (Original Poster)
Registered: Aug 2006
Location: Mississauga, Ontario, Canada
Distribution: RHEL 5, CentOS 5
Posts: 64

If I login as a local user, I can su to any other local account fine and su to an ldap user (and then the fun stops). Once I get into an ldap user I can't su anymore.

My system-auth file looks like this:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_ldap.so



My su file looks like this:
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so


Any ideas? It seems like it should use system-auth.
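A toy model of how Linux-PAM walks the su and system-auth stacks posted above (an added example, not part of the thread and not Linux-PAM's own code; module results are constructed stand-ins, and the uids, groups and the ADMIN account are made up) shows why an AD caller outside wheel fails even though pam_krb5 logs success, and why the same su succeeds once the pam_wheel line is commented out again:

```python
# Added example (not from the thread, not Linux-PAM code): toy evaluator of Linux-PAM auth control flags
FILES = {
    "system-auth": """auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so""",
    "su": """auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth include system-auth""",   # as posted: the calling user must be in wheel
}
FILES["su-nowheel"] = FILES["su"].replace("auth required pam_wheel", "#auth required pam_wheel")  # wheel line commented out again
ROOT = {"uid": 0, "groups": ["root"], "source": "local"}  # constructed accounts: real uid, groups, password source
ADMIN = {"uid": 500, "groups": ["wheel"], "source": "local"}
TESTUSER = {"uid": 10000, "groups": ["domain users"], "source": "ad"}
TESTUSER2 = {"uid": 10001, "groups": ["domain users"], "source": "ad"}
# Constructed stand-ins for what each module returns (True = PAM_SUCCESS)
MODULES = {
    "pam_rootok.so": lambda c, t: c["uid"] == 0,
    "pam_wheel.so": lambda c, t: c["uid"] == 0 or "wheel" in c["groups"],  # use_uid: real caller
    "pam_env.so": lambda c, t: True,
    "pam_unix.so": lambda c, t: t["source"] == "local",  # shadow entry only for local users
    "pam_succeed_if.so": lambda c, t: t["uid"] >= 500,   # the posted 'uid >= 500' test
    "pam_krb5.so": lambda c, t: t["source"] == "ad",     # AD password assumed correct
    "pam_ldap.so": lambda c, t: t["source"] == "ad",
    "pam_deny.so": lambda c, t: False,
}

def auth_entries(service):  # (control, module) for a service's auth lines, expanding include
    for line in FILES[service].splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth":
            continue                  # blank, comment or non-auth line
        if parts[1] == "include":
            yield from auth_entries(parts[2])
        else:
            yield parts[1], parts[2]

def authenticate(service, caller, target):  # Linux-PAM control-flag semantics; True on success
    failed = False
    for control, module in auth_entries(service):
        ok = MODULES[module](caller, target)
        if control == "sufficient" and ok and not failed:
            return True               # short-circuits only if no 'required' has failed
        if control == "requisite" and not ok:
            return False              # stops the stack at once
        if control == "required" and not ok:
            failed = True             # remembered; later modules still run
    return not failed
```

With the posted file, authenticate("su", TESTUSER, TESTUSER2) runs pam_krb5 (which succeeds, as in the messages log) but still returns failure because the required pam_wheel check already failed; authenticate("su-nowheel", TESTUSER, TESTUSER2) succeeds.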

Old 04-08-2009, 02:10 PM   #6
sbabcock23
Member (Original Poster)
Registered: Aug 2006
Location: Mississauga, Ontario, Canada
Distribution: RHEL 5, CentOS 5
Posts: 64

I figured it out: it was the PAM su module that was modified without me knowing. Thanks for your help and guidance.

Old 04-08-2009, 02:26 PM   #7
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

I presume it was the wheel line? Sorry, I didn't get a chance to think about this today.