Authenticate against AD: Access denied when "User must change password at next logon" is set
Kenneth Holter
kenneho.ndu at gmail.com
Mon Jul 25 08:05:44 UTC 2011
Hi all,
I posted this question on the RHEL 5 mailing list, but didn't get any
replies. Then I came across pam-list, and this may be a more
appropriate place to post this question. This is the case:
I'm working on setting up our RHEL servers to authenticate against
Active Directory 2008. With my current setup, users can log in and
most everything looks good. But one issue I'm having is that when the
"User must change password at next logon" box in AD is checked, I'm
denied access to the Linux box. First, this is my setup:
###### /etc/ldap.conf ##########
uri ldaps://ldap.example.com
base dc=example,dc=com
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
pam_password_prohibit_message Your password could not be changed
pam_password ad
ssl on
tls_checkpeer no
bind_timelimit 120
idle_timelimit 3600
bind_policy soft
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
binddn cn=serviceuser,ou=accounts,dc=example,dc=com
bindpw secret
TLS_REQCERT allow
###### /etc/pam.d/system-auth ###########
#%PAM-1.0
# /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
account required pam_access.so accessfile=/etc/security/access.custom.conf
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel umask=077
####### /etc/nsswitch.conf ####################
-- snip --
passwd: ldap compat
shadow: ldap compat
group: ldap compat
-- snip --
So when I issue for example "ssh kenneth@server" to log into my RHEL
server, this is what /var/log/secure tells me:
## output start ##
2011-07-22T13:37:21.140807+02:00 server sshd[11172]:
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=server.example.com user=kenneth
2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error
trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com"
(Invalid credentials)
2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password
for kenneth from 1.2.3.4 port 45352 ssh2
## output end ##
I've tried to google this issue, but haven't come across any
information that has helped me resolve it. Does anyone here
know what may be causing it? Any help will be greatly appreciated.
Best regards,
Kenneth Holter
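Added example, not part of Kenneth's post or of pam_ldap: the log above only says "Invalid credentials", because pam_ldap does not surface the sub-code Active Directory attaches to an LDAP result 49 (data 773 is "must change password at next logon", 52e is a plain wrong password, 532 is "password expired"). The Python below pulls the failing bind DN out of /var/log/secure lines like the ones posted, decodes the AD sub-code from a bind diagnostic message (the message string, the DSID and the `ldapwhoami` invocation are assumptions for illustration; the sub-code table is AD's documented set), and interprets the two AD attributes behind the checkbox: `pwdLastSet` (0 means a forced change) and the `UF_DONT_EXPIRE_PASSWD` bit of `userAccountControl`. Sample log lines and diagnostic strings are constructed.

```python
"""Triage helpers for pam_ldap bind failures against Active Directory."""
import re
from datetime import datetime, timedelta, timezone

# Sub-codes AD appends to the diagnostic message of an LDAP result 49
# (invalidCredentials). pam_ldap only logs "Invalid credentials", so a
# manual bind is needed to see which of these applies.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "wrong password",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password at next logon",
    "775": "account locked out",
}

_SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]{3})")
_PAM_LDAP_BIND_RE = re.compile(
    r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]*)\)'
)


def classify_bind_diagnostic(diagnostic):
    """Map an AD bind diagnostic message to (sub-code, meaning); None if no sub-code."""
    m = _SUBCODE_RE.search(diagnostic)
    if not m:
        return None
    code = m.group("code").lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")


def pam_ldap_bind_failures(log_lines):
    """Extract (bind DN, reason) from pam_ldap bind-failure lines in /var/log/secure."""
    found = []
    for line in log_lines:
        m = _PAM_LDAP_BIND_RE.search(line)
        if m:
            found.append((m.group("dn"), m.group("reason")))
    return found


# pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
# AD stores "User must change password at next logon" as pwdLastSet = 0.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl "password never expires" bit


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def password_state(pwd_last_set, user_account_control=0):
    """Summarise what a simple bind will hit, from pwdLastSet and userAccountControl."""
    if pwd_last_set == 0:
        return "must-change"
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"
    return "set " + filetime_to_datetime(pwd_last_set).isoformat()


if __name__ == "__main__":
    # Constructed sample: the post's /var/log/secure lines, unwrapped.
    SAMPLE_SECURE = [
        "2011-07-22T13:37:21.140807+02:00 server sshd[11172]: pam_unix(sshd:auth): "
        "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server.example.com user=kenneth",
        '2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error trying to bind as user '
        '"CN=kenneth,OU=Users,DC=example,DC=com" (Invalid credentials)',
        "2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password for kenneth from 1.2.3.4 port 45352 ssh2",
    ]
    for dn, reason in pam_ldap_bind_failures(SAMPLE_SECURE):
        print(f"pam_ldap bind failed for {dn}: {reason}")
        # Assumed follow-up command: repeat the bind by hand to get the full diagnostic.
        print(f"  try: ldapwhoami -x -H ldaps://ldap.example.com -D '{dn}' -W")
    # Constructed diagnostic in the shape AD returns when a password change is forced.
    diag = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1"
    print(classify_bind_diagnostic(diag))
    print(password_state(0), "|", password_state(116444736000000000))
```

The script runs offline on the constructed lines; against a real server the manual `ldapwhoami` bind is what exposes the sub-code. One caveat the script does not address: the posted ldap.conf turns off certificate verification (`tls_checkpeer no`, `TLS_REQCERT allow`), so the ldaps:// bind carrying the user's password is not protected against an impersonated directory server.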