Authenticate against AD: Access denied when "User must change password at next logon" is set
Rachel Polanskis
grove at zeta.org.au
Tue Jul 26 08:31:16 UTC 2011
Hi,
have a look at this site:
https://help.ubuntu.com/community/ActiveDirectoryHowto
It explains better than I can!
--
rachel polanskis
<r.polanskis at uws.edu.au>
<grove at zeta.org.au>
On 26/07/2011, at 17:27, Kenneth Holter <kenneho.ndu at gmail.com> wrote:
> Thank you very much for your reply.
>
> Could you please elaborate on which attribute mappings exactly are you
> referring to?
>
> I have tried adding these lines to my ldap.conf file, but without success:
>
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_attribute uid sAMAccountName
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute shadowLastChange pwdLastSet
> nss_map_objectclass posixGroup group
> nss_map_attribute uniqueMember member
> pam_login_attribute sAMAccountName
> pam_filter objectclass=User
>
>
> Best regards,
> Kenneth
>
> On Tue, Jul 26, 2011 at 3:06 AM, <grove at zeta.org.au> wrote:
>> On Mon, 25 Jul 2011, Kenneth Holter wrote:
>>
>>
>> Are you mapping the shadowaccount Attribute along with Userpassword
>> Attribute?
>>
>> You must map both if you use shadow passwd entry like in RH or Solaris.
>>
>>
>> rachel
>>
>>
>>
>>
>>
>>> Hi all,
>>>
>>>
>>> I posted this question on the RHEL 5 mailing list, but didn't get any
>>> replies. Then I came across pam-list, and this may be a more
>>> appropriate place to post this question. This is the case:
>>>
>>> I'm working on setting up our RHEL servers to authenticate against
>>> Active Directory 2008. With my current setup, users can log in and
>>> most everything looks good. But one issue I'm having is that when the
>>> "User must change password at next logon" box on AD i checked, I'm
>>> denied access to the linux box. First, this is my setup:
>>>
>>> ###### /etc/ldap.conf ##########
>>>
>>> uri ldaps://ldap.example.com
>>> base dc=example,dc=com
>>>
>>> nss_map_attribute uniqueMember msSFU30PosixMember
>>> nss_map_attribute userPassword msSFU30Password
>>>
>>> pam_password_prohibit_message Your password could not be changed
>>> pam_password ad
>>> ssl on
>>> tls_checkpeer no
>>>
>>> bind_timelimit 120
>>> idle_timelimit 3600
>>> bind_policy soft
>>> nss_initgroups_ignoreusers
>>> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>>>
>>> binddn cn=serviceuser,ou=accounts,dc=example,dc=com
>>> bindpw secret
>>>
>>> TLS_REQCERT allow
>>>
>>> ###### /etc/pam.d/system-auth ###########
>>> #%PAM-1.0
>>> # /etc/pam.d/system-auth
>>> auth required pam_env.so
>>> auth sufficient pam_unix.so nullok try_first_pass
>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>> auth sufficient pam_ldap.so use_first_pass
>>> auth required pam_deny.so
>>>
>>> account required pam_unix.so broken_shadow
>>> account sufficient pam_localuser.so
>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>> account required pam_permit.so
>>> account required pam_access.so
>>> accessfile=/etc/security/access.custom.conf
>>>
>>> password requisite pam_cracklib.so try_first_pass retry=3 type=
>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass
>>> use_authtok
>>> password sufficient pam_ldap.so use_authtok
>>> password required pam_deny.so
>>>
>>> session optional pam_keyinit.so revoke
>>> session required pam_limits.so
>>> session [success=1 default=ignore] pam_succeed_if.so service in
>>> crond quiet use_uid
>>> session required pam_unix.so
>>> session optional pam_ldap.so
>>> session required pam_mkhomedir.so skel=/etc/skel umask=077
>>>
>>>
>>> ####### /etc/nsswitch.conf ####################
>>> -- snip --
>>> passwd: ldap compat
>>> shadow: ldap compat
>>> group: ldap compat
>>> -- snip --
>>>
>>>
>>> So when I issue for example "ssh kenneth at server" to log into my RHEL
>>> server, this is what /var/log/secure tells me:
>>>
>>> ## output start ##
>>> 2011-07-22T13:37:21.140807+02:00 server sshd[11172]:
>>> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
>>> tty=ssh ruser= rhost=server.example.com user=kenneth
>>> 2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error
>>> trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com"
>>> (Invalid credentials)
>>> 2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password
>>> for kenneth from 1.2.3.4 port 45352 ssh2
>>> ## output end ##
>>>
>>> I've tried to google this issue, but haven't come across any
>>> information that have helped me resolve this issue. Does anyone here
>>> know what may be causing it? Any help will be greatly appreciated.
>>>
>>>
>>> Best regards,
>>> Kenneth Holter
>>>
>>> _______________________________________________
>>> Pam-list mailing list
>>> Pam-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pam-list
>>>
>>
>> --
>> Rachel Polanskis Kingswood, Greater Western Sydney,
>> Australia
>> grove at zeta.org.au http://www.zeta.org.au/~grove/grove.html
>> "The perversity of the Universe tends towards a maximum." - Finagle's Law
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/pam-list
>>
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
More information about the Pam-list
mailing list