Authenticate against AD: Access denied when "User must change password at next logon" is set

grove at zeta.org.au
Tue Jul 26 01:06:25 UTC 2011
On Mon, 25 Jul 2011, Kenneth Holter wrote:


Are you mapping the shadowAccount attribute along with the userPassword attribute?

You must map both if you use a shadow passwd entry, as in RH or Solaris.


rachel
> Hi all,
>
>
> I posted this question on the RHEL 5 mailing list, but didn't get any
> replies. Then I came across pam-list, and this may be a more
> appropriate place to post this question. This is the case:
>
> I'm working on setting up our RHEL servers to authenticate against
> Active Directory 2008. With my current setup, users can log in and
> most everything looks good. But one issue I'm having is that when the
> "User must change password at next logon" box in AD is checked, I'm
> denied access to the Linux box. First, this is my setup:
>
> ###### /etc/ldap.conf ##########
>
> uri ldaps://ldap.example.com
> base dc=example,dc=com
>
> nss_map_attribute uniqueMember msSFU30PosixMember
> nss_map_attribute userPassword msSFU30Password
>
> pam_password_prohibit_message Your password could not be changed
> pam_password ad
> ssl on
> tls_checkpeer no
>
> bind_timelimit 120
> idle_timelimit 3600
> bind_policy soft
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>
> binddn cn=serviceuser,ou=accounts,dc=example,dc=com
> bindpw secret
>
> TLS_REQCERT allow
>
> ###### /etc/pam.d/system-auth ###########
> #%PAM-1.0
> # /etc/pam.d/system-auth
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
> account     required      pam_access.so accessfile=/etc/security/access.custom.conf
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
> session     required      pam_mkhomedir.so skel=/etc/skel umask=077
>
>
> ####### /etc/nsswitch.conf ####################
> -- snip --
> passwd:     ldap compat
> shadow:     ldap compat
> group:      ldap compat
> -- snip --
>
>
> So when I issue for example "ssh kenneth@server" to log into my RHEL
> server, this is what /var/log/secure tells me:
>
> ## output start ##
> 2011-07-22T13:37:21.140807+02:00 server sshd[11172]:
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=server.example.com  user=kenneth
> 2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error
> trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com"
> (Invalid credentials)
> 2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password
> for kenneth from 1.2.3.4 port 45352 ssh2
> ## output end ##
>
> I've tried to google this issue, but haven't come across any
> information that has helped me resolve it. Does anyone here
> know what may be causing it? Any help will be greatly appreciated.
>
>
> Best regards,
> Kenneth Holter
>

-- 
Rachel Polanskis                 Kingswood, Greater Western Sydney, Australia
grove at zeta.org.au                http://www.zeta.org.au/~grove/grove.html
    "The perversity of the Universe tends towards a maximum." - Finagle's Law
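An added example, not part of this thread: it correlates the /var/log/secure lines Kenneth posted by sshd PID, so the expected pam_unix failure for a directory-only user is kept apart from the decisive pam_ldap bind rejection, and it decodes the AD bind sub-code that pam_ldap does not log but ldapwhoami or ldapsearch print (773 is AD's sub-code for an account flagged to change its password at next logon). The ldapwhoami sample, the function names and the verdict strings are constructed here.

```python
import re
from collections import defaultdict

# The /var/log/secure lines from Kenneth's post, re-joined onto one line each.
SECURE_LOG = [
    '2011-07-22T13:37:21.140807+02:00 server sshd[11172]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server.example.com  user=kenneth',
    '2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com" (Invalid credentials)',
    '2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password for kenneth from 1.2.3.4 port 45352 ssh2',
]

PAM_UNIX_RE = re.compile(r'sshd\[(\d+)\]: pam_unix\(sshd:auth\): authentication failure;.* user=(\S+)')
PAM_LDAP_RE = re.compile(r'sshd\[(\d+)\]: pam_ldap: error trying to bind as user "([^"]+)" \((.+)\)')
SSHD_FAIL_RE = re.compile(r'sshd\[(\d+)\]: Failed password for (\S+) from (\S+)')

def triage(lines):
    """Group the PAM and sshd messages by sshd PID so one login attempt is read as one chain."""
    sessions = defaultdict(dict)
    for line in lines:
        if m := PAM_UNIX_RE.search(line):
            sessions[m[1]].update(user=m[2], local_unix="failed")
        elif m := PAM_LDAP_RE.search(line):
            sessions[m[1]].update(bind_dn=m[2], ldap_error=m[3])
        elif m := SSHD_FAIL_RE.search(line):
            sessions[m[1]].update(user=m[2], rhost=m[3])
    for s in sessions.values():
        # pam_unix failing for a directory-only user is expected (no local passwd entry);
        # the decisive message in the chain is the pam_ldap bind result.
        s["verdict"] = "AD rejected the simple bind" if "ldap_error" in s else "local auth failure only"
    return dict(sessions)

# Sub-codes AD puts in the bind diagnostic ("AcceptSecurityContext error, data NNN"); pam_ldap
# does not log them, but ldapwhoami/ldapsearch do. 773 is the "must change password at next logon" case.
AD_BIND_DATA = {
    "525": "user not found", "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time", "531": "logon not permitted at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must change password at next logon", "775": "account locked out",
}

def decode_ad_bind_error(diagnostic):
    """Return (code, meaning) for the data NNN sub-code in an AD bind diagnostic, or None."""
    m = re.search(r'AcceptSecurityContext error, data ([0-9a-fA-F]+)', diagnostic)
    if not m:
        return None
    return m[1].lower(), AD_BIND_DATA.get(m[1].lower(), "unknown sub-code")

# Constructed sample of an ldapwhoami failure for such an account (not from the post).
SAMPLE_DIAG = ("ldap_bind: Invalid credentials (49)\n\tadditional info: 80090308: LdapErr: "
               "DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1")
```

Running `ldapwhoami -x -H ldaps://ldap.example.com -D "CN=kenneth,OU=Users,DC=example,DC=com" -W` as the affected user and feeding its output to decode_ad_bind_error tells you whether the bind was refused for a wrong password (52e) or for the must-change flag (773), which the pam_ldap log line alone cannot distinguish.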