
Re: Authenticate against AD: Access denied when "User must change password at next logon" is set



Thank you very much for your reply.

Could you please elaborate on which attribute mappings exactly you are
referring to?

I have tried adding these lines to my ldap.conf file, but without success:

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User


Best regards,
Kenneth

On Tue, Jul 26, 2011 at 3:06 AM,  <grove zeta org au> wrote:
> On Mon, 25 Jul 2011, Kenneth Holter wrote:
>
>
> Are you mapping the shadowaccount Attribute along with Userpassword
> Attribute?
>
> You must map both if you use shadow passwd entry like in RH or Solaris.
>
>
> rachel
>
>> Hi all,
>>
>>
>> I posted this question on the RHEL 5 mailing list, but didn't get any
>> replies. Then I came across pam-list, and this may be a more
>> appropriate place to post this question. This is the case:
>>
>> I'm working on setting up our RHEL servers to authenticate against
>> Active Directory 2008. With my current setup, users can log in and
>> most everything looks good. But one issue I'm having is that when the
>> "User must change password at next logon" box on AD is checked, I'm
>> denied access to the linux box. First, this is my setup:
>>
>> ###### /etc/ldap.conf ##########
>>
>> uri ldaps://ldap.example.com
>> base dc=example,dc=com
>>
>> nss_map_attribute uniqueMember msSFU30PosixMember
>> nss_map_attribute userPassword msSFU30Password
>>
>> pam_password_prohibit_message Your password could not be changed
>> pam_password ad
>> ssl on
>> tls_checkpeer no
>>
>> bind_timelimit 120
>> idle_timelimit 3600
>> bind_policy soft
>> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>>
>> binddn cn=serviceuser,ou=accounts,dc=example,dc=com
>> bindpw secret
>>
>> TLS_REQCERT allow
>>
>> ###### /etc/pam.d/system-auth ###########
>> #%PAM-1.0
>> # /etc/pam.d/system-auth
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>> auth        sufficient    pam_ldap.so use_first_pass
>> auth        required      pam_deny.so
>>
>> account     required      pam_unix.so broken_shadow
>> account     sufficient    pam_localuser.so
>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account     required      pam_permit.so
>> account     required      pam_access.so accessfile=/etc/security/access.custom.conf
>>
>> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password    sufficient    pam_ldap.so use_authtok
>> password    required      pam_deny.so
>>
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session     required      pam_unix.so
>> session     optional      pam_ldap.so
>> session     required      pam_mkhomedir.so skel=/etc/skel umask=077
>>
>>
>> ####### /etc/nsswitch.conf ####################
>> -- snip --
>> passwd:     ldap compat
>> shadow:     ldap compat
>> group:      ldap compat
>> -- snip --
>>
>>
>> So when I issue for example "ssh kenneth server" to log into my RHEL
>> server, this is what /var/log/secure tells me:
>>
>> ## output start ##
>> 2011-07-22T13:37:21.140807+02:00 server sshd[11172]:
>> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
>> tty=ssh ruser= rhost=server.example.com  user=kenneth
>> 2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error
>> trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com"
>> (Invalid credentials)
>> 2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password
>> for kenneth from 1.2.3.4 port 45352 ssh2
>> ## output end ##
>>
>> I've tried to google this issue, but haven't come across any
>> information that has helped me resolve this issue. Does anyone here
>> know what may be causing it? Any help will be greatly appreciated.
>>
>>
>> Best regards,
>> Kenneth Holter
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list redhat com
>> https://www.redhat.com/mailman/listinfo/pam-list
>>
>
> --
> Rachel Polanskis                 Kingswood, Greater Western Sydney,
> Australia
> grove zeta org au                http://www.zeta.org.au/~grove/grove.html
>   "The perversity of the Universe tends towards a maximum." - Finagle's Law
>
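Added example, not code from anyone in this thread: a small Python helper relating AD's pwdLastSet to the shadowLastChange field that the ldap.conf above maps it to. pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) while shadowLastChange counts days since 1970-01-01, and a pwdLastSet of 0 is how AD records "User must change password at next logon"; the sample entries are constructed.

```python
"""Relate AD's pwdLastSet to the shadowLastChange field mapped in ldap.conf.

Added example, not code from the thread. pwdLastSet is a Windows FILETIME
(100 ns ticks since 1601-01-01 UTC); shadowLastChange counts days since
1970-01-01. pwdLastSet == 0 is how AD records "User must change password
at next logon", and pam_unix treats shadowLastChange == 0 the same way.
"""
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FILETIME_UNIX_OFFSET_S = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_SECOND = 10_000_000            # one FILETIME tick is 100 ns


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    seconds, rem = divmod(ticks, TICKS_PER_SECOND)
    base = datetime.fromtimestamp(seconds - FILETIME_UNIX_OFFSET_S, tz=timezone.utc)
    return base + timedelta(microseconds=rem // 10)


def pwd_last_set_to_shadow_last_change(pwd_last_set: int) -> int:
    """Days since the Unix epoch for pwdLastSet; 0 is kept as the forced-change marker."""
    if pwd_last_set == 0:
        return 0
    if pwd_last_set < 0:
        # -1 is only meaningful on write ("set to now"); it is never a stored time.
        raise ValueError("negative pwdLastSet is a write-only sentinel")
    return (filetime_to_datetime(pwd_last_set) - UNIX_EPOCH).days


def password_state(entry: dict) -> str:
    """Classify an AD entry (attribute values as LDAP returns them: strings)."""
    last_set = int(entry.get("pwdLastSet", "0"))
    if last_set == 0:
        return "must-change-at-next-logon"
    return "set-" + filetime_to_datetime(last_set).date().isoformat()


# Constructed sample entries, modelled on the DN from the thread's log output.
SAMPLE_ENTRIES = {
    "CN=kenneth,OU=Users,DC=example,DC=com": {"pwdLastSet": "0"},
    "CN=alice,OU=Users,DC=example,DC=com": {"pwdLastSet": "129557664000000000"},
}

if __name__ == "__main__":
    for dn, attrs in SAMPLE_ENTRIES.items():
        days = pwd_last_set_to_shadow_last_change(int(attrs["pwdLastSet"]))
        print(f"{dn}: {password_state(attrs)} (shadowLastChange={days})")
```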

