
Re: Authenticate against AD: Access denied when "User must change password at next logon" is set



Hi,
have a look at this site:

https://help.ubuntu.com/community/ActiveDirectoryHowto


It explains better than I can!

--
rachel polanskis 
<r polanskis uws edu au> 
<grove zeta org au>

On 26/07/2011, at 17:27, Kenneth Holter <kenneho ndu gmail com> wrote:

> Thank you very much for your reply.
> 
> Could you please elaborate on which attribute mappings exactly are you
> referring to?
> 
> I have tried adding these lines to my ldap.conf file, but without success:
> 
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_attribute uid sAMAccountName
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute shadowLastChange pwdLastSet
> nss_map_objectclass posixGroup group
> nss_map_attribute uniqueMember member
> pam_login_attribute sAMAccountName
> pam_filter objectclass=User
> 
> 
> Best regards,
> Kenneth
> 
> On Tue, Jul 26, 2011 at 3:06 AM,  <grove zeta org au> wrote:
>> On Mon, 25 Jul 2011, Kenneth Holter wrote:
>> 
>> 
>> Are you mapping the shadowaccount Attribute along with Userpassword
>> Attribute?
>> 
>> You must map both if you use shadow passwd entry like in RH or Solaris.
>> 
>> 
>> rachel
>> 
>> 
>> 
>> 
>> 
>>> Hi all,
>>> 
>>> 
>>> I posted this question on the RHEL 5 mailing list, but didn't get any
>>> replies. Then I came across pam-list, and this may be a more
>>> appropriate place to post this question. This is the case:
>>> 
>>> I'm working on setting up our RHEL servers to authenticate against
>>> Active Directory 2008. With my current setup, users can log in and
>>> most everything looks good. But one issue I'm having is that when the
>>> "User must change password at next logon" box on AD is checked, I'm
>>> denied access to the linux box. First, this is my setup:
>>> 
>>> ###### /etc/ldap.conf ##########
>>> 
>>> uri ldaps://ldap.example.com
>>> base dc=example,dc=com
>>> 
>>> nss_map_attribute uniqueMember msSFU30PosixMember
>>> nss_map_attribute userPassword msSFU30Password
>>> 
>>> pam_password_prohibit_message Your password could not be changed
>>> pam_password ad
>>> ssl on
>>> tls_checkpeer no
>>> 
>>> bind_timelimit 120
>>> idle_timelimit 3600
>>> bind_policy soft
>>> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>>> 
>>> binddn cn=serviceuser,ou=accounts,dc=example,dc=com
>>> bindpw secret
>>> 
>>> TLS_REQCERT allow
>>> 
>>> ###### /etc/pam.d/system-auth ###########
>>> #%PAM-1.0
>>> # /etc/pam.d/system-auth
>>> auth        required      pam_env.so
>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>> auth        sufficient    pam_ldap.so use_first_pass
>>> auth        required      pam_deny.so
>>> 
>>> account     required      pam_unix.so broken_shadow
>>> account     sufficient    pam_localuser.so
>>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>> account     required      pam_permit.so
>>> account     required      pam_access.so accessfile=/etc/security/access.custom.conf
>>> 
>>> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>> password    sufficient    pam_ldap.so use_authtok
>>> password    required      pam_deny.so
>>> 
>>> session     optional      pam_keyinit.so revoke
>>> session     required      pam_limits.so
>>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>> session     required      pam_unix.so
>>> session     optional      pam_ldap.so
>>> session     required      pam_mkhomedir.so skel=/etc/skel umask=077
>>> 
>>> 
>>> ####### /etc/nsswitch.conf ####################
>>> -- snip --
>>> passwd:     ldap compat
>>> shadow:     ldap compat
>>> group:      ldap compat
>>> -- snip --
>>> 
>>> 
>>> So when I issue for example "ssh kenneth server" to log into my RHEL
>>> server, this is what /var/log/secure tells me:
>>> 
>>> ## output start ##
>>> 2011-07-22T13:37:21.140807+02:00 server sshd[11172]:
>>> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
>>> tty=ssh ruser= rhost=server.example.com  user=kenneth
>>> 2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error
>>> trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com"
>>> (Invalid credentials)
>>> 2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password
>>> for kenneth from 1.2.3.4 port 45352 ssh2
>>> ## output end ##
>>> 
>>> I've tried to google this issue, but haven't come across any
>>> information that has helped me resolve it. Does anyone here
>>> know what may be causing it? Any help will be greatly appreciated.
>>> 
>>> 
>>> Best regards,
>>> Kenneth Holter
>>> 
>>> _______________________________________________
>>> Pam-list mailing list
>>> Pam-list redhat com
>>> https://www.redhat.com/mailman/listinfo/pam-list
>>> 
>> 
>> --
>> Rachel Polanskis                 Kingswood, Greater Western Sydney,
>> Australia
>> grove zeta org au                http://www.zeta.org.au/~grove/grove.html
>>   "The perversity of the Universe tends towards a maximum." - Finagle's Law
>> 
>> 
> 
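As an added illustration (not part of the thread), here is a small correlator for the `/var/log/secure` lines Kenneth posted: it groups the `pam_unix`, `pam_ldap` bind and sshd "Failed password" messages by sshd PID so that one login attempt becomes one record, and labels where in the PAM stack it was refused. The sample log is constructed by re-joining the wrapped lines from the post; the hostnames and IP are the post's own placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: the three /var/log/secure lines from the post, unwrapped.
SAMPLE_LOG = """\
2011-07-22T13:37:21.140807+02:00 server sshd[11172]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server.example.com  user=kenneth
2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com" (Invalid credentials)
2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password for kenneth from 1.2.3.4 port 45352 ssh2
"""

HEADER = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
UNIX_FAIL = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*\buser=(?P<user>\S*)")
LDAP_BIND = re.compile(r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]+)\)')
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)")

def correlate(log_text):
    """Group sshd/PAM lines by sshd PID so each login attempt becomes one record."""
    attempts = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an sshd line; ignore
        rec = attempts[m["pid"]]
        rec.setdefault("first_seen", m["ts"])
        msg = m["msg"]
        if u := UNIX_FAIL.search(msg):
            rec["user"] = u["user"]
            rec["pam_unix"] = "failure"
        elif b := LDAP_BIND.search(msg):
            rec["bind_dn"] = b["dn"]            # DN pam_ldap tried to bind as
            rec["ldap_bind_error"] = b["reason"]  # directory's stated reason
        elif s := SSH_FAIL.search(msg):
            rec["user"] = s["user"]
            rec["rhost"] = s["rhost"]
            rec["ssh_result"] = "failed"
    return dict(attempts)

def classify(rec):
    """Label an attempt by where in the PAM stack it was rejected."""
    if rec.get("ldap_bind_error"):
        # The directory refused the simple bind. The earlier pam_unix failure is the
        # normal outcome when the password cannot be verified locally first.
        return "ldap_bind_rejected: " + rec["ldap_bind_error"]
    if rec.get("pam_unix") == "failure" and rec.get("ssh_result") == "failed":
        return "rejected_without_ldap_bind"
    return "unknown"
```

Running `classify` over each record from `correlate(SAMPLE_LOG)` separates "the directory refused the bind" from "the attempt never reached pam_ldap", which is the first distinction to make when reading a log like the one above.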

