Authentication/Login using Windows 2003 R2 Active Directory

Scott Ruckh sruckh at gemneye.org
Wed Aug 9 16:15:23 UTC 2006


I have the following configuration:

/etc/openldap/ldap.conf

BASE            ou=LNXUSERS,dc=example,dc=com
URI             ldap://1.1.1.1/
HOST            adsvr.example.com
TLS_REQCERT demand
TLS_CACERT /etc/openldap/cacerts/exampleCA.pem

/etc/ldap.conf

host            adsvr.example.com
uri             ldap://1.1.1.1
scope           sub
timelimit       30

binddn adlookup@example.com
bindpw secret

tls_checkpeer no
ssl start_tls

nss_base_passwd         ou=LNXUSERS,dc=example,dc=com?sub
nss_base_shadow         ou=LNXUSERS,dc=example,dc=com?sub
nss_base_group          ou=LNXUSERS,dc=example,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount        user
nss_map_objectclass shadowAccount       user
nss_map_objectclass posixGroup          group
nss_map_attribute gecos                 name
nss_map_attribute homeDirectory         unixHomeDirectory

pam_password ad

This configuration works without sending bind user's name and password
over the wire in clear text, and works for logging in from the local
console, but it does not work for ssh logins.

It looks like the user authenticates, but then receives a connection
closed message.  The /var/log/messages only shows a pam_krb5 message
stating, "authentication succeeds for 'aduser' (aduser@EXAMPLE.COM)".

As the active directory user can login from local console I assume
/etc/krb5.conf, /etc/nsswitch.conf, and /etc/pam.d/system-auth are
configured correctly.  I am guessing there is a problem possibly with
/etc/pam.d/sshd or /etc/ssh/ssh_config file.

Does anyone have any idea what is going on and how to get ssh logins working?

Thanks.

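A small check for the transport settings of an /etc/ldap.conf like the one in this post (an added example, not the poster's configuration or code): it parses the nss_ldap/pam_ldap-style file, flags that `tls_checkpeer no` leaves the STARTTLS server certificate unverified (the `TLS_REQCERT demand` in /etc/openldap/ldap.conf does not apply here, because nss_ldap and pam_ldap read /etc/ldap.conf), and produces a hardened copy. The sample config is constructed from the post, and the CA file path is assumed to be the one from the OpenLDAP file.

```python
"""Lint an nss_ldap/pam_ldap style /etc/ldap.conf for transport-security gaps."""
import re

# Constructed sample, taken from the post above (password is the post's placeholder).
SAMPLE_LDAP_CONF = """\
host            adsvr.example.com
uri             ldap://1.1.1.1
scope           sub
binddn adlookup@example.com
bindpw secret
tls_checkpeer no
ssl start_tls
nss_base_passwd         ou=LNXUSERS,dc=example,dc=com?sub
pam_password ad
"""


def parse_ldap_conf(text):
    """Return {key: value}; keys lower-cased, comments and blank lines skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_tls(conf):
    """Return a list of (severity, message) findings about the bind transport."""
    findings = []
    encrypted = conf.get("uri", "").startswith("ldaps://") or \
        conf.get("ssl", "off").lower() in ("on", "start_tls")
    checkpeer = conf.get("tls_checkpeer", "no").lower()
    if conf.get("bindpw") and not encrypted:
        findings.append(("high", "binddn/bindpw sent over plain ldap:// without ssl on/start_tls"))
    if encrypted and checkpeer != "yes":
        findings.append(("high", "tls_checkpeer is not 'yes': the server certificate is not verified, "
                                 "so STARTTLS does not protect the bind credentials from a spoofed server"))
    if checkpeer == "yes" and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append(("medium", "tls_checkpeer yes but no tls_cacertfile/tls_cacertdir trust anchor"))
    return findings


def hardened(conf, cacert="/etc/openldap/cacerts/exampleCA.pem"):
    """Copy of conf with STARTTLS and peer verification against the given CA file (path assumed)."""
    fixed = dict(conf)
    if not fixed.get("uri", "").startswith("ldaps://"):
        fixed["ssl"] = "start_tls"
    fixed["tls_checkpeer"] = "yes"
    fixed["tls_cacertfile"] = cacert
    return fixed
```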