Authentication/Login using Windows 2003 R2 Active Directory

Scott Ruckh sruckh at gemneye.org
Thu Aug 10 05:20:08 UTC 2006


This is what you said Scott Ruckh
> I have the following configuration:
>
> /etc/openldap/ldap.conf
>
> BASE            ou=LNXUSERS,dc=example,dc=com
> URI             ldap://1.1.1.1/
> HOST            adsvr.example.com
> TLS_REQCERT demand
> TLS_CACERT /etc/openldap/cacerts/exampleCA.pem
>
> /etc/ldap.conf
>
> host            adsvr.example.com
> uri             ldap://1.1.1.1
> scope           sub
> timelimit       30
>
> binddn adlookup at example.com
> bindpw secret
>
> tls_checkpeer no
> ssl start_tls
>
> nss_base_passwd         ou=LNXUSERS,dc=example,dc=com?sub
> nss_base_shadow         ou=LNXUSERS,dc=example,dc=com?sub
> nss_base_group          ou=LNXUSERS,dc=example,dc=com?sub?&(objectCategory=group)(gidnumber=*)
> nss_map_objectclass posixAccount        user
> nss_map_objectclass shadowAccount       user
> nss_map_objectclass posixGroup          group
> nss_map_attribute gecos                 name
> nss_map_attribute homeDirectory         unixHomeDirectory
>
> pam_password ad
>
> This configuration works without sending bind user's name and password
> over the wire in clear text, and works for logging in from the local
> console, but it does not work for ssh logins.
>
> It looks like the user authenticates, but then receives a connection
> closed message.  The /var/log/messages only shows a pam_krb5 message
> stating, "authentication succeeds for 'aduser' (aduser at EXAMPLE.COM)".
>
> As the active directory user can login from local console I assume
> /etc/krb5.conf, /etc/nsswitch.conf, and /etc/pam.d/system-auth are
> configured correctly.  I am guessing there is a problem possibly with
> /etc/pam.d/sshd or /etc/ssh/ssh_config file.
>
> Does anyone have any idea what is going on and how to get ssh logins
> working?
>
> Thanks.

By making the file /etc/pam.d/system-auth look like the following
everything appears to work.

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account [ignore=ignore success=done default=die] /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_krb5.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
session optional /lib/security/$ISA/pam_ldap.so

I still need to do much more testing with this configuration to ensure
everything works, but local and active directory users can log in from the
local console and from ssh sessions with the above configuration.
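Added example, not part of Scott's post and not Red Hat's code: a small Python model of how Linux-PAM walks a stack such as the system-auth above. It expands the keyword controls (required, requisite, sufficient, optional) to their bracketed equivalents from pam.conf(5), re-joins the lines the mail client wrapped, and then plays four constructed scenarios through the auth and account groups of the posted stack. The module return codes in each scenario are assumptions chosen for illustration; the dispatcher is a simplified model (no jump or reset actions) of the semantics documented in pam.conf(5).

```python
"""Simplified Linux-PAM stack evaluator for the posted system-auth (added example)."""
import re
from typing import Dict, List, Tuple

# Keyword controls expanded to their bracketed equivalents (pam.conf(5)).
KEYWORDS: Dict[str, Dict[str, str]] = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
TYPES = ("auth", "account", "password", "session")
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")
Entry = Tuple[str, Dict[str, str], str, str]  # (type, actions, module, args)

# The auth and account groups from the post, exactly as the mail client wrapped them.
POSTED_SYSTEM_AUTH = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account [ignore=ignore success=done default=die]
/lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_krb5.so
account [default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
"""


def parse_pam(text: str) -> List[Entry]:
    """Parse pam.d lines; a line that does not start with a module type is
    treated as the continuation of a line that was wrapped in transit."""
    joined: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if joined and line.split()[0] not in TYPES:
            joined[-1] += " " + line
        else:
            joined.append(line)
    entries: List[Entry] = []
    for line in joined:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable PAM line: {line!r}")
        mtype, control, module, args = m.groups()
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        entries.append((mtype, actions, module.rsplit("/", 1)[-1], args))
    return entries


def run_stack(entries: List[Entry], mtype: str,
              results: Dict[str, str]) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Walk one management group. `results` maps module -> its return code in
    this scenario. Returns the stack's final status and a per-module trace."""
    impression = None      # None: undefined, True: positive, False: negative
    status = "success"
    trace: List[Tuple[str, str, str]] = []
    for t, actions, module, _ in entries:
        if t != mtype:
            continue
        if module not in results:
            raise KeyError(f"scenario gives no result for {module} in the {mtype} stack")
        retval = results[module]
        action = actions.get(retval, actions.get("default", "bad"))
        trace.append((module, retval, action))
        if action in ("bad", "die"):
            if impression is not False:           # the first failure is the one reported
                impression, status = False, retval
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                impression, status = True, retval
            if action == "done" and impression:   # 'done' cannot override an earlier failure
                break
        # 'ignore' leaves the state untouched; jumps and 'reset' are not modelled
    if status == "success" and impression is not True:
        status = "perm_denied"                    # nothing positive happened: must fail
    return status, trace


# Constructed module return codes for four situations (assumptions, not from the post).
SCENARIOS = {
    "account, user found by pam_unix": ("account", {"pam_unix.so": "success"}),
    "account, user unknown to NSS": ("account", {"pam_unix.so": "user_unknown"}),
    "auth, AD user accepted by pam_krb5": ("auth", {
        "pam_env.so": "success", "pam_unix.so": "auth_err", "pam_krb5.so": "success"}),
    "auth, password rejected everywhere": ("auth", {
        "pam_env.so": "success", "pam_unix.so": "auth_err", "pam_krb5.so": "auth_err",
        "pam_ldap.so": "auth_err", "pam_deny.so": "perm_denied"}),
}


def evaluate_all() -> Dict[str, str]:
    """Run every scenario against the posted stack; returns {scenario: final status}."""
    entries = parse_pam(POSTED_SYSTEM_AUTH)
    return {name: run_stack(entries, mtype, res)[0] for name, (mtype, res) in SCENARIOS.items()}


if __name__ == "__main__":
    ents = parse_pam(POSTED_SYSTEM_AUTH)
    for name, (mtype, res) in SCENARIOS.items():
        final, steps = run_stack(ents, mtype, res)
        print(f"{name}: {final}")
        for mod, rv, act in steps:
            print(f"    {mod:<20} returned {rv:<13} -> {act}")
```

The traces make two properties of the posted stack visible: in the account group, pam_unix's `[success=done default=die]` control settles the result on its own for any user NSS can resolve, so pam_krb5 and pam_ldap are only consulted when pam_unix returns `ignore`; and in the auth group, the trailing `required pam_deny.so` is what turns "every sufficient module declined" into a denial rather than a silent success.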




More information about the redhat-list mailing list