[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Authentication/Login using Windows 2003 R2 Active Directory

This is what you said Scott Ruckh
> I have the following configuration:
> /etc/openldap/ldap.conf
> BASE            ou=LNXUSERS,dc=example,dc=com
> URI             ldap://
> HOST            adsvr.example.com
> TLS_REQCERT demand
> TLS_CACERT /etc/openldap/cacerts/exampleCA.pem
> /etc/ldap.conf
> host            adsvr.example.com
> uri             ldap://
> scope           sub
> timelimit       30
> binddn adlookup example com
> bindpw secret
> tls_checkpeer no
> ssl start_tls
> nss_base_passwd         ou=LNXUSERS,dc=example,dc=com?sub
> nss_base_shadow         ou=LNXUSERS,dc=example,dc=com?sub
> nss_base_group
> ou=LNXUSERS,dc=example,dc=com?sub?&(objectCategory=group)(gidnumber=*)
> nss_map_objectclass posixAccount        user
> nss_map_objectclass shadowAccount       user
> nss_map_objectclass posixGroup          group
> nss_map_attribute gecos                 name
> nss_map_attribute homeDirectory         unixHomeDirectory
> pam_password ad
> This configuration works without sending bind user's name and password
> over the wire in clear text, and works for logging in from the local
> console, but it does not work for ssh logins.
> It looks like the user authenticates, but then receives a connection
> closed message.  The /var/log/messages only shows a pam_krb5 message
> stating, "authentication succeeds for 'aduser' (aduser EXAMPLE COM)".
> As the active directory user can login from local console I assume
> /etc/krb5.conf, /etc/nsswitch.conf, and /etc/pam.d/system-auth are
> configured correctly.  I am guessing there is a problem possibly with
> /etc/pam.d/sshd or /etc/ssh/ssh_config file.
> Does anyone have any idea what is going on and how to get ssh logins
> working?
> Thanks.

By making the file /etc/pam.d/system-auth look like the following
everything appears to work.

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account [ignore=ignore success=done default=die]
/lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_krb5.so
account [default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
session optional /lib/security/$ISA/pam_ldap.so

I still need to do much more testing with this configuration to ensure
everything works, but local and active directory users can log in from the
local console and from ssh sessions with the above configuration.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]