Linux-AD Integration With Windows Server 2003 R2

Anything that used “” angle brackets in the message above is invisible. I assume due to being interpreted as HTML tags.

after rkt should be the name of the keytab file that was copied from Windows server to Linux server.

In the pam_ldap error the correct information from AD is returned for CN, OU, and DC.

Thanks.
Scott

I tried the following with ktpass:

ktpass -princ host/[email protected] -mapuser RUCKH\VMLNX01$ -crypto DES-CBC-MD5 -pass * -p type KRB5_NT_PRINCIPAL -out vmlnx01.keytab

Targeting domain controller: gemneyedc.ruckh.net
Successfully mapped host/vmlnx01.ruckh.net to VMLNX01$.
Type the password for host/vmlnx01.ruckh.net:
Type the password again to confirm:
WARNING: Account VMLNX01$ is not a user account (uacflags=0×1021).
WARNING: Resetting VMLNX01$’s password may cause authentication problems if VMLNX01$ is being used as a server.

Reset VMLNX01$’s password [y/n]? y
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to vmlnx01.keytab:
Keytab version: 0×502
keysize 59 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0×3 (DES-CBC-MD5) keylength 8 (0x73465d2376587a5e)

Are those errors correct?

Then on the linux side:

ktutil
ktutil: rkt /home/sruckh/vmlnx01.keytab
ktutil: list
slot KVNO Principal
—- —- ———————————————————————
1 2 host/[email protected]
ktutil: wkt /etc/krb5.keytab
ktutil: q

My comment about the krb5.keytab file was that your instructions do not say to append the contents to the /etc/krb5.keytab file but to copy the file created by keypass to the /etc/krb5.keytab file. If you have several linux machines you would just be over writing the /etc/krb5.keytab file. Is that correct? I thought the the above method was correct for adding additional servers to the keytab file?

The “cn” value in my Active Directory for the account I am testing is the full name, “First Middle-initial Last”. The actually account I am trying to log in with shows up in AD as msSFU30Name, sAmAccountName and uid.

I am still trying to wrap my head around all this stuff. Especially the kerberos stuff. I have been able to do simple LDAP queries with the LDAP tools. I obviously do not have the login stuff working, although I know the query is happening, and the correct account is being found.

Thanks.
Scott

if I run:

ldapsearch -x -W -D “cn=scout,cn=Users,dc=ruckh,dc=net ” -LLL “(sAMAccountName=lnxacct)”

(where the user scout is the account created to browse the AD for my LDAP searches, and lnxacct is the account set up in AD for Unix authorization)

I get a whole bunch of LDAP information returned from AD about the account lnxacct. All which appears to be the correct information.

When I try ssh lnxacct@localhost, I get prompted for password, I type in correct password and receive the Access denied error.

I can see that the user scout was successfully logged into AD from the Windows security logs, and it obviously retrieved some information from AD because the pam_LDAP error contains information (dn and cn for the account lnxacct) from AD for the account lnxacct which could only be received from AD.

I assume that this means LDAP is at least partially working.

This leads me to believe that the most likely problem is with my nss_map statements in my /etc/ldap.conf.

Your guide is one of very few which I have seen for Win2k3 R2. I am curious where you found which nss_map directives are necessary. Did you use the one straight from the RFC-2307 section of the /etc/ldap.conf file? As they are significantly different then ones used when using Win2k/2k3 w/SFU 3.5, I am just wondering if I am missing anything.

I see in your /etc/ldap.conf file you have:

nss_map_attribute uniqueMember member

I will not pretend to understand LDAP, and these nss_map statements, but I have no field, member, in my AD database. The closest field I see is memberOf.

I do not understand the nss_map_objectclass directives. Is that somehow using the objectClass field in AD schema? If so I do have user in that field and that would make some sense.

I assume I am very close, but yet not close enough.

Do you have any suggestions?

The bind account seems to be working fine. As I mentioned before when I attempt to log in from a Linux box using AD account configured for authentication I see the bind user successfully loggin in by way of looking at the Windows’ Security Logs.

The error returned in /var/log/messages is:

Aug 3 11:17:49 lnxhost sshd[9148]: pam_ldap: error trying to bind as user “CN=First M. Last,OU=LNXUSERS_USERS,OU=LNXUSERS,DC=my,DC=domain” (Invalid credentials)

Obviously the bind account went out to AD and found the correct account. That information about the OUs could only be obtained from talking to AD. My assumption then is that the bind account is working, and pam_ldap is at least talking to AD.

I can also issue:

ldapsearch -x -D “cn=scout,cn=Users,dc=ruckh,dc=net” -w secretpasswd

and all of the information about the user, “scout”, is returned.

Again, this appears to be a good sign. It looks like my Linux box and AD are at least having a conversation and are commuicating properly.

Now the question, is why is the authentication not working.

The error states Invalid Credentials. I have tried many times with different passwords but the results stay the same. I have reset passwords for the User who is configured for authentication and for the bind account. Again, the results remain the same.

The commands `getent passwd’ and ‘id username’ do not work, or better state,do not work for LDAP user(s).

my /etc/ldap.conf looks like the following:

host x.x.x.x
base ou=myOu,dc=my,dc=domain
uri ldap://host.my.domain/
binddn [email protected]
bindpw myPassword
scope sub
ssl no
nss_base_passwd dc=my,dc=domain?sub
nss_base_shadow dc=my,dc=domain?sub
nss_base_group dc=my,dc=domain?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
pam_password ad
nss_map_attribute userPassword authPassword

Slightly different then what you had, but I believe I had a version which was more or less identical to yours, and I had the same results.

I am using nss_ldap-226-10 on CentOS 4.3 i386.

My clock synchronization is not perfect (Virtual Machine problem), but AD server and Linux machine are within a minute of one another.

I am using pam_mkhomedir.so, but I do not think I am making it that far. It looks like the password I type in via SSH does not match whatever information is received from AD.

I am sure I am close, but I can not readily locate the error.

Thanks for your time and help.

scott,

I installed the Server for NIS, but I didn’t do anything with it, and when I go to the “Unix Attributes”, everything is greyed out until I select sso (which is my domain and I guess NIS name). Is it merely a formality so you can access everything else below, or is NIS somehow actually involved in this?

You say:

“After all the user accounts have been configured, then we are ready to perform the additional tasks within Active Directory and on the Linux server that will enable the authentication.”

Should each of my accounts have the same “10000″ value or do I just make up new numbers arbitrarily for each of them?
Should I leave the “Primary Group name/GID” blank in all of them (if my limited linux knowledge is correct this GID setting is often set to the same value as the UID)?

Thanks,

Ron

I have the following configuration:

/etc/openldap/ldap.conf

BASE ou=LNXUSERS,dc=example,dc=com
URI ldap://1.1.1.1/
HOST adsvr.example.com
TLS_REQCERT demand
TLS_CACERT /etc/openldap/cacerts/exampleCA.pem

/etc/ldap.conf

host adsrv.example.com
uri ldap://1.1.1.1
scope sub
timelimit 30

binddn [email protected]
bindpw secret

tls_checkpeer no
ssl start_tls

nss_base_passwd ou=LNXUSERS,dc=example,dc=com?sub
nss_base_shadow ou=LNXUSERS,dc=example,dc=com?sub
nss_base_group ou=LNXUSERS,dc=example,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory

pam_password ad

This configuration works without sending bind user’s name and password over the wire in clear text, and works for logging in from the local console, but it does not work for ssh logins.

It looks like the user authenticates, but then receives a connection closed message. The /var/log/messages only shows a pam_krb5 message stating, “authentication succeeds for ‘aduser’ ([email protected])”.

Does anyone have any idea what is going on and how to get ssh logins working?

The following actually resolved the issue, but I am not sure what negative impact might be a side effect from the setting.

The default pam_unix line in /etc/pam.d/system-auth was changed to the following (everything on a single line).

account [ignore=ignore success=done default=die] /lib/security/$ISA/pam_unix.so broken_shadow

To answer your question, yes `id aduser’ and `getent passwd ad user’ worked correctly.

What I have in place is fuctionally working, but I need to do much more testing, and understand what ill effects the system-auth change might have.

I will post all the configs once I run this setup through some proper testing.

Thanks.

Okay
all the steps work, however seems that account to bind to LDAP has to be a memeber of admin group otherwise new accounts are not getting into the system properly.
This is the odd part, ldapsearch returns exact same info either it’s a mamber of admin group or not… however id “user” start working only if the ldapsearch account has been added to an admin group.

am i diong something wrong here? cause i would hate to leave ldap.conf with info that part of admin group.

thanks

Slowe,
originally i had 2000 domain, which was (i think properly) upgrqaded to 2003 and then 2000 domain con troller was dismissed. As i mentioned, ldapserach return *exact* results if i bind as a guest or as admin.
but for some reason… if i configure linux box to bind as user that has guest priviliges – ldapserach give all info back, however id “user” or getent “password” does not pulling coorect info.
once i change to bind as “admin” then id and getent works fine.

Also, i don’t think i have performed any specific lockdowns on AD in general.

thank you for your help.

Kiryl

Alright…. after spending many hours of trying to narrow down the issue i have end up with the following…. Fedora Core 3 boxes can authenticate with no problems at all, and they all can do “id USERNMAE” and get a proper result. The problem i’m having is with FC6 boxes. (note that firewall and selinux are disabled). Here is a funky part a user that belong to only one group in AD can be perfectly identified on the FC6 boxes, as soon as i make a user in Active directory to belong to more than one group, then FC6 boxes starting to act funky.
Again FC3 doing just fine…. and this is what happens on FC6:
#: id kiryl – get a proper response
#: id kiryl – get a proper response
#: id kiryl – Hanging

basically i do 3 requests one after another one and the third one hangs. This is very unusual and kinda funny to me. At first i was thinking that my AD was not set up properly but then i have noticed that FC3 boxes doing just fine and only FC6 boxes are funky. then i thought okay maybe setup on FC6 was wrong… yet this strange behaivour occurs…. may be there is something different in FC6 libraries or a bug?

On the AD, when i installed the “Unix Attributes” tab, everything there is greyed out, and i can only select NIS Domain to “”. What can i do ?

Sorry to post two in a row but here is another version of the same error

groupadd: /build/buildd/openldap2-2.1.30/libraries/liblber/sockbuf.c:82: ber_sockbuf_ctrl: Assertion `( (sb)->sb_opts.lbo_valid == 0×3 )’ failed.
addgroup: `/usr/sbin/groupadd -g 1001 test’ exited from signal 6. Exiting.

any help would be graetly apreciatted