Oct 16 02:24:38 krypton imaplogin: nss_ldap: reconnected to LDAP server ldap://192.168.90.254 after 1 attempt
Oct 16 02:25:37 krypton imaplogin: nss_ldap: could not connect to any LDAP server as cn=binder,ou=test,dc=ad,dc=harmony,dc=lan - Can’t contact LDAP server
Oct 16 02:25:37 krypton imaplogin: nss_ldap: failed to bind to LDAP server ldap://=: Can’t contact LDAP server
Oct 16 02:25:37 krypton imaplogin: nss_ldap: reconnected to LDAP server ldap://192.168.90.254
Oct 16 02:25:37 krypton imaplogin: nss_ldap: reconnecting to LDAP server…
Oct 16 02:25:38 krypton imaplogin: nss_ldap: reconnected to LDAP server ldap://192.168.90.254 after 1 attempt
Oct 16 02:25:38 krypton imaplogin: nss_ldap: reconnecting to LDAP server…
Oct 16 02:25:38 krypton imaplogin: nss_ldap: reconnected to LDAP server ldap://192.168.90.254 after 1 attempt

I have found that nscd is also causing lots of performance problems. I’m wondering if anyone else has these issues?

Excellent post!

I have used your instructions as the basis for our Centos 5.2 / 2k3R2 SSO solution and it works like a charm.

We do not actually join the linux clients to our domain. I vaguely remember you toying with this idea in one of your posts, but I cannot find the information. Just interested in the significance of this step?

We have a samba server (serving home directories) that I have joined to the AD so that winbind can perform the appropriate mappings (Note: idmap backend = ad works very well), but I don’t understand the need to join for our Centos 5.2 workstations (clients).

Regards,

John Zivkovic

I edited the line:

debug = true

inside the stanza named:

[appdefaults]

….. but when I go to /var/log/ there are not files there. Any idea how I can get verbose output of the kerberos or PAM actions/activity?

Thanks so much.

Any one cn jabber or email me at jason at sjobeck dot com.

Thanks so much again.

Cheers

Peace

Jason Sjobeck

Not sure if its just my environment or what but I was able to get password changing to work.

pam_krb5.so provides for all four pam sections. auth, account, password and session. Session destroys the ticket on logout. Not sure if this is a good thing or not? I guess I don’t really see the point for the session part because we don’t get a ticket…

Password is what provides the password changing. all you have to do is add a line for that. Also, you will need to make sure that the password for pam_unix.so is sufficient or at least not required.

It seems that if both modules are sufficient then it will use the correct one based on what type of account. Root can change the password of an AD user.. but you still need to know that persons current password. so no resetting of forgotten passwords.

Oh, and you use the “passwd” command for this. don’t use kpasswd.

Here is what I have in my pam.d/system-auth file
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password sufficient pam_krb5.so use_first_pass

The use_first_pass or try_first_pass should make it so the current user doesn’t need to provide the current password to change the password. But it doesn’t seem to work. Not sure why at this point. (maybe because we don’t get a tgt?)

Has anybody else done this? i’m using Gentoo…

Linux = Fedora 9 64-bit (all updates completed)
Windows = Server 2003 SP2 w/ SFU 3.5 (all updates completed)
Functionallity Level = 2003
Domain name has been changed to ‘ name ‘ using the same capitalization as the configs have.

—–krb5.conf—–

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = NAME.ORG
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
NAME.ORG = {
kdc = school-server.name.org:88
admin_server = school-server.name.org:749
default_domain = name.org
}

[domain_realm]
.name.org = NAME.ORG
name.org = NAME.ORG

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

——ldap.conf—–

host 192.168.0.7
base dc=name,dc=org
binddn dirsearch@name.org
bindpw p@ssw0rd
scope sub
ssl no
referrals no
nss_base_passwd dc=name,dc=org?sub
nss_base_shadow dc=name,dc=org?sub
nss_base_group dc=name,dc=org?sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn

—–system-auth—–

auth sufficient pam_krb5.so
auth required pam_deny.so

account sufficient pam_unix.so
account sufficient pam_krb5.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_deny.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so

—–nsswitch.conf—–

passwd: files ldap
shadow: files ldap
group: files ldap

hosts: files dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: nisplus

publickey: nisplus

automount: files nisplus
aliases: files nisplus

—–smb.conf—–

[global]
workgroup = NAME
server string = Name File Server
log file = /var/log/samba/log.%m
max log size = 50
security = ads
realm = NAME.ORG
use kerberos keytab = true
password server = school-server

—-TESTING Commands—–

[root@fedora9fs ~]# kinit Administrator@NAME.ORG
Password for Administrator@NAME.ORG:

[root@fedora9fs ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@NAME.ORG

Valid starting Expires Service principal
08/07/08 13:49:30 08/07/08 23:45:15 krbtgt/NAAME.ORG@NAME.ORG
renew until 08/08/08 13:49:30

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

[root@fedora9fs ~]# getent passwd Administrator
Administrator:ABCD!efgh12345$67890:0:10004:Administrator:/home/Administrator:/bin/sh

[root@fedora9fs ~]# net ads join -U Administrator
Enter Administrator’s password:
Failed to join domain: failed to create kerberos keytab

This problem has been very frustrating. I have reinstalled Fedora 9 and completed everything again and the same thing happens. If you have anything for me to try please, please help. This how-to is AWESOME and I’m sure it is something small and stupid that I am missing.

Thanks in advance,
~Josh

?????

Active Directory propagation delay. The host would get created, but then I couldn’t create the kerberos ticket because the Active Directory kerberos server didn’t yet know about the host. Solution: use the same server to create the host and create the key. Now I try to kerberos authenticate ssh from one host to another, delegating the TGT. Doesn’t work. Wireshark shows the kerberos server telling me there is no SPN host/fqdn - but an AD search shows HOST/fqdn right there. Obvious case mismatch (not). How do I tell the kerberos server to ignore case on the SPN? Nothing (it already does): just wait for that other KDC to get updated with the new KDC entry.

It asks for my password and returns expected information, but when I attempt to do a getent passwd [user@DOMAIN] it returns nothing. In /var/log/messages it gives me the following:
getent: nss_ldap: could not search LDAP server - Operations error

I’m kinda stumped as all of the ancilary tests appear to work, but I can’t do a getent. Is there a way to get nss_ldap to dump more info about the problem that it’s having?

If you set your client system to fully use AD managed DNS, the A records of the root domain (company.com) are all set to the AD servers. If you then spec just the root domain in the LDAP conn URI, it will get one of these servers. Not sure which, but always one of them.

And this is what can muck up referrals as well. If a referral happens, AD returns a URI that contains JUST the root domain name assuming you have the config above (yes, even if you queried a specific LDAP/AD server initially). If you don’t use AD managed DNS and you have not put a value in your hosts file for the root domain, the referral will fail.

Also, if you initially query an AD server that is a GC and do so on port 3268, it won’t ever do a referral.