cancel
Showing results for 
Search instead for 
Did you mean: 

LDAP Problems

Fernando Jose P de Souz
Regular Advisor

LDAP Problems

Hi,

I would like to authenticate in my HP-UX 11.23 windows users.
AD Server: Windows 2003 Server
Domain: ldap.teste
user: teste1

Output of commands and files in attach.

Wait

Fernando.

3 REPLIES
Fernando Jose P de Souz
Regular Advisor

Re: LDAP Problems



hpux /etc # cat krb5.conf
# Kerberos configuration
#
# see krb5.conf(4) for more details
#
[libdefaults]
default_realm = LDAP.TESTE
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5
ccache_type = 2
[realms]
LDAP.TESTE = {
kdc = ad2003.ldap.teste:88
admin_server = ad2003.ldap.teste
}
[domain_realm]
.ldap.teste = LDAP.TESTE
#
# End of krb5.conf
hpux /etc #

===============================================================

hpux /etc # cat /etc/nsswitch.conf
#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf. It
# uses LDAP (Lightweight Directory Access Protocol) in conjunction with
# dns & files.
#

passwd: files
group: files
hosts: dns files
networks: files
protocols: files
rpc: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
hpux /etc #

===============================================================

hpux /etc # cat pam.conf
#
# PAM configuration
#
# This pam.conf file is intended as an example only.
# see pam.conf(4) for more details
#
#
################################################################
# This sample file will authenticate the user who belongs to #
# either Kerberos or Unix system. Using this configuration file#
# if the user is authenticated through Kerberos then the Unix #
# authentication will not be invoked. However,if the Kerberos #
# authentication fails for the user, then the fallback #
# authentication mechanism PAM-Unix will be invoked to #
# authenticate the user.The assumption is the user is either #
# present in Kerberos or in Unix system. #
# #
# In case, the administrator wants the password for all the #
# users to be synchronous between Kerberos and Unix systems, #
# then the control flag should to be set to "required" for all #
# the entries with use_first_pass option set for pam_unix. #
# If password synchronization is optional then try_first_pass #
# option need to be set for pam_unix, so that the user can #
# login using the appropriate passwords. #
# #
# The module pam_hpsec(5) is stacked as mandatory module above #
# all the modules for making security checks before #
# authentication. #
################################################################
#
#
# Authentication management
#
login auth required libpam_hpsec.so.1
login auth sufficient libpam_krb5.so.1 debug
login auth required libpam_unix.so.1 try_first_pass
su auth required libpam_hpsec.so.1
su auth sufficient libpam_krb5.so.1
su auth required libpam_unix.so.1 try_first_pass
dtlogin auth required libpam_hpsec.so.1
dtlogin auth sufficient libpam_krb5.so.1
dtlogin auth required libpam_unix.so.1 try_first_pass
dtaction auth required libpam_hpsec.so.1
dtaction auth sufficient libpam_krb5.so.1
dtaction auth required libpam_unix.so.1 try_first_pass
ftp auth required libpam_hpsec.so.1
ftp auth sufficient libpam_krb5.so.1
ftp auth required libpam_unix.so.1 try_first_pass
OTHER auth required libpam_unix.so.1
#
# Account management
#
login account required libpam_hpsec.so.1
login account sufficient libpam_krb5.so.1
login account required libpam_unix.so.1
su account required libpam_hpsec.so.1
su account sufficient libpam_krb5.so.1
su account required libpam_unix.so.1
dtlogin account required libpam_hpsec.so.1
dtlogin account sufficient libpam_krb5.so.1
dtlogin account required libpam_unix.so.1
dtaction account required libpam_hpsec.so.1
dtaction account sufficient libpam_krb5.so.1
dtaction account required libpam_unix.so.1
ftp account required libpam_hpsec.so.1
ftp account sufficient libpam_krb5.so.1
ftp account required libpam_unix.so.1
OTHER account required libpam_unix.so.1
#
# Session management
#
login session required libpam_hpsec.so.1
login session sufficient libpam_krb5.so.1
login session required libpam_unix.so.1
dtlogin session required libpam_hpsec.so.1
dtlogin session sufficient libpam_krb5.so.1
dtlogin session required libpam_unix.so.1
dtaction session required libpam_hpsec.so.1
dtaction session sufficient libpam_krb5.so.1
dtaction session required libpam_unix.so.1
OTHER session required libpam_unix.so.1
#
# Password management
#
login password required libpam_updbe.so.1
login password required libpam_hpsec.so.1
login password required libpam_krb5.so.1 debug
login password required libpam_unix.so.1
#
##login password required libpam_hpsec.so.1
##login password sufficient libpam_krb5.so.1
##login password required libpam_unix.so.1
passwd password required libpam_hpsec.so.1
passwd password sufficient libpam_krb5.so.1
passwd password required libpam_unix.so.1
dtlogin password required libpam_hpsec.so.1
dtlogin password sufficient libpam_krb5.so.1
dtlogin password required libpam_unix.so.1
dtaction password required libpam_hpsec.so.1
dtaction password sufficient libpam_krb5.so.1
dtaction password required libpam_unix.so.1
OTHER password required libpam_unix.so.1
hpux /etc #

================================================================

hpux /etc # cat pam_user.conf
#
# This file defines PAM configuration for a user. The configuration
# here overrides pam.conf.
#
# The format for each entry is:
# user_name module_type module_path options
#
# For example:
#
# user_a auth /usr/lib/security/$ISA/libpam_unix.so.1 debug
# user_a auth /usr/lib/security/$ISA/libpam_dce.so.1 try_first_pass
# user_a password /usr/lib/security/$ISA/libpam_unix.so.1 debug
#
# user_b auth /usr/lib/security/$ISA/libpam_unix.so.1 debug use_psd
# user_b password /usr/lib/security/$ISA/libpam_unix.so.1 debug use_psd
#
#
# Note: For PA applications /usr/lib/security/.so.1
# should be a symbolic link to an appropriate PA PAM module.
#
# See the pam_user.conf(4) manual page for more information
#
root auth /usr/lib/security/libpam_krb5.so.1 ignore
root password /usr/lib/security/libpam_krb5.so.1 ignore
hpux /etc #

=================================================================

hpux /etc # kinit teste1
Password for teste1@LDAP.TESTE:

hpux /etc # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: teste1@LDAP.TESTE

Valid starting Expires Service principal
12/07/08 10:33:58 12/07/08 20:33:58 krbtgt/LDAP.TESTE@LDAP.TESTE
hpux /etc #

==================================================================

hpux /etc # swlist -l bundle | grep -i krb
KRB5CLIENT D.1.6.2 Kerberos V5 Client Version 1.6.2
hpux /etc #

==================================================================

hpux /etc # ll /etc/krb5.keytab
-rw------- 1 root sys 72 Dec 4 18:32 /etc/krb5.keytab

hpux /etc # strings /etc/krb5.keytab
LDAP.TESTE
host
hpux.ldap.teste
6GEJP
hpux /etc #

==================================================================

syslog.log

Dec 5 16:37:47 hpux sshd[7555]: Invalid user teste1 from 100.100.100.161
Dec 5 16:37:47 hpux sshd[7555]: Failed none for invalid user teste1 from 100.100.100.161 port 55197 ssh2
Dec 5 16:37:52 hpux sshd[7555]: error: PAM: No account present for user for illegal user teste1 from 100.100.100.161
Dec 5 16:37:52 hpux sshd[7555]: Failed keyboard-interactive/pam for invalid user teste1 from 100.100.100.161 port 55197 ssh2
Dec 5 16:38:08 hpux sshd[7555]: error: PAM: No account present for user for illegal user teste1 from 100.100.100.161
Dec 5 16:38:08 hpux sshd[7555]: Failed keyboard-interactive/pam for invalid user teste1 from 100.100.100.161 port 55197 ssh2
Dec 5 15:58:22 hpux login: [No account present for user] Password not valid
Dec 5 17:16:58 hpux sshd[13657]: Did not receive identification string from UNKNOWN
Dec 5 17:20:48 hpux sshd[14158]: Invalid user teste1 from 100.100.100.161
Dec 5 17:20:48 hpux sshd[14158]: Failed none for invalid user teste1 from 100.100.100.161 port 39946 ssh2
Dec 5 17:20:53 hpux sshd[14158]: error: PAM: No account present for user for illegal user teste1 from 100.100.100.161
Dec 5 17:20:53 hpux sshd[14158]: Failed keyboard-interactive/pam for invalid user teste1 from 100.100.100.161 port 39946 ssh2

===================================================================

hpux / # swlist -l product| grep -i kerb
KRB5-Client B.11.23 Kerberos V5 Client Version 1.0
PAM-Kerberos C.01.24 PAM-Kerberos Version 1.24
krb5client D.1.6.2 Kerberos V5 Client Version 1.6.2
hpux / #

===================================================================

Noe M Hoyos
Occasional Visitor

Re: LDAP Problems

Fernando,
Did you get feedback on this issue? I am facing a similar problem and I am interested in a possible solution.
Johnson Punniyalingam
Honored Contributor

Re: LDAP Problems

Hi Fernando

http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1381465


The above link contains links to manuals, a cookbook whitepaper on setting it up, notes on Kerberos / pam configuration, and notes about Windows (release, rights and so on).

Might be of use.

Thanks,
Johnson
Problems are common to all, but attitude makes the difference