Operating System - HP-UX
Neil Camp_6
Occasional Advisor

LDAPUX and Active Directory

Hello all,

I have tried to get an HPUX client to authenticate with an AD server. I feel like I have followed the instructions from J4269-90017 (Installing and Administering LDAP-UX Client Services with Microsoft Windows 2000 Active Directory, Edition 3) to the letter. I login with a dummy user as follows...

login: hpuser1
Password:
System Password:

and it says login incorrect, and I get this in my debug log (I have turned login debugging up to try and figure this out):

Nov 13 17:15:46 edi login: pam_krb5: pam_sm_authenticate() begin
Nov 13 17:15:46 edi login: username [hpuser1] obtained
Nov 13 17:15:49 edi login: when parsing name [hpuser1]
Nov 13 17:15:49 edi login: [No account present for user] Password not valid
Nov 13 17:15:49 edi login: pam_krb5: pam_sm_authenticate() end, retval = 13
Nov 13 17:15:49 edi login: pam_authenticate: error No account present for user

The user does exist on the AD server, and I did a generic ldapsearch for the user and it returned the user info. I am stumped at this point. Does anyone have any suggestions?
Michael Elleby III_1
Trusted Contributor

Re: LDAPUX and Active Directory

Hello Neil-

It's funny, I'm working on the same exact type of issue.

Couple of questions:

1. Review your pam.conf file. What is pam using to authenticate your user? Is it configured to use LDAP?

2. Is your /etc/nsswitch.conf file set up properly, i.e. for passwd and group is it using a valid search order, e.g. LDAP, files?

Mike-
Knowledge Is Power
Neil Camp_6
Occasional Advisor

Re: LDAPUX and Active Directory

The nsswitch.conf was "files ldap" for passwd and group. I did switch it, but it did not make a difference. The pam.conf has this example entry:
login auth sufficient /usr/lib/security/libpam_krb5.1 debug
login auth required /usr/lib/security/libpam_unix.1 try_first_pass

What is the next step to be checking?
Michael Elleby III_1
Trusted Contributor

Re: LDAPUX and Active Directory

Hey Neil-

Ok, my next question. When was the last time you executed the /opt/ldapux/config/get_profile_entry to download the config profile from AD?

Mike-
Knowledge Is Power
Neil Camp_6
Occasional Advisor

Re: LDAPUX and Active Directory

I have updated the profile, but I still get the following in my logs...

Nov 15 14:01:39 edi pwgrd: pid:766 - getpwnam.c:430:ldapent_to_pwent(): Primary group id number missing or access denied.
Nov 15 16:01:39 edi login: pam_krb5: pam_sm_authenticate() begin
Nov 15 16:01:39 edi login: username [hpuser1] obtained
Nov 15 16:01:41 edi login: when parsing name [hpuser1]
Nov 15 16:01:41 edi login: [No account present for user] Password not valid
Nov 15 16:01:41 edi login: pam_krb5: pam_sm_authenticate() end, retval = 13
Nov 15 16:01:41 edi login: pam_authenticate: error No account present for user
Nov 15 16:01:45 edi login: pam_authenticate error
Nov 15 16:01:45 edi login: pam_krb5: pam_sm_acct_mgmt() begin
Nov 15 16:01:45 edi login: pam_krb5: pam_sm_acct_mgmt() end, retval = 0
Nov 15 16:01:45 edi login: pam_acct_mgmt: error No account present for user

What's the next step?
James Murtagh
Honored Contributor

Re: LDAPUX and Active Directory

Hi Neil,

I'm not sure if the installation guide mentions this, but the HP-UX system is not in trusted mode, is it? Trusted mode does not support LDAP-UX as it uses a proprietary database. To check if the system is trusted, check for the existence of the /tcb directory using "ll -d /tcb". If the directory exists then the system is trusted. If you find it is and need to unconvert it, use "/usr/lbin/tsconvert -r".

Regards,

James.
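The three pre-flight checks raised so far (trusted mode via /tcb, the passwd/group order in nsswitch.conf, and a libpam_krb5 line in the login auth stack) are easy to get wrong by eye, so here they are as small POSIX sh functions. This is an added example and not something posted in the thread or shipped with LDAP-UX; the functions take file paths (and a root directory for the /tcb test) so they can be run against copies of the files, and the demo tree they build with mktemp is constructed from the two pam.conf lines posted above plus an assumed nsswitch.conf.

```shell
#!/bin/sh
# Pre-flight checks for an LDAP-UX / pam_krb5 client (added example, not part of
# the thread). Every check takes a path so it can be run against copies of the
# real files; pass "/" as ROOT to check the live system.

# is_trusted_mode ROOT: HP-UX trusted mode keeps its database under /tcb, and
# LDAP-UX does not work on a trusted system. True when ROOT/tcb exists.
is_trusted_mode() {
    [ -d "${1%/}/tcb" ]
}

# nss_source_order FILE DATABASE: print the lookup order (e.g. "ldap files")
# for DATABASE from an nsswitch.conf-style file, with comments stripped.
nss_source_order() {
    sed -e 's/#.*//' "$1" | awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# nss_uses_ldap FILE DATABASE: true when "ldap" appears in that database's order.
nss_uses_ldap() {
    case " $(nss_source_order "$1" "$2") " in
        *" ldap "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# pam_auth_stack FILE SERVICE: print "control module" for each auth line of SERVICE.
pam_auth_stack() {
    sed -e 's/#.*//' "$1" | awk -v svc="$2" '$1 == svc && $2 == "auth" { print $3, $4 }'
}

# pam_auth_has FILE SERVICE PATTERN: true when an auth line's module matches PATTERN.
pam_auth_has() {
    pam_auth_stack "$1" "$2" | grep -q "$3"
}

# preflight_report ROOT: print PASS/FAIL lines in the style of pamkrbval; the
# return status is non-zero when any check failed.
preflight_report() {
    root=${1%/}; fails=0
    if is_trusted_mode "$root"; then
        echo "[FAIL] : system is in trusted mode (tcb present); LDAP-UX needs /usr/lbin/tsconvert -r"
        fails=$((fails + 1))
    else
        echo "[PASS] : system is not in trusted mode"
    fi
    for db in passwd group; do
        if nss_uses_ldap "$root/etc/nsswitch.conf" "$db"; then
            echo "[PASS] : nsswitch $db order: $(nss_source_order "$root/etc/nsswitch.conf" "$db")"
        else
            echo "[FAIL] : nsswitch $db does not include ldap"
            fails=$((fails + 1))
        fi
    done
    if pam_auth_has "$root/etc/pam.conf" login libpam_krb5; then
        echo "[PASS] : login auth stack includes libpam_krb5"
    else
        echo "[FAIL] : login auth stack has no libpam_krb5 entry"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# make_demo_tree DIR: build a constructed etc/ tree so the checks can be
# exercised without touching the real system files.
make_demo_tree() {
    mkdir -p "$1/etc"
    cat > "$1/etc/nsswitch.conf" <<'EOF'
# constructed sample: passwd/group order after it was switched to ldap first
passwd: ldap files
group:  ldap files
hosts:  files dns
EOF
    cat > "$1/etc/pam.conf" <<'EOF'
# constructed sample using the two login auth lines posted in the thread
login auth sufficient /usr/lib/security/libpam_krb5.1 debug
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
EOF
}

# Stand-alone demo against the constructed tree (prints three PASS lines).
demo=$(mktemp -d) && make_demo_tree "$demo" && preflight_report "$demo"
rm -rf "$demo"
```

Run it with `preflight_report /` on the client itself; the /tcb check is the one James describes with "ll -d /tcb", only scripted.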
Michael Elleby III_1
Trusted Contributor

Re: LDAPUX and Active Directory

Neil-

I like the point that James made about the system being trusted, but with that,

You stated earlier if you did a standard ldap search, the user exists, but since the log you showed me points to Kerberos authentication...

Two things:

1 - Look at the /etc/krb5.conf file and confirm its configuration (i.e. location of the KDC server, if not the same host)

2 - Was your /etc/krb5.keytab file created correctly (i.e. using the ktpass command)?

Mike

Knowledge Is Power
Neil Camp_6
Occasional Advisor

Re: LDAPUX and Active Directory

The system in question is currently not trusted. I did not create the krb5.keytab, but I was assured (by the NT admin) that he used ktpass correctly. In any case, what should I be looking for if I create another key? The krb5.conf file does point to the same server (AD/LDAP and KDC). The keytab might be the problem; any other suggestions? I am new to Kerberos. I do believe that the problem is Kerberos related, since I can do an LDAP lookup of the user with a returned result. For reference, here is my keytab.conf (edited for security):

default_realm = DOMAIN
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ccache_tpye = 2
[realms]
DOMAIN = {
kdc = 172.16.x.x:88
kpasswd_server = 172.16.x.x:464
}
[domain_realm]
domain = DOMAIN
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

domain is fully qualified.
Suggestions? Thanks for the help thus far, I just hope we can track this down.
Neil Camp_6
Occasional Advisor

Re: LDAPUX and Active Directory

I hope there is someone out there still reading. I have fiddled with the keytab and krb5.conf and now I have a new error, but at least it looks like it is trying to communicate with the KDC server now:

Nov 19 16:14:04 edi login: username [hpuser1] obtained
Nov 19 16:14:09 edi login: [Decrypt integrity check failed] Unable to verify host ticket
Nov 19 16:14:09 edi login: [Decrypt integrity check failed] can't verify v5 ticket: ; keytab found, assuming failure
Nov 19 16:14:09 edi login: while verifying tgt[Unknown code ____ 255]
Nov 19 16:14:09 edi login: [Authentication failed] Password not valid
Nov 19 16:14:09 edi login: pam_krb5: pam_sm_authenticate() end, retval = 9
Nov 19 16:14:09 edi login: pam_authenticate: error Authentication failed

any ideas??
Doug Lamoureux_2
Valued Contributor

Re: LDAPUX and Active Directory

I think you may have a couple of problems. The 1st problem I see is:

Nov 15 14:01:39 edi pwgrd: pid:766 - getpwnam.c:430:ldapent_to_pwent(): Primary group id number missing or access denied.

This tells me that NSS_LDAP is unable to retrieve the gidNumber attribute from the user's object.

AND:

Nov 13 17:15:49 edi login: pam_authenticate: error No account present for user

tells me that the PAM module can't find the user's "passwd" entry (not the password).

Some questions:

Have you configured a Proxy User correctly?

Use:
/opt/ldapux/config/ldap_proxy_config -v
to verify.

Does pwget -n hpuser1 return anything? If not, then LDAP-UX cannot find the user.

What version of SFU (Services for Unix) is installed on Active Directory? The LDAP-UX configuration profile needs to be "tweaked" to work with SFU 3.0 (Microsoft changed the "POSIX" Attribute names)

To verify Kerberos:

# kinit hpuser1

This will verify that a user can authenticate against the Win2K KDC (AD) using Kerberos (assuming you use the correct password).

-> As root:
# kinit -k

This will verify that the "host" principal and keytab (/etc/krb5.keytab) have been created properly. Here's an example of what you should see:

# uname -a
HP-UX hpatcux1 B.11.00 U 9000/800 1144019648 unlimited-user license
# kinit dougl
Password for dougl@HPATC.HP.COM:
# klist
Ticket cache: /tmp/krb5cc_0
Default principal: dougl@HPATC.HP.COM

Valid starting Expires Service principal
11/19/02 17:33:28 11/19/02 18:30:46 krbtgt/HPATC.HP.COM@HPATC.HP.COM
# kdestroy
# kinit -k
# klist
Ticket cache: /tmp/krb5cc_0
Default principal: host/hpatcux1.xxx.com@HPATC.HP.COM

Valid starting Expires Service principal
11/19/02 17:33:40 11/19/02 18:30:56 krbtgt/HPATC.HP.COM@HPATC.HP.COM


If you have version 1.10 of Pam_Kerberos there is a tool:
/usr/sbin/pamkrbval
that you can use to validate your PAM Kerberos configuration:

# /usr/sbin/pamkrbval

Validating the pam configuration files
---------- --- --- ------------- -----

Validating the /etc/pam.conf file
[PASS] : The validation of config file: /etc/pam.conf passed

[NOTICE] : The validation of config file: /etc/pam_user.conf is not done
as libpam_updbe library is not configured

Validating the kerberos config file
---------- --- -------- ------ -----
[PASS] : Initialization of kerberos passed

Connecting to default Realm
---------- -- ------- -----
[PASS] : Default Realm is issuing tickets

Validating the keytab entry for the host service principal
---------- --- ------ ----- --- --- ---- ------- ---------
[PASS] : The keytab validation is successful
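Doug's reply separates the two failures in this thread, an NSS lookup problem (missing gidNumber, "No account present for user") and a Kerberos keytab problem ("Decrypt integrity check failed"), and pairs each with a check to run next. The script below turns that triage into POSIX sh functions that classify the syslog lines posted above and pick the class to fix first. It is an added example, not code from the thread or from LDAP-UX; the sample log embedded in it is constructed from the lines Neil posted, and the suggested checks are exactly the ones named in this thread (pwget, ldap_proxy_config -v, get_profile_entry, kinit, kinit -k, ktpass, pamkrbval).

```shell
#!/bin/sh
# Triage of login/pwgrd syslog lines from a pam_krb5 + LDAP-UX client
# (added example, not part of the thread).

# classify_pam_krb5_line LINE: map one syslog line to a triage class. Patterns
# are ordered most specific first, because "[No account present for user]
# Password not valid" also contains the generic "Password not valid" text.
classify_pam_krb5_line() {
    case "$1" in
        *"Primary group id number missing or access denied"*)            echo nss_missing_gid ;;
        *"No account present for user"*)                                 echo nss_user_not_found ;;
        *"Decrypt integrity check failed"*|*"Unable to verify host ticket"*) echo keytab_mismatch ;;
        *"Password not valid"*|*"Authentication failed"*)                echo auth_failed ;;
        *"retval = 0"*)                                                  echo ok ;;
        *)                                                               echo unclassified ;;
    esac
}

# rank_of CLASS: lower rank is fixed first. Identity lookup (NSS) comes before
# Kerberos, since PAM cannot authenticate an account it cannot resolve.
rank_of() {
    case "$1" in
        nss_missing_gid)    echo 1 ;;
        nss_user_not_found) echo 2 ;;
        keytab_mismatch)    echo 3 ;;
        auth_failed)        echo 4 ;;
        *)                  echo 9 ;;
    esac
}

# next_check CLASS: the check from the thread to run for that class.
next_check() {
    case "$1" in
        nss_missing_gid)    echo "gidNumber not returned: run /opt/ldapux/config/ldap_proxy_config -v and pwget -n <user>; check the SFU 3.0 attribute names in the profile" ;;
        nss_user_not_found) echo "passwd entry not found: run pwget -n <user>; check nsswitch.conf and re-run /opt/ldapux/config/get_profile_entry" ;;
        keytab_mismatch)    echo "host keytab does not match the KDC: run kinit -k as root; regenerate /etc/krb5.keytab with ktpass; run /usr/sbin/pamkrbval" ;;
        auth_failed)        echo "KDC rejected the credentials: run kinit <user> to test the password directly" ;;
        *)                  echo "no known pattern in the log" ;;
    esac
}

# triage_log: read log lines on stdin and print the class to fix first.
triage_log() {
    best=9; bestclass=none
    while IFS= read -r line; do
        c=$(classify_pam_krb5_line "$line")
        r=$(rank_of "$c")
        if [ "$r" -lt "$best" ]; then best=$r; bestclass=$c; fi
    done
    echo "$bestclass"
}

# Constructed sample: the lines posted earlier in this thread, in one log.
SAMPLE_LOG='Nov 15 14:01:39 edi pwgrd: pid:766 - getpwnam.c:430:ldapent_to_pwent(): Primary group id number missing or access denied.
Nov 15 16:01:41 edi login: [No account present for user] Password not valid
Nov 19 16:14:09 edi login: [Decrypt integrity check failed] Unable to verify host ticket
Nov 19 16:14:09 edi login: [Authentication failed] Password not valid'

# Stand-alone demo: prints the first class to fix and the matching check.
first=$(printf '%s\n' "$SAMPLE_LOG" | triage_log)
echo "fix first: $first"
next_check "$first"
```

On a live client, feed it the syslog file the login debug lines land in (for example `triage_log < /var/adm/syslog/syslog.log`), and clear the lowest-ranked class before re-testing, which is the order Doug lays out above.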



Michael Elleby III_1
Trusted Contributor

Re: LDAPUX and Active Directory

Neil-

Sorry I have not replied, but I've been busy with a disk in a stripe set that went belly up yesterday morning.

Mr. Lamoureux pointed at what I started thinking about after your last message (Proxy User).

I'd like to also see the results from Mr. Lamoureux's suggestions.

Mike-
Knowledge Is Power
Neil Camp_6
Occasional Advisor

Re: LDAPUX and Active Directory

Thanks for the suggestions. This has been sort of back-burnered for the moment. The 2000 server got hosed, and the admin I was working with on that side of the house has not had a chance to rebuild it. I will let you guys know how the new checklist goes as soon as I get a chance to work with it. Thanks guys. :)