
Linux PAM and Active Directory Integration issue

 
Vijaya Kumar_3
I am planning to authenticate my Linux systems through Active Directory. I have planned to use PAM_LDAP and NSS_LDAP. I think I made good progress. I edited my /etc/pam.d/system-auth and /etc/ldap.conf.

I am using a Red Hat Linux 7.2 system.

Here is my /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so

password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so nullok use_authtok
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so


I got this error when I tried to log in using an LDAP user account:

Dec 8 14:48:19 ht68f5 login(pam_unix)[5241]: check pass; user unknown
Dec 8 14:48:19 ht68f5 login(pam_unix)[5241]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Dec 8 14:48:19 ht68f5 login[5241]: pam_ldap: ldap_search_s Referral
Dec 8 14:48:21 ht68f5 login[5241]: FAILED LOGIN 1 FROM (null) FOR vij3347, Authentication failure


Any idea?

Thanks
Vijay
Known is a drop, unknown is ocean - visit me at http://vijay.theunixplace.com
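Before chasing the LDAP side, it is worth reading the posted system-auth the way a reviewer would. The script below is an added example, not code from the thread: it parses the stack quoted above (embedded as a constructed sample) and flags nullok, a sufficient chain that is not closed by pam_deny.so, and a use_first_pass module with nothing before it that could have prompted. The list of prompting modules is an assumption, kept short for the example.

```python
"""Lint a pam_unix + pam_ldap 'system-auth' stack like the one posted above.

Added example, not from the original thread. It parses the PAM file into its
management groups (auth/account/password/session) and reports:
  * 'nullok' on a module: an account with an empty password is accepted;
  * a 'sufficient' chain in auth/password that does not end in
    'required pam_deny.so';
  * a module using 'use_first_pass' with no earlier module in the same
    group that could have prompted for the password.
"""

# Constructed sample: the system-auth stack quoted in the post, verbatim.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so

password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so nullok use_authtok
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
"""

# Modules that prompt for a password themselves unless told to reuse one.
# Assumed, deliberately short list for this example.
PROMPTING_MODULES = {"pam_unix.so", "pam_ldap.so", "pam_krb5.so", "pam_cracklib.so"}


def parse_pam(text):
    """Return {group: [(control, module, args)]} in file order, comments stripped."""
    stack = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3:
            continue                      # blank, comment, or malformed line
        group, control, path = parts[0], parts[1], parts[2]
        module = path.rsplit("/", 1)[-1]  # '/lib/security/pam_unix.so' -> 'pam_unix.so'
        stack.setdefault(group, []).append((control, module, parts[3:]))
    return stack


def lint_pam(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    for group, entries in parse_pam(text).items():
        for idx, (control, module, args) in enumerate(entries):
            if "nullok" in args:
                findings.append(f"{group}: {module} has nullok (empty passwords accepted)")
            if "use_first_pass" in args:
                prompted = any(m in PROMPTING_MODULES and "use_first_pass" not in a
                               for _, m, a in entries[:idx])
                if not prompted:
                    findings.append(f"{group}: {module} uses use_first_pass but no earlier module prompts")
        if group in ("auth", "password") and any(c == "sufficient" for c, _, _ in entries):
            last_control, last_module, _ = entries[-1]
            if (last_control, last_module) != ("required", "pam_deny.so"):
                findings.append(f"{group}: sufficient chain is not closed by 'required pam_deny.so'")
    return findings


def drop_nullok(text):
    """The one mechanical fix: remove every 'nullok' token and leave the rest alone."""
    return "\n".join(" ".join(tok for tok in line.split() if tok != "nullok")
                     for line in text.splitlines()) + "\n"


if __name__ == "__main__":
    for finding in lint_pam(SAMPLE_SYSTEM_AUTH):
        print(finding)
```

Against the posted stack the only findings are the three nullok arguments. They have nothing to do with the Referral, but the one on the auth line lets pam_unix accept a local account whose password field is empty, so it is the first thing to remove once the LDAP login works.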
Huc_1

Hi, Vijay

Sorry, but did you do a slapadd for vij3347?
And is this user known?


J-P
Smile I will feel the difference
Vijaya Kumar_3

I forgot to mention, I have NSS_LDAP installed.

My /etc/nsswitch.conf says
passwd: files ldap
shadow: files ldap
group: files ldap
.....

My /etc/ldap.conf has the LDAP configuration.

Do you mean to say that my ID is not getting authenticated?

Thanks
Vijay
Vijaya Kumar_3

My exact question is:

Why does my pam_ldap return this error?

Dec 8 16:10:54 ht68f5 login[982]: pam_ldap: ldap_search_s Referral

Thanks
Vijay
Huc_1

Dec 8 14:48:21 ht68f5 login[5241]: FAILED LOGIN 1 FROM (null) FOR vij3347

No, what I mean is: is there an entry for vij3347,
is it seen?

And perhaps there are more messages in /var/log,

like /var/log/security?

J-P
Vijaya Kumar_3

Thanks Huc for reminding me...

I tried /var/log/messages. There is one more file, /var/log/secure.

It says...

Dec 8 16:13:48 ht68f5 login: pam_ldap: ldap_search_s Referral
Dec 8 16:13:48 ht68f5 login: User not known to the underlying authentication module
Dec 8 16:17:25 ht68f5 login: nss_ldap: could not search LDAP server - Referral

I think I have to check my LDAP configuration... Here is my LDAP configuration, /etc/ldap.conf:

# Your LDAP server. Must be resolvable without using LDAP.
host 10.168.145.10
ldap_version 3
base dc=doma.hex.local,dc=hex.local
binddn vij3347@domainjp02.hex.local
scope sub
ssl no
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password ad

nss_base_passwd ou=users,ou=hex.local,dc=hex.local,dc=local?one
nss_base_shadow ou=users,ou=hex.local,dc=hex.local,dc=local?one
nss_base_group ou=group,ou=hex.local,dc=hex.local,dc=local?one

#nss_map_objectclass posixAccount User
#nss_map_attribute uid sAMAccountName
#nss_map_attribute uniqueMember Member
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn sAMAccountName

I am able to ping the LDAP server.
I am even able to telnet to port 389.

Any clues?

Thanks
Vijay
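A static check of the /etc/ldap.conf above, added here as an example and not part of the original post. It never contacts the server; it reads the file text and compares the DNs in it with each other and with the domain that the binddn's UPN suffix implies. That inference (vij3347@domainjp02.hex.local meaning the naming context dc=domainjp02,dc=hex,dc=local) is an assumption, and so is the corrected sample at the end, whose ou=users is a placeholder for whatever container really holds the accounts. The facts it leans on: AD names its domain naming context one dc= RDN per DNS label, AD refuses a unicodePwd change over a connection that is not TLS-protected, and a search base that is not in a naming context the DC holds commonly comes back as a referral built from the dc= components rather than as an entry.

```python
"""Static checks for the pam_ldap/nss_ldap ldap.conf posted above.

Added example, not from the original thread. It parses the file text and
compares the DNs in it against each other and against the domain that the
binddn's UPN suffix implies (an assumption: user@domainjp02.hex.local is
taken to mean the naming context dc=domainjp02,dc=hex,dc=local).
"""

# Constructed sample: the /etc/ldap.conf quoted in the post.
SAMPLE_LDAP_CONF = """\
# Your LDAP server. Must be resolvable without using LDAP.
host 10.168.145.10
ldap_version 3
base dc=doma.hex.local,dc=hex.local
binddn vij3347@domainjp02.hex.local
scope sub
ssl no
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password ad
nss_base_passwd ou=users,ou=hex.local,dc=hex.local,dc=local?one
nss_base_shadow ou=users,ou=hex.local,dc=hex.local,dc=local?one
nss_base_group ou=group,ou=hex.local,dc=hex.local,dc=local?one
"""

# Constructed "after" version. ou=users is a placeholder for the real
# container; the dc= parts are what the binddn's domain implies.
CORRECTED_LDAP_CONF = """\
host 10.168.145.10
ldap_version 3
base dc=domainjp02,dc=hex,dc=local
binddn vij3347@domainjp02.hex.local
scope sub
ssl start_tls
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password ad
nss_base_passwd ou=users,dc=domainjp02,dc=hex,dc=local?one
nss_base_shadow ou=users,dc=domainjp02,dc=hex,dc=local?one
nss_base_group ou=users,dc=domainjp02,dc=hex,dc=local?one
"""

NSS_BASE_KEYS = ("nss_base_passwd", "nss_base_shadow", "nss_base_group")


def parse_ldap_conf(text):
    """Return {key: [values]} for 'key value' lines; comments and blanks skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return conf


def split_dn(dn):
    """'ou=Users,dc=hex,dc=local' -> [('ou','users'),('dc','hex'),('dc','local')].
    Unescaped DNs only, which is all an ldap.conf normally carries."""
    return [(a.strip().lower(), v.strip().lower())
            for a, _, v in (rdn.partition("=") for rdn in dn.split(","))]


def normalize_dn(dn):
    return ",".join(f"{a}={v}" for a, v in split_dn(dn))


def is_under(child, parent):
    """True if 'child' equals 'parent' or lies below it in the tree."""
    c, p = split_dn(child), split_dn(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def domain_to_dn(fqdn):
    """hex.local -> dc=hex,dc=local: one dc= RDN per DNS label, as AD names it."""
    return ",".join(f"dc={label}" for label in fqdn.lower().split("."))


def check_ldap_conf(text):
    """Return findings grouped by category; all four lists empty means clean."""
    conf = parse_ldap_conf(text)
    base = conf.get("base", [""])[0]
    binddn = conf.get("binddn", [""])[0]
    report = {"dotted_dc": [], "outside_base": [], "base_vs_binddn": [], "cleartext": []}

    for key in ("base",) + NSS_BASE_KEYS:
        for value in conf.get(key, []):
            dn = value.split("?", 1)[0]          # nss_ldap allows a '?scope' suffix
            dotted = [v for a, v in split_dn(dn) if a == "dc" and "." in v]
            if dotted:
                report["dotted_dc"].append(f"{key}: dc={dotted[0]} holds a dotted name, not one label")
            if key != "base" and base and not is_under(dn, base):
                report["outside_base"].append(f"{key}: {dn} is not under base {base}")

    if "@" in binddn:                            # UPN-style bind name, as AD accepts
        expected = domain_to_dn(binddn.rsplit("@", 1)[1])
        if normalize_dn(base) != expected:
            report["base_vs_binddn"].append(expected)

    uses_ad_pw = conf.get("pam_password", [""])[0].lower() == "ad"
    if conf.get("ssl", ["no"])[0].lower() == "no" and (binddn or uses_ad_pw):
        report["cleartext"].append("ssl no: binds cross the wire in clear text and AD refuses unicodePwd changes without TLS")
    return report


if __name__ == "__main__":
    for cat, items in check_ldap_conf(SAMPLE_LDAP_CONF).items():
        for item in items:
            print(f"[{cat}] {item}")
```

On the posted file every category fires: both DNs put a whole DNS name into one dc= value, the three nss_base_* lines sit outside the base, the base does not match the domain the binddn names, and the clear-text bind would also stop pam_password ad from ever changing a password. On the corrected sample nothing fires.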
Vijaya Kumar_3

BTW, I have that account in my Active Directory.

Thanks
Vijay
Huc_1

Vijay,

I would like to help you now but I have to leave for an appointment. I have opened my OpenLDAP doc and will try to help further if I am able when I return.

J-P

Huc_1

Vijay,

Have you made any progress on this, or is this still a problem?

J-P
Vijaya Kumar_3

Not yet...

Can you help me? I installed OpenLDAP locally and am trying to authenticate...

So I think I will make some points. I would really appreciate your help.

Thanks
Vijay
Huc_1

In my previous reply, the doc I talked about is the following.

http://www.openldap.org/doc/admin20/guide.html#A%20Quick-Start%20Guide

I am no expert in LDAP (but there is more in two heads than one), I just always hope to get around to using it one day.

It seems that the problem is identification by the PAM modules of the "string" that is passed...
It gets to that point, so I suppose the network part is good...

One of the things that I do when I have this kind of problem is to

modify /etc/syslog.conf with the following line to get all messages to the screen

*.* /dev/console

You have to run "# service syslogd restart" to make this active (make sure this does not disrupt your environment).

I then invoke the command

#xconsole &

from a GUI xterm logged in (su -) as root.

This opens a window where all messages that go to /var/log/* are redirected.

This allows me to test and see messages/errors as they happen!

I will read your reply this late afternoon, when I return..

Hope this helps

J-P
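The console redirect above gets the messages in front of you as they happen. What follows is an added example, not Huc's or Vijay's code, that does the next step on the lines already posted in this thread: parse the /var/log/secure entries, group them by host and PID, and say which layer turned the login away. The input is constructed from the lines quoted earlier; the syslog line shape and the message-to-layer mapping are assumptions made for this example.

```python
"""Triage pam_unix / pam_ldap / nss_ldap lines from /var/log/secure.

Added example, not from the original thread. It parses syslog lines of the
stock 'Mon DD HH:MM:SS host prog(mod)[pid]: msg' shape, groups them by host
and PID, and returns one verdict per login attempt saying which layer
rejected it. The message patterns are the ones that appear in this thread.
"""
import re

# Constructed sample: the lines quoted earlier in the thread.
SAMPLE_SECURE = """\
Dec 8 14:48:19 ht68f5 login(pam_unix)[5241]: check pass; user unknown
Dec 8 14:48:19 ht68f5 login(pam_unix)[5241]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Dec 8 14:48:19 ht68f5 login[5241]: pam_ldap: ldap_search_s Referral
Dec 8 14:48:21 ht68f5 login[5241]: FAILED LOGIN 1 FROM (null) FOR vij3347, Authentication failure
Dec 8 16:13:48 ht68f5 login: pam_ldap: ldap_search_s Referral
Dec 8 16:13:48 ht68f5 login: User not known to the underlying authentication module
Dec 8 16:17:25 ht68f5 login: nss_ldap: could not search LDAP server - Referral
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:(]+)(?:\((?P<mod>[^)]+)\))?(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Message -> event kind; the first matching pattern wins.
KINDS = [
    ("local_unknown",    re.compile(r"^check pass; user unknown$")),
    ("local_failure",    re.compile(r"^authentication failure;")),
    ("ldap_referral",    re.compile(r"^pam_ldap: ldap_search_s Referral$")),
    ("nss_referral",     re.compile(r"^nss_ldap: could not search LDAP server - Referral$")),
    ("pam_user_unknown", re.compile(r"^User not known to the underlying authentication module$")),
    ("failed_login",     re.compile(r"^FAILED LOGIN \d+ FROM \S+ FOR (?P<user>[^,]+),")),
]


def parse_secure(text):
    """Return one dict per recognised line: ts, host, prog, mod, pid, msg, kind, user."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                     # not a syslog line this example understands
        ev = m.groupdict()
        ev["kind"], ev["user"] = "other", None
        for kind, pat in KINDS:
            k = pat.match(ev["msg"])
            if k:
                ev["kind"] = kind
                ev["user"] = k.groupdict().get("user")
                break
        events.append(ev)
    return events


def diagnose(text):
    """Return {(host, pid): (user, verdict)}; pid is None for lines logged without one."""
    sessions = {}
    for ev in parse_secure(text):
        sessions.setdefault((ev["host"], ev["pid"]), []).append(ev)
    verdicts = {}
    for key, evs in sessions.items():
        kinds = {e["kind"] for e in evs}
        user = next((e["user"] for e in evs if e["user"]), None)
        if kinds & {"ldap_referral", "nss_referral"}:
            # The directory answered with a referral, never an entry:
            # a search-base problem, not a password problem.
            verdict = "REFERRAL"
        elif kinds & {"local_unknown", "pam_user_unknown"}:
            verdict = "UNKNOWN_USER"    # not in the local files, no directory error logged
        elif kinds & {"local_failure", "failed_login"}:
            verdict = "BAD_PASSWORD"    # the account was found; the credential was rejected
        else:
            verdict = "NO_FAILURE"
        verdicts[key] = (user, verdict)
    return verdicts


if __name__ == "__main__":
    for (host, pid), (user, verdict) in diagnose(SAMPLE_SECURE).items():
        print(f"{host} pid={pid} user={user}: {verdict}")
```

Both attempts in the sample come out as REFERRAL, which is the useful distinction: the "check pass; user unknown" from pam_unix is just the local files not knowing an LDAP-only account, and the login failed because the directory search returned a referral instead of the user's entry.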
Vijaya Kumar_3

Good point.

I tried auth.* /dev/console before. I hope that's not enough.

Let me try with *.* /dev/console and post the output.

Thanks for your help
Vijay