Authentication against LDAP is failing from Ubuntu clients if there is no local user account with the same name as in LDAP
- From: Thomas Keller <s2074135 [at] yahoo.com.au>
- To: "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Reply-to: Thomas Keller <s2074135 [at] yahoo.com.au>
- Subject: Authentication against LDAP is failing from Ubuntu clients if there is no local user account with the same name as in LDAP
- Date: Mon, 30 May 2016 16:20:28 +0000 (UTC)
Hi
I am trying to make our company's Ubuntu 14.04 clients authenticate against Active Directory 2008 using nss-pam-ldapd.
So far our AD users are not able to log in to the Ubuntu boxes, unless I create a local user account on the Ubuntu client with the same name as the LDAP/AD user. The local user account password and the LDAP account password are different.
If there is no local user account, the nslcd debug log tells me that I am using invalid credentials. If I create a local account on the Ubuntu client (with no password or a different password), the nslcd debug log tells me that authentication is successful and login is successful too.
An ldapsearch against Active Directory with the bind user and with the logging-in user is working.
getent passwd is not working, e.g. it only shows the /etc/passwd entries.
Error in nslcd debug: Invalid credentials: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772
Does anyone know what the problem could be?
Thank you for any help.
Thomas
output of nslcd debug log
========================================
# nslcd -d
nslcd: [b0dc51] <passwd="testaduser"> DEBUG: myldap_search(base="ou=2_ABCD,dc=abc,dc=example,dc=com", filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")
nslcd: [b0dc51] <passwd="testaduser"> DEBUG: ldap_result(): CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
nslcd: [b0dc51] <passwd="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: uidNumber: missing
nslcd: [b0dc51] <passwd="testaduser"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [495cff] DEBUG: connection from pid=2198 uid=0 gid=0
nslcd: [495cff] <passwd="testaduser"> DEBUG: myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com", filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_initialize(ldap://10.0.10.11)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_rebind_proc()
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_start_tls_s()
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_simple_bind_s("cn=binddn,ou=Int_Service,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com","***") (uri="ldap://10.0.10.11")
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_result(): CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
nslcd: [495cff] <passwd="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: uidNumber: missing
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [e8944a] DEBUG: connection from pid=2198 uid=0 gid=0
nslcd: [e8944a] <passwd="testaduser"> DEBUG: myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com", filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")
nslcd: [e8944a] <passwd="testaduser"> DEBUG: ldap_result(): CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
nslcd: [e8944a] <passwd="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: uidNumber: missing
nslcd: [e8944a] <passwd="testaduser"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [5558ec] DEBUG: connection from pid=2198 uid=0 gid=0
nslcd: [5558ec] <authc="testaduser"> DEBUG: nslcd_pam_authc("testaduser","sshd","***")
nslcd: [5558ec] <authc="testaduser"> DEBUG: myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com", filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_result(): CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
nslcd: [5558ec] <authc="testaduser"> DEBUG: myldap_search(base="CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com", filter="(objectClass=*)")
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_initialize(ldap://10.0.10.11)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_rebind_proc()
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_start_tls_s()
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_simple_bind_s("CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com","***") (uri="ldap://10.0.10.11")
nslcd: [5558ec] <authc="testaduser"> DEBUG: failed to bind to LDAP server ldap://10.0.10.11: Invalid credentials: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_unbind()
nslcd: [5558ec] <authc="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: lookup failed: Invalid credentials
nslcd: [5558ec] <authc="testaduser"> DEBUG: myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com", filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_result(): CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
nslcd: [5558ec] <authc="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: pwdLastSet: password changed in the future
PAM debug (/var/log/auth.log)
============================================
May 30 17:33:54 ubuntu14-lts sshd[2215]: Invalid user testaduser from 10.0.10.151
May 30 17:33:54 ubuntu14-lts sshd[2215]: input_userauth_request: invalid user testaduser [preauth]
May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_unix(sshd:auth): check pass; user unknown
May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.10.199
May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_ldap(sshd:auth): nslcd authentication; user=testaduser
May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_ldap(sshd:auth): error opening connection to nslcd: No such file or directory
May 30 17:34:02 ubuntu14-lts sshd[2215]: Failed password for invalid user testaduser from 10.0.10.199 port 50143 ssh2
nslcd.conf configuration
===============================================
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://10.0.10.11
# The search base that will be used for all queries.
base ou=2_ABCD,dc=abc,dc=example,dc=com
# The LDAP protocol version to use.
ldap_version 3
# The DN to bind with for normal lookups.
binddn cn=binddn,ou=Int_Service,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
bindpw blabla
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
ssl start_tls
tls_reqcert never
# The search scope.
scope sub
# Active Directory
pagesize 30000
referrals off
idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd uid sAMAccountName
map passwd homeDirectory "/home/$uid"
map passwd gecos displayName
map passwd loginShell "/bin/bash"
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
filter shadow (&(objectClass=user)(!(objectClass=computer)))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
PAM configuration
=======================================
ubuntu14-lts:/# cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass debug
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
NSS switch config
============================================
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
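The debug output above carries three separate signals that are easy to read past: nslcd reporting "uidNumber: missing" on the passwd lookup (the entry is dropped, which is why getent passwd shows nothing and sshd logs "Invalid user"), the AD bind failure whose "data 52e" sub-code is the part worth decoding, and "pwdLastSet: password changed in the future" from mapping AD's FILETIME-style pwdLastSet straight onto shadowLastChange. The script below is an added example for this thread, not code from the post or from nss-pam-ldapd: it groups constructed `nslcd -d` lines (modelled on the ones above) by request id, decodes the AD AcceptSecurityContext sub-codes, shows the pwdLastSet-to-days conversion, and flags the two nslcd.conf settings that matter for the password channel (`tls_reqcert never`, and a clear-text `bindpw`). The sample lines, the sample pwdLastSet value and the function names are assumptions made for the example.

```python
"""Triage nslcd -d output and nslcd.conf for an Active Directory backend.
Added example for this thread (not from the post or nss-pam-ldapd);
sample log lines and values are constructed."""
import re

# Sub-codes AD appends as "data NNN" to an "Invalid credentials" bind result.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or bind DN not accepted)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# nslcd -d line shape: 'nslcd: [reqid] <kind="user"> message'
LINE_RE = re.compile(
    r'^nslcd: \[(?P<req>[0-9a-f]+)\] (?:<(?P<kind>\w+)="(?P<user>[^"]*)"> )?(?P<msg>.*)$')
DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-f]+)")

EPOCH_DELTA = 11644473600  # seconds from 1601-01-01 (FILETIME epoch) to 1970-01-01


def decode_ad_bind_error(msg):
    """Return (sub-code, meaning) for an AD bind error string, or None."""
    m = DATA_RE.search(msg)
    if not m:
        return None
    code = m["code"].lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")


def pwdlastset_to_shadow_days(value):
    """AD pwdLastSet (100 ns ticks since 1601) -> shadowLastChange (days since 1970).
    AD uses 0 for "must change password at next logon"; keep it 0 so the shadow
    checks see a forced change rather than a date in 1970."""
    ticks = int(value)
    if ticks <= 0:
        return 0
    return (ticks // 10_000_000 - EPOCH_DELTA) // 86400


def triage(lines):
    """Group nslcd -d lines by request id; return (req, user, finding) tuples."""
    reqs = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        r = reqs.setdefault(m["req"], {"user": None, "msgs": []})
        if m["kind"]:
            r["user"] = m["user"]
        r["msgs"].append(m["msg"])
    findings = []
    for req, r in reqs.items():
        for msg in r["msgs"]:
            if msg.endswith("uidNumber: missing"):
                findings.append((req, r["user"], "passwd entry dropped: no uidNumber; "
                                 "getpwnam fails, so sshd logs 'Invalid user'"))
            elif "failed to bind" in msg and decode_ad_bind_error(msg):
                code, meaning = decode_ad_bind_error(msg)
                findings.append((req, r["user"], f"AD bind refused, data {code}: {meaning}"))
            elif msg.endswith("pwdLastSet: password changed in the future"):
                findings.append((req, r["user"], "shadowLastChange fed raw pwdLastSet "
                                 "(FILETIME ticks, not days); convert before mapping"))
    return findings


def audit_nslcd_conf(text):
    """Flag nslcd.conf settings that weaken the channel carrying user passwords."""
    warnings = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "tls_reqcert" and parts[1:] and parts[1] == "never":
            warnings.append("tls_reqcert never: server certificate is not verified, so the "
                            "binddn and every user's password go to whoever answers the URI")
        if parts[0] == "bindpw":
            warnings.append("bindpw in nslcd.conf: keep the file root:nslcd mode 0640")
    return warnings


# Constructed sample, modelled on the thread's nslcd -d output.
SAMPLE_LOG = [
    'nslcd: [b0dc51] <passwd="testaduser"> CN=Test AD User,OU=Users,DC=abc,DC=example,DC=com: uidNumber: missing',
    'nslcd: [5558ec] <authc="testaduser"> DEBUG: failed to bind to LDAP server ldap://10.0.10.11: '
    'Invalid credentials: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772',
    'nslcd: [5558ec] <authc="testaduser"> CN=Test AD User,OU=Users,DC=abc,DC=example,DC=com: pwdLastSet: password changed in the future',
]

if __name__ == "__main__":
    for req, user, what in triage(SAMPLE_LOG):
        print(f"[{req}] {user}: {what}")
    print("shadowLastChange:", pwdlastset_to_shadow_days("131087808000000000"))
    print(audit_nslcd_conf("ssl start_tls\ntls_reqcert never\nbindpw blabla\n"))
```

To use it on a real box, replace SAMPLE_LOG with lines captured from `nslcd -d` and feed the contents of /etc/nslcd.conf to audit_nslcd_conf. The "uidNumber: missing" finding is the one that explains both symptoms in the thread: without a uidNumber (or a `map passwd uidNumber ...` to an attribute the AD objects actually carry), nslcd never returns a passwd entry, so the user is unknown to NSS and the PAM stack falls through before the LDAP bind ever gets a chance to succeed.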