lists.arthurdejong.org

Authentication against LDAP is failing from Ubuntu clients if there is no local user account with the same name as in LDAP


Hi

I am trying to make our company's Ubuntu 14.04 clients authenticate against Active Directory 2008 using nss-pam-ldapd.

So far our AD users are not able to login to the Ubuntu boxes, unless I create a local user account on the Ubuntu client with the same name as the LDAP/AD user. The local user account password and ldap account passwords are different.

If there is no local user account, the nslcd debug log tells me that I am using invalid credentials. If I create a local account on the Ubuntu client (with no password or a different password) the nslcd debug log tells me that authentication is successful and login is successful also.

- An ldapsearch against Active Directory with the bind user and with the logging-in user is working.
- getent passwd is not working, e.g. it only shows the /etc/passwd entries.
- Error in nslcd debug: Invalid credentials: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772

Does anyone know what the problem could be?

Thank you for any help.

Thomas


Output of nslcd debug log
========================================

# nslcd -d
nslcd: [b0dc51] <passwd="testaduser"> DEBUG: myldap_search(base="ou=2_ABCD,dc=abc,dc=example,dc=com", filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")
nslcd: [b0dc51] <passwd="testaduser"> DEBUG: ldap_result(): CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
nslcd: [b0dc51] <passwd="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: uidNumber: missing
nslcd: [b0dc51] <passwd="testaduser"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [495cff] DEBUG: connection from pid=2198 uid=0 gid=0
nslcd: [495cff] <passwd="testaduser"> DEBUG: myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com", filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_initialize(ldap://10.0.10.11)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_rebind_proc()
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_start_tls_s()
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_simple_bind_s("cn=binddn,ou=Int_Service,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com","***") (uri="ldap://10.0.10.11")
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_result(): CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
nslcd: [495cff] <passwd="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: uidNumber: missing
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [e8944a] DEBUG: connection from pid=2198 uid=0 gid=0
nslcd: [e8944a] <passwd="testaduser"> DEBUG: myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com", filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")
nslcd: [e8944a] <passwd="testaduser"> DEBUG: ldap_result(): CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
nslcd: [e8944a] <passwd="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: uidNumber: missing
nslcd: [e8944a] <passwd="testaduser"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [5558ec] DEBUG: connection from pid=2198 uid=0 gid=0
nslcd: [5558ec] <authc="testaduser"> DEBUG: nslcd_pam_authc("testaduser","sshd","***")
nslcd: [5558ec] <authc="testaduser"> DEBUG: myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com", filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_result(): CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
nslcd: [5558ec] <authc="testaduser"> DEBUG: myldap_search(base="CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com", filter="(objectClass=*)")
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_initialize(ldap://10.0.10.11)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_rebind_proc()
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_start_tls_s()
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_simple_bind_s("CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com","***") (uri="ldap://10.0.10.11")
nslcd: [5558ec] <authc="testaduser"> DEBUG: failed to bind to LDAP server ldap://10.0.10.11: Invalid credentials: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_unbind()
nslcd: [5558ec] <authc="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: lookup failed: Invalid credentials
nslcd: [5558ec] <authc="testaduser"> DEBUG: myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com", filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_result(): CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
nslcd: [5558ec] <authc="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: pwdLastSet: password changed in the future


Pam debug (/var/log/auth.log)
============================================

May 30 17:33:54 ubuntu14-lts sshd[2215]: Invalid user testaduser from 10.0.10.151
May 30 17:33:54 ubuntu14-lts sshd[2215]: input_userauth_request: invalid user testaduser [preauth]
May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_unix(sshd:auth): check pass; user unknown
May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.10.199
May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_ldap(sshd:auth): nslcd authentication; user=testaduser
May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_ldap(sshd:auth): error opening connection to nslcd: No such file or directory
May 30 17:34:02 ubuntu14-lts sshd[2215]: Failed password for invalid user testaduser from 10.0.10.199 port 50143 ssh2


nslcd.conf configuration
===============================================

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://10.0.10.11

# The search base that will be used for all queries.
base ou=2_ABCD,dc=abc,dc=example,dc=com

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=binddn,ou=Int_Service,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
bindpw blabla

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl start_tls
tls_reqcert never

# The search scope.
scope sub

# Active Directory

pagesize 30000
referrals off
idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    "/home/$uid"
map    passwd gecos            displayName
map    passwd loginShell       "/bin/bash"
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)
filter shadow (&(objectClass=user)(!(objectClass=computer)))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)


Pam configuration
=======================================

ubuntu14-lts:/# cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass debug
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config


NSS switch config
============================================

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

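As an added example (not part of this message and not code from the nss-pam-ldapd project), the following Python script triages the kind of output shown in the post: it groups nslcd -d lines by request id, flags entries that nslcd skips because uidNumber is missing (which is why such users never appear in getent passwd and sshd reports "Invalid user"), decodes the Active Directory sub-code that follows "data" in a failed bind, spots the pam_ldap "error opening connection to nslcd" line from auth.log, and explains the "pwdLastSet: password changed in the future" message by converting a pwdLastSet FILETIME into the days-since-1970 value that shadowLastChange expects. The sample log lines are copied from the post above as constructed input; the sub-code table holds the well-known Active Directory values; the pwdLastSet value in the demo is a constructed number.

```python
"""Triage of `nslcd -d` debug output plus pam_ldap lines from auth.log.

Added example, not part of nss-pam-ldapd. The sample lines below are copied
from the mailing-list post (constructed input for this demo).
"""
import re
from collections import defaultdict

# Well-known Active Directory sub-codes that follow "data" in the
# "AcceptSecurityContext error" string of an LDAP result 49 (invalid credentials).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# nslcd -d line: 'nslcd: [reqid] <map="name"> message' (the <map="name"> part is optional)
LINE_RE = re.compile(
    r'^nslcd: \[(?P<req>[0-9a-f]+)\] (?:<(?P<map>\w+)="(?P<name>[^"]*)"> )?(?P<msg>.*)$')
DATA_RE = re.compile(r'AcceptSecurityContext error, data (?P<code>[0-9a-f]+)')
MISSING_RE = re.compile(r'^(?P<dn>.+): (?P<attr>\w+): missing$')
PAM_SOCKET_RE = re.compile(r'pam_ldap\([^)]*\): error opening connection to nslcd')


def filetime_to_shadow_days(filetime):
    """Convert an AD pwdLastSet value (100 ns ticks since 1601-01-01 UTC) into
    the days-since-1970-01-01 number that shadowLastChange expects.
    A raw FILETIME (about 1.3e17) read as a day count lands far in the future,
    which is what nslcd's "password changed in the future" message reports."""
    if filetime <= 0:
        return 0  # AD uses 0 for "must change at next logon"; shadow uses 0 the same way
    seconds_since_1970 = filetime // 10_000_000 - 11_644_473_600
    return seconds_since_1970 // 86_400


def triage(log_text):
    """Return {request_id: [finding, ...]} for the conditions worth acting on."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if PAM_SOCKET_RE.search(line):
            findings["auth.log"].append(
                "pam_ldap could not open the nslcd socket: nslcd is not running "
                "or its socket is not reachable from the PAM client")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        req, mapname, msg = m.group("req"), m.group("map"), m.group("msg")
        missing = MISSING_RE.match(msg)
        if missing:
            findings[req].append(
                f"{mapname} lookup: entry {missing['dn']} lacks {missing['attr']}; "
                "nslcd skips such entries, so the user is invisible to NSS "
                "(getent passwd, sshd's user check)")
            continue
        data = DATA_RE.search(msg)
        if "failed to bind" in msg and data:
            code = data["code"]
            findings[req].append(
                f"{mapname} bind failed: AD data {code} = "
                f"{AD_BIND_DATA_CODES.get(code, 'unknown sub-code')}")
            continue
        if msg.endswith("pwdLastSet: password changed in the future"):
            findings[req].append(
                "shadow map: pwdLastSet is a raw Windows FILETIME, not days since 1970; "
                "convert it with filetime_to_shadow_days() before using it as shadowLastChange")
    return dict(findings)


# Constructed sample: lines copied from the post (nslcd -d output and auth.log).
SAMPLE_LOG = """\
nslcd: [b0dc51] <passwd="testaduser"> DEBUG: myldap_search(base="ou=2_ABCD,dc=abc,dc=example,dc=com", filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")
nslcd: [b0dc51] <passwd="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: uidNumber: missing
nslcd: [b0dc51] <passwd="testaduser"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [5558ec] DEBUG: connection from pid=2198 uid=0 gid=0
nslcd: [5558ec] <authc="testaduser"> DEBUG: nslcd_pam_authc("testaduser","sshd","***")
nslcd: [5558ec] <authc="testaduser"> DEBUG: failed to bind to LDAP server ldap://10.0.10.11: Invalid credentials: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772
nslcd: [5558ec] <authc="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: pwdLastSet: password changed in the future
May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_ldap(sshd:auth): error opening connection to nslcd: No such file or directory
"""

if __name__ == "__main__":
    for req, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"[{req}] {item}")
    # Constructed pwdLastSet value: 2014-06-02 15:00 UTC as a FILETIME.
    print("shadowLastChange for constructed pwdLastSet:",
          filetime_to_shadow_days(130461948000000000))
```

Run it as a script to print the findings for the embedded sample, or call `triage()` on the text of a saved `nslcd -d` session. The script only reads logs; it does not touch nslcd.conf. One setting there still deserves a look alongside the log triage: `tls_reqcert never` makes nslcd accept any server certificate on the STARTTLS session, so the bind password and every user password nslcd checks travel over a channel whose peer is not verified.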