Re: Authentication against LDAP is failing from Ubuntu dlients if there is no local user account with the same name as in LDAP

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Dennis Leeuw <D.Leeuw [at] umcutrecht.nl>
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: Re: Authentication against LDAP is failing from Ubuntu dlients if there is no local user account with the same name as in LDAP
Date: Tue, 31 May 2016 15:22:19 +0200

On 30-05-16 18:20, Thomas Keller wrote:

Hi
I am trying to make our company's Ubuntu 14.04 clients to authenticateagainst Active Directory 2008 using nss-pam-ldapd.
So far our AD users are not able to login to the Ubuntu boxes, unlessI create a local user account on the Ubuntu client with the same nameas the LDAP/AD user. The local user account password and ldap accountpasswords are different.
If there is no local user account, the nslcd debug log tells me that Iam using invalid credentials. If I create a local account on theUbuntu client (with no passsword or a different password) the nslcddebug log tells me that authentication is successful and login issuccessful also.
An ldapsearch against Active Directory with the bind user andlogging-in user is working
getent passwd is not working eg. only shows the /etc/passwd entries
Error in nslcd debug: Invalid credentials: 80090308: LdapErr:DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772
Does anyone know what the problem could be?

Thank you for any help.

Thomas


output of nslcd debug log
========================================

# nslcd -d
nslcd: [b0dc51] <passwd="testaduser"> DEBUG:myldap_search(base="ou=2_ABCD,dc=abc,dc=example,dc=com",filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")nslcd: [b0dc51] <passwd="testaduser"> DEBUG: ldap_result(): CN=Test ADUser,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=comnslcd: [b0dc51] <passwd="testaduser"> CN=Test ADUser,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com:uidNumber: missingnslcd: [b0dc51] <passwd="testaduser"> DEBUG: ldap_result(): end ofresults (1 total)
nslcd: [495cff] DEBUG: connection from pid=2198 uid=0 gid=0
nslcd: [495cff] <passwd="testaduser"> DEBUG:myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com",filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")nslcd: [495cff] <passwd="testaduser"> DEBUG:ldap_initialize(ldap://10.0.10.11)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_set_rebind_proc()
nslcd: [495cff] <passwd="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)nslcd: [495cff] <passwd="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_DEREF,0)nslcd: [495cff] <passwd="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_TIMELIMIT,0)nslcd: [495cff] <passwd="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_TIMEOUT,0)nslcd: [495cff] <passwd="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)nslcd: [495cff] <passwd="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)nslcd: [495cff] <passwd="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_start_tls_s()
nslcd: [495cff] <passwd="testaduser"> DEBUG:ldap_simple_bind_s("cn=binddn,ou=Int_Service,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com","***")(uri="ldap://10.0.10.11";)nslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_result(): CN=Test ADUser,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=comnslcd: [495cff] <passwd="testaduser"> CN=Test ADUser,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com:uidNumber: missingnslcd: [495cff] <passwd="testaduser"> DEBUG: ldap_result(): end ofresults (1 total)
nslcd: [e8944a] DEBUG: connection from pid=2198 uid=0 gid=0
nslcd: [e8944a] <passwd="testaduser"> DEBUG:myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com",filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")nslcd: [e8944a] <passwd="testaduser"> DEBUG: ldap_result(): CN=Test ADUser,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=comnslcd: [e8944a] <passwd="testaduser"> CN=Test ADUser,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com:uidNumber: missingnslcd: [e8944a] <passwd="testaduser"> DEBUG: ldap_result(): end ofresults (1 total)
nslcd: [5558ec] DEBUG: connection from pid=2198 uid=0 gid=0
nslcd: [5558ec] <authc="testaduser"> DEBUG:nslcd_pam_authc("testaduser","sshd","***")nslcd: [5558ec] <authc="testaduser"> DEBUG:myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com",filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_result(): CN=Test ADUser,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=comnslcd: [5558ec] <authc="testaduser"> DEBUG:myldap_search(base="CN=Test ADUser,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com",filter="(objectClass=*)")nslcd: [5558ec] <authc="testaduser"> DEBUG:ldap_initialize(ldap://10.0.10.11)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_set_rebind_proc()
nslcd: [5558ec] <authc="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)nslcd: [5558ec] <authc="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_DEREF,0)nslcd: [5558ec] <authc="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_TIMELIMIT,0)nslcd: [5558ec] <authc="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_TIMEOUT,0)nslcd: [5558ec] <authc="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)nslcd: [5558ec] <authc="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)nslcd: [5558ec] <authc="testaduser"> DEBUG:ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_start_tls_s()
nslcd: [5558ec] <authc="testaduser"> DEBUG:ldap_simple_bind_s("CN=Test ADUser,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com","***")(uri="ldap://10.0.10.11";)nslcd: [5558ec] <authc="testaduser"> DEBUG: failed to bind to LDAPserver ldap://10.0.10.11: Invalid credentials: 80090308: LdapErr:DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772
nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_unbind()
nslcd: [5558ec] <authc="testaduser"> CN=Test ADUser,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com:lookup failed: Invalid credentialsnslcd: [5558ec] <authc="testaduser"> DEBUG:myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com",filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_result(): CN=Test ADUser,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=comnslcd: [5558ec] <authc="testaduser"> CN=Test ADUser,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com:pwdLastSet: password changed in the future
Pam debug (/var/log/auth.log)
============================================
May 30 17:33:54 ubuntu14-lts sshd[2215]: Invalid user testaduser from10.0.10.151May 30 17:33:54 ubuntu14-lts sshd[2215]: input_userauth_request:invalid user testaduser [preauth]May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_unix(sshd:auth): checkpass; user unknownMay 30 17:34:00 ubuntu14-lts sshd[2215]: pam_unix(sshd:auth):authentication failure; logname= uid=0 euid=0 tty=ssh ruser=rhost=10.0.10.199May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_ldap(sshd:auth): nslcdauthentication; user=testaduserMay 30 17:34:00 ubuntu14-lts sshd[2215]: pam_ldap(sshd:auth): erroropening connection to nslcd: No such file or directoryMay 30 17:34:02 ubuntu14-lts sshd[2215]: Failed password for invaliduser testaduser from 10.0.10.199 port 50143 ssh2
nslcd.conf configuration
===============================================

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://10.0.10.11

# The search base that will be used for all queries.
base ou=2_ABCD,dc=abc,dc=example,dc=com

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddncn=binddn,ou=Int_Service,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
bindpw blabla

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl start_tls
tls_reqcert never

# The search scope.
scope sub

# Active Directory

pagesize 30000
referrals off
idle_timelimit 800
#filter passwd(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    "/home/$uid"
map    passwd gecos            displayName
map    passwd loginShell       "/bin/bash"
#filter shadow(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)
filter shadow (&(objectClass=user)(!(objectClass=computer)))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)


Pam configuration
=======================================

ubuntu14-lts:/# cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth  [success=2 default=ignore]      pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000use_first_pass debug
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets asuccess code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config


NSS switch config
============================================

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat ldap
group:  compat ldap
shadow: compat ldap

hosts:  files dns
networks: files

protocols:  db files
services: db files
ethers: db files
rpc:  db files

netgroup: nis

Maybe I am missing something, but... isn't AD a combination of Kerberosand LDAP, where the password is stored in Kerberos? So shouldn't youalso configure some kind of kerberos realm?


Greetings,

Dennis Leeuw

--
Integratie Specialist
DBG-ICT
UMC Utrecht


------------------------------------------------------------------------------

De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is
uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht
ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct
te informeren door het bericht te retourneren. Het Universitair Medisch
Centrum Utrecht is een publiekrechtelijke rechtspersoon in de zin van de W.H.W.
(Wet Hoger Onderwijs en Wetenschappelijk Onderzoek) en staat geregistreerd bij
de Kamer van Koophandel voor Midden-Nederland onder nr. 30244197.

Denk s.v.p aan het milieu voor u deze e-mail afdrukt.

------------------------------------------------------------------------------

This message may contain confidential information and is intended exclusively
for the addressee. If you receive this message unintentionally, please do not
use the contents but notify the sender immediately by return e-mail. University
Medical Center Utrecht is a legal person by public law and is registered at
the Chamber of Commerce for Midden-Nederland under no. 30244197.

Please consider the environment before printing this e-mail.
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

Authentication against LDAP is failing from Ubuntu dlients if there is no local user account with the same name as in LDAP, Thomas Keller
- Re: Authentication against LDAP is failing from Ubuntu dlients if there is no local user account with the same name as in LDAP, Dennis Leeuw
- Re: Authentication against LDAP is failing from Ubuntu dlients if there is no local user account with the same name as in LDAP, Arthur de Jong
  - Re: Authentication against LDAP is failing from Ubuntu dlients if there is no local user account with the same name as in LDAP, Thomas Keller

Prev by Date: Re: Using the initial letter in the home directory
Next by Date: Re: Authentication against LDAP is failing from Ubuntu dlients if there is no local user account with the same name as in LDAP
Previous by thread: Authentication against LDAP is failing from Ubuntu dlients if there is no local user account with the same name as in LDAP
Next by thread: Re: Authentication against LDAP is failing from Ubuntu dlients if there is no local user account with the same name as in LDAP