Re: Authentication against LDAP is failing from Ubuntu clients if there is no local user account with the same name as in LDAP
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Thomas Keller <s2074135 [at] yahoo.com.au>, "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: Authentication against LDAP is failing from Ubuntu clients if there is no local user account with the same name as in LDAP
- Date: Tue, 31 May 2016 21:59:12 +0200
On Mon, 2016-05-30 at 16:20 +0000, Thomas Keller wrote:
> So far our AD users are not able to login to the Ubuntu boxes, unless
> I create a local user account on the Ubuntu client with the same name
> as the LDAP/AD user. The local user account password and ldap account
> passwords are different.
>
> If there is no local user account, the nslcd debug log tells me that
> I am using invalid credentials. If I create a local account on the
> Ubuntu client (with no password or a different password) the nslcd
> debug log tells me that authentication is successful and login is
> successful also.
[...]
> nslcd: [b0dc51] <passwd="testaduser"> CN=Test AD
> User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com:
> uidNumber: missing
This at least indicates why the getent passwd lookup is not working.
There is no uidNumber attribute in your AD. Unix accounts need a
numeric user id. If you don't have a numeric uid in AD you can have
nslcd derive one from the objectSid. See the sample nslcd.conf:
https://arthurdejong.org/git/nss-pam-ldapd/tree/nslcd.conf
> nslcd: [5558ec] <authc="testaduser"> DEBUG:
> nslcd_pam_authc("testaduser","sshd","***")
> nslcd: [5558ec] <authc="testaduser"> DEBUG:
> myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com",
> filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")
> nslcd: [5558ec] DEBUG: ldap_result(): CN=Test AD
> User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
> nslcd: [5558ec] <authc="testaduser"> DEBUG: myldap_search(base="CN=Test AD
> User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com",
> filter="(objectClass=*)")
[...]
> nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_simple_bind_s("CN=Test AD
> User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com","***")
> (uri="ldap://10.0.10.11")
> nslcd: [5558ec] <authc="testaduser"> DEBUG: failed to bind to LDAP server
> ldap://10.0.10.11: Invalid credentials: 80090308: LdapErr: DSID-0C0903AA,
> comment: AcceptSecurityContext error, data 52e, v1772
The stuff after "Invalid credentials" is just a diagnostic message from
AD.
I think I tried to have a local account and use authentication from
that while the user is also in LDAP but I don't think I ever tried it
the other way around.
> May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_ldap(sshd:auth): nslcd
> authentication; user=testaduser
> May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_ldap(sshd:auth): error opening
> connection to nslcd: No such file or directory
This seems to indicate that nslcd is not running as the error seems to
indicate that /var/run/nslcd/socket does not exist.
Hope this helps,
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
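The objectSid-derived uidNumber mapping Arthur points to, written out as an added example /etc/nslcd.conf fragment (not text from the original message or from the project's sample file). The uri and base are taken from the log in the thread; the bind account DN and the domain SID are constructed placeholders and must be replaced with the values for your own domain.

```conf
# /etc/nslcd.conf fragment (added example). Server and search base are the
# ones visible in the nslcd debug log above.
uri  ldap://10.0.10.11
base OU=2_ABCD,DC=abc,DC=example,DC=com
# AD does not allow anonymous searches; a low-privilege read-only bind
# account is assumed here (constructed placeholder DN and password).
# The PAM bind for the user's own password also goes over this uri, so in
# production prefer ldaps:// or "ssl start_tls" with a trusted CA.
binddn CN=nslcd-reader,OU=Service,DC=abc,DC=example,DC=com
bindpw REPLACE_ME

# Settings the sample nslcd.conf recommends for Active Directory.
pagesize 1000
referrals off

# passwd map: the accounts have no uidNumber attribute, so derive one from
# the RID part of objectSid. The domain SID below is a constructed
# placeholder; replace it with your domain's SID (the objectSid of the
# domain object) and use the same SID in every objectSid mapping.
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map    passwd uid           sAMAccountName
map    passwd uidNumber     objectSid:S-1-5-21-1111111111-2222222222-3333333333
map    passwd gidNumber     objectSid:S-1-5-21-1111111111-2222222222-3333333333
map    passwd homeDirectory "/home/$sAMAccountName"
map    passwd gecos         displayName
map    passwd loginShell    "/bin/bash"

# group map: persons are included so that each user's SID-derived primary
# gidNumber resolves to a group of the same name.
filter group (|(objectClass=group)(objectClass=person))
map    group  gidNumber     objectSid:S-1-5-21-1111111111-2222222222-3333333333
```

After restarting nslcd, check that /var/run/nslcd/socket exists (the "No such file or directory" error in the thread means it did not) and that `getent passwd testaduser` now returns a line with a numeric uid.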