Re: Authenticate against AD: Access denied when "User must change password at next logon" is set

On Mon, 25 Jul 2011, Kenneth Holter wrote:


Are you mapping the shadowAccount attribute along with the userPassword attribute?

You must map both if you use a shadow passwd entry, as on RH or Solaris.


rachel





Hi all,


I posted this question on the RHEL 5 mailing list, but didn't get any
replies. Then I came across pam-list, and this may be a more
appropriate place to post this question. This is the case:

I'm working on setting up our RHEL servers to authenticate against
Active Directory 2008. With my current setup, users can log in and
most everything looks good. But one issue I'm having is that when the
"User must change password at next logon" box in AD is checked, I'm
denied access to the Linux box. First, this is my setup:

###### /etc/ldap.conf ##########

uri ldaps://ldap.example.com
base dc=example,dc=com

nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password

pam_password_prohibit_message Your password could not be changed
pam_password ad
ssl on
tls_checkpeer no

bind_timelimit 120
idle_timelimit 3600
bind_policy soft
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman

binddn cn=serviceuser,ou=accounts,dc=example,dc=com
bindpw secret

TLS_REQCERT allow

###### /etc/pam.d/system-auth ###########
#%PAM-1.0
# /etc/pam.d/system-auth
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
account     required      pam_access.so accessfile=/etc/security/access.custom.conf

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=077


####### /etc/nsswitch.conf ####################
-- snip --
passwd:     ldap compat
shadow:     ldap compat
group:      ldap compat
-- snip --


So when I issue for example "ssh kenneth@server" to log into my RHEL
server, this is what /var/log/secure tells me:

## output start ##
2011-07-22T13:37:21.140807+02:00 server sshd[11172]:
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=server.example.com  user=kenneth
2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error
trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com"
(Invalid credentials)
2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password
for kenneth from 1.2.3.4 port 45352 ssh2
## output end ##

I've tried to Google this issue, but haven't come across any
information that has helped me resolve it. Does anyone here
know what may be causing it? Any help will be greatly appreciated.


Best regards,
Kenneth Holter

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list


--
Rachel Polanskis                 Kingswood, Greater Western Sydney, Australia
grove@xxxxxxxxxxx                http://www.zeta.org.au/~grove/grove.html
   "The perversity of the Universe tends towards a maximum." - Finagle's Law
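The auth and account stacks quoted from system-auth above are what turn the rejected LDAP bind in the log into "Failed password". As an added illustration (not code from the thread, from Linux-PAM or from pam_ldap), the Python below models Linux-PAM's handling of the control flags used in that file, including the bracketed [default=bad success=ok user_unknown=ignore] form, and walks both stacks with module verdicts constructed by hand to match the /var/log/secure excerpt. The verdict strings, the stack lists and the per-module outcomes are assumptions of the example; nothing here calls real PAM.

```python
"""Model of how Linux-PAM walks the auth and account stacks from the
system-auth file quoted in the thread.  The module verdicts below are
constructed by hand to match the /var/log/secure excerpt; nothing here
calls real PAM."""

# Expansion of the control keywords into [value=action] tables, as given
# in pam.conf(5).  "default" covers every return value not listed.
CONTROL = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

def parse_control(token):
    """Return the action table for a keyword or a bracketed [value=action ...] control."""
    if token.startswith("["):
        return dict(pair.split("=", 1) for pair in token.strip("[]").split())
    return CONTROL[token]

def run_stack(stack, verdicts):
    """Walk a stack of (control, module) pairs; verdicts maps module -> PAM return
    value as a lowercase string (e.g. "success", "auth_err", "perm_denied").
    Follows pam_dispatch_aux(): the first bad/die result is sticky for the rest of
    the stack, done short-circuits only while no failure is recorded, and ignore
    leaves the running status untouched.  Returns (final_status, trace)."""
    impression, status, trace = None, None, []
    for control, module in stack:
        table = parse_control(control)
        retval = verdicts[module]
        action = table.get(retval, table["default"])
        trace.append(f"{control:<12} {module:<20} {retval:<18} -> {action}")
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        # "ignore": neither impression nor status changes
    if impression is None:          # nothing in the stack expressed an opinion
        status = "perm_denied"
    return status, trace

# The two stacks from /etc/pam.d/system-auth in the thread (module args dropped).
AUTH_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite",  "pam_succeed_if.so"),
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_deny.so"),
]
ACCOUNT_STACK = [
    ("required",   "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
    ("required",   "pam_permit.so"),
    ("required",   "pam_access.so"),
]

# Constructed verdicts matching the log: pam_unix has no local hash, the uid
# test passes, the LDAP bind is rejected with "Invalid credentials".
LOGGED_AUTH_VERDICTS = {
    "pam_env.so": "success",
    "pam_unix.so": "auth_err",
    "pam_succeed_if.so": "success",
    "pam_ldap.so": "auth_err",
    "pam_deny.so": "perm_denied",
}
# Constructed verdicts for a directory user whose account check passes.
AD_ACCOUNT_VERDICTS = {
    "pam_unix.so": "success",
    "pam_localuser.so": "perm_denied",   # not in /etc/passwd
    "pam_succeed_if.so": "auth_err",     # uid is not < 500
    "pam_ldap.so": "success",
    "pam_permit.so": "success",
    "pam_access.so": "success",
}

if __name__ == "__main__":
    for name, stack, verdicts in [
        ("auth, as logged", AUTH_STACK, LOGGED_AUTH_VERDICTS),
        ("auth, bind accepted", AUTH_STACK, {**LOGGED_AUTH_VERDICTS, "pam_ldap.so": "success"}),
        ("account, ok", ACCOUNT_STACK, AD_ACCOUNT_VERDICTS),
        ("account, module reports new_authtok_reqd", ACCOUNT_STACK,
         {**AD_ACCOUNT_VERDICTS, "pam_ldap.so": "new_authtok_reqd"}),
    ]:
        status, trace = run_stack(stack, verdicts)
        print(f"== {name}: {status}")
        print("\n".join(trace))
```

Running it shows the logged path end in perm_denied from pam_deny once both sufficient modules have been ignored, and success as soon as the pam_ldap bind is accepted. The account-stack scenarios are there to show the bracketed control: it maps every return value other than success and user_unknown to bad, so a module answering new_authtok_reqd in that slot produces a denial, whereas the plain required keyword treats new_authtok_reqd as ok.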
