On Mon, 25 Jul 2011, Kenneth Holter wrote:

Are you mapping the shadowAccount attribute along with the userPassword attribute? You must map both if you use a shadow passwd entry like in RH or Solaris.

rachel
Hi all,

I posted this question on the RHEL 5 mailing list, but didn't get any replies. Then I came across pam-list, and this may be a more appropriate place to post this question.

This is the case: I'm working on setting up our RHEL servers to authenticate against Active Directory 2008. With my current setup, users can log in and most everything looks good. But one issue I'm having is that when the "User must change password at next logon" box in AD is checked, I'm denied access to the Linux box.

First, this is my setup:

###### /etc/ldap.conf ##########
uri ldaps://ldap.example.com
base dc=example,dc=com
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
pam_password_prohibit_message Your password could not be changed
pam_password ad
ssl on
tls_checkpeer no
bind_timelimit 120
idle_timelimit 3600
bind_policy soft
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
binddn cn=serviceuser,ou=accounts,dc=example,dc=com
bindpw secret
TLS_REQCERT allow

###### /etc/pam.d/system-auth ###########
#%PAM-1.0
# /etc/pam.d/system-auth
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
account     required      pam_access.so accessfile=/etc/security/access.custom.conf

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=077

####### /etc/nsswitch.conf ####################
-- snip --
passwd:     ldap compat
shadow:     ldap compat
group:      ldap compat
-- snip --

So when I issue for example "ssh kenneth@server" to log into my RHEL server, this is what /var/log/secure tells me:

## output start ##
2011-07-22T13:37:21.140807+02:00 server sshd[11172]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server.example.com user=kenneth
2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com" (Invalid credentials)
2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password for kenneth from 1.2.3.4 port 45352 ssh2
## output end ##

I've tried to google this issue, but haven't come across any information that has helped me resolve it. Does anyone here know what may be causing it? Any help will be greatly appreciated.

Best regards,
Kenneth Holter

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
--
Rachel Polanskis
Kingswood, Greater Western Sydney, Australia
grove@xxxxxxxxxxx
http://www.zeta.org.au/~grove/grove.html
"The perversity of the Universe tends towards a maximum." - Finagle's Law
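The three /var/log/secure lines Kenneth quoted are the whole diagnostic signal in this thread: pam_unix fails (the account is not local), pam_ldap then reports that the simple bind as the user's DN was rejected with "Invalid credentials", and sshd records the failed password. The following is an added example, not code from either poster or from the PAM or nss_ldap projects. It groups sshd lines by PID (assumption: one sshd PID per login attempt, which is how OpenSSH logs on RHEL), classifies the PAM failure sequence, and separates "the directory rejected the bind" from "pam_ldap never got to bind", which is the first thing to establish before touching the attribute mappings Rachel asks about. The sample log is the excerpt from the post plus one constructed "Accepted password" line for user "alice" (not from the thread) so the classifier has a contrasting case.

```python
import re
from collections import defaultdict

# Sample input: the three lines quoted in Kenneth's post, plus one CONSTRUCTED
# successful login (alice) that does not appear in the thread.
SAMPLE_SECURE_LOG = """\
2011-07-22T13:37:21.140807+02:00 server sshd[11172]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server.example.com user=kenneth
2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com" (Invalid credentials)
2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password for kenneth from 1.2.3.4 port 45352 ssh2
2011-07-22T13:40:01.000000+02:00 server sshd[11201]: Accepted password for alice from 1.2.3.5 port 45400 ssh2
"""

# rsyslog-style line: <timestamp> <host> sshd[<pid>]: <message>
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
UNIX_FAIL_RE = re.compile(r'pam_unix\(sshd:auth\): authentication failure;.* user=(?P<user>\S+)')
LDAP_BIND_RE = re.compile(r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]+)\)')
FAILED_RE = re.compile(r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')
ACCEPTED_RE = re.compile(r'Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)')


def parse_events(text):
    """Group sshd messages by PID; each PID is treated as one login attempt."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[int(m['pid'])].append(m['msg'])
    return sessions


def classify(msgs):
    """Walk one attempt's messages in order and record which PAM stage failed."""
    result = {'user': None, 'outcome': 'unknown', 'unix_failed': False,
              'ldap_bind_error': None, 'bind_dn': None}
    for msg in msgs:
        if (m := UNIX_FAIL_RE.search(msg)):
            result['unix_failed'] = True          # not a local account (expected for AD users)
            result['user'] = result['user'] or m['user']
        elif (m := LDAP_BIND_RE.search(msg)):
            result['ldap_bind_error'] = m['reason']  # the directory itself refused the bind
            result['bind_dn'] = m['dn']
        elif (m := FAILED_RE.search(msg)):
            result['user'] = m['user']
            result['outcome'] = 'failed'
        elif (m := ACCEPTED_RE.search(msg)):
            result['user'] = m['user']
            result['outcome'] = 'accepted'
    return result


def diagnose(text):
    """Return {pid: classification + a triage hint} for every attempt in the log."""
    out = {}
    for pid, msgs in parse_events(text).items():
        c = classify(msgs)
        if c['outcome'] == 'failed' and c['ldap_bind_error']:
            c['hint'] = (f"LDAP server rejected the simple bind as {c['bind_dn']} "
                         f"({c['ldap_bind_error']}); inspect the account state on the "
                         f"directory side before changing NSS attribute mappings")
        elif c['outcome'] == 'failed' and c['unix_failed'] and not c['ldap_bind_error']:
            c['hint'] = ('pam_ldap never reported a bind; check that ldap.conf/nsswitch.conf '
                         'resolve the user at all')
        else:
            c['hint'] = ''
        out[pid] = c
    return out


if __name__ == '__main__':
    for pid, c in diagnose(SAMPLE_SECURE_LOG).items():
        print(f"sshd[{pid}] user={c['user']} outcome={c['outcome']} "
              f"unix_failed={c['unix_failed']} ldap_bind_error={c['ldap_bind_error']}")
        if c['hint']:
            print('  hint:', c['hint'])
```

Run it against a real /var/log/secure with `diagnose(open('/var/log/secure').read())`; on Kenneth's excerpt it reports that the bind as CN=kenneth,OU=Users,DC=example,DC=com was refused by the directory, which is a different failure class from a user the NSS layer cannot see.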