Re: Authenticate against AD: Access denied when "User must change password at next logon" is set

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,
have a look at this site:

https://help.ubuntu.com/community/ActiveDirectoryHowto


It explains better than I can!

--
rachel polanskis 
<r.polanskis@xxxxxxxxxx> 
<grove@xxxxxxxxxxx>

On 26/07/2011, at 17:27, Kenneth Holter <kenneho.ndu@xxxxxxxxx> wrote:

> Thank you very much for your reply.
> 
> Could you please elaborate on which attribute mappings exactly are you
> referring to?
> 
> I have tried adding these lines to my ldap.conf file, but without success:
> 
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_attribute uid sAMAccountName
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute shadowLastChange pwdLastSet
> nss_map_objectclass posixGroup group
> nss_map_attribute uniqueMember member
> pam_login_attribute sAMAccountName
> pam_filter objectclass=User
> 
> 
> Best regards,
> Kenneth
> 
> On Tue, Jul 26, 2011 at 3:06 AM,  <grove@xxxxxxxxxxx> wrote:
>> On Mon, 25 Jul 2011, Kenneth Holter wrote:
>> 
>> 
>> Are you mapping the shadowaccount Attribute along with Userpassword
>> Attribute?
>> 
>> You must map both if you use shadow passwd entry like in RH or Solaris.
>> 
>> 
>> rachel
>> 
>> 
>> 
>> 
>> 
>>> Hi all,
>>> 
>>> 
>>> I posted this question on the RHEL 5 mailing list, but didn't get any
>>> replies. Then I came across pam-list, and this may be a more
>>> appropriate place to post this question. This is the case:
>>> 
>>> I'm working on setting up our RHEL servers to authenticate against
>>> Active Directory 2008. With my current setup, users can log in and
>>> most everything looks good. But one issue I'm having is that when the
>>> "User must change password at next logon" box on AD i checked, I'm
>>> denied access to the linux box. First, this is my setup:
>>> 
>>> ###### /etc/ldap.conf ##########
>>> 
>>> uri ldaps://ldap.example.com
>>> base dc=example,dc=com
>>> 
>>> nss_map_attribute uniqueMember msSFU30PosixMember
>>> nss_map_attribute userPassword msSFU30Password
>>> 
>>> pam_password_prohibit_message Your password could not be changed
>>> pam_password ad
>>> ssl on
>>> tls_checkpeer no
>>> 
>>> bind_timelimit 120
>>> idle_timelimit 3600
>>> bind_policy soft
>>> nss_initgroups_ignoreusers
>>> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>>> 
>>> binddn cn=serviceuser,ou=accounts,dc=example,dc=com
>>> bindpw secret
>>> 
>>> TLS_REQCERT allow
>>> 
>>> ###### /etc/pam.d/system-auth ###########
>>> #%PAM-1.0
>>> # /etc/pam.d/system-auth
>>> auth        required      pam_env.so
>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>> auth        sufficient    pam_ldap.so use_first_pass
>>> auth        required      pam_deny.so
>>> 
>>> account     required      pam_unix.so broken_shadow
>>> account     sufficient    pam_localuser.so
>>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>> account     required      pam_permit.so
>>> account     required      pam_access.so
>>> accessfile=/etc/security/access.custom.conf
>>> 
>>> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
>>> use_authtok
>>> password    sufficient    pam_ldap.so use_authtok
>>> password    required      pam_deny.so
>>> 
>>> session     optional      pam_keyinit.so revoke
>>> session     required      pam_limits.so
>>> session     [success=1 default=ignore] pam_succeed_if.so service in
>>> crond quiet use_uid
>>> session     required      pam_unix.so
>>> session     optional      pam_ldap.so
>>> session     required      pam_mkhomedir.so skel=/etc/skel umask=077
>>> 
>>> 
>>> ####### /etc/nsswitch.conf ####################
>>> -- snip --
>>> passwd:     ldap compat
>>> shadow:     ldap compat
>>> group:      ldap compat
>>> -- snip --
>>> 
>>> 
>>> So when I issue for example "ssh kenneth@server" to log into my RHEL
>>> server, this is what /var/log/secure tells me:
>>> 
>>> ## output start ##
>>> 2011-07-22T13:37:21.140807+02:00 server sshd[11172]:
>>> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
>>> tty=ssh ruser= rhost=server.example.com  user=kenneth
>>> 2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error
>>> trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com"
>>> (Invalid credentials)
>>> 2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password
>>> for kenneth from 1.2.3.4 port 45352 ssh2
>>> ## output end ##
>>> 
>>> I've tried to google this issue, but haven't come across any
>>> information that have helped me resolve this issue. Does anyone here
>>> know what may be causing it? Any help will be greatly appreciated.
>>> 
>>> 
>>> Best regards,
>>> Kenneth Holter
>>> 
>>> _______________________________________________
>>> Pam-list mailing list
>>> Pam-list@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/pam-list
>>> 
>> 
>> --
>> Rachel Polanskis                 Kingswood, Greater Western Sydney,
>> Australia
>> grove@xxxxxxxxxxx                http://www.zeta.org.au/~grove/grove.html
>>   "The perversity of the Universe tends towards a maximum." - Finagle's Law
>> 
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/pam-list
>> 
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list


[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux