This is what you said Scott Ruckh:

> I have the following configuration:
>
> /etc/openldap/ldap.conf
>
> BASE ou=LNXUSERS,dc=example,dc=com
> URI ldap://1.1.1.1/
> HOST adsvr.example.com
> TLS_REQCERT demand
> TLS_CACERT /etc/openldap/cacerts/exampleCA.pem
>
> /etc/ldap.conf
>
> host adsvr.example.com
> uri ldap://1.1.1.1
> scope sub
> timelimit 30
>
> binddn adlookup@xxxxxxxxxxx
> bindpw secret
>
> tls_checkpeer no
> ssl start_tls
>
> nss_base_passwd ou=LNXUSERS,dc=example,dc=com?sub
> nss_base_shadow ou=LNXUSERS,dc=example,dc=com?sub
> nss_base_group ou=LNXUSERS,dc=example,dc=com?sub?&(objectCategory=group)(gidnumber=*)
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_objectclass posixGroup group
> nss_map_attribute gecos name
> nss_map_attribute homeDirectory unixHomeDirectory
>
> pam_password ad
>
> This configuration works without sending the bind user's name and password
> over the wire in clear text, and works for logging in from the local
> console, but it does not work for ssh logins.
>
> It looks like the user authenticates, but then receives a connection
> closed message. The /var/log/messages only shows a pam_krb5 message
> stating, "authentication succeeds for 'aduser' (aduser@xxxxxxxxxxx)".
>
> As the Active Directory user can log in from the local console I assume
> /etc/krb5.conf, /etc/nsswitch.conf, and /etc/pam.d/system-auth are
> configured correctly. I am guessing there is a problem possibly with
> /etc/pam.d/sshd or /etc/ssh/ssh_config file.
>
> Does anyone have any idea what is going on and how to get ssh logins
> working?
>
> Thanks.

By making the file /etc/pam.d/system-auth look like the following everything appears to work.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     [ignore=ignore success=done default=die] /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_krb5.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
session     optional      /lib/security/$ISA/pam_ldap.so

I still need to do much more testing with this configuration to ensure everything works, but local and Active Directory users can log in from the local console and from ssh sessions with the above configuration.

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
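Why the stack above lets both local and Active Directory users in is easiest to see by replaying libpam's dispatch rules over it. The following is an added example, not code from the post or from Linux-PAM: it parses the posted auth and account groups (copied verbatim into the constant), expands the keyword controls into the action tables pam.conf(5) documents for them, and walks the stack for a few constructed scenarios. The per-module return codes in each scenario (pam_unix failing for an AD user, pam_krb5 succeeding, and so on) are assumed inputs to illustrate the control flow, not measured behaviour of those modules; numeric jump actions are not modelled because the posted stack does not use them.

```python
"""Replay Linux-PAM stack dispatch over the posted system-auth (added example)."""
import re

# Constructed copy of the auth and account groups from the posted system-auth.
SYSTEM_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     [ignore=ignore success=done default=die] /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_krb5.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
"""

# Keyword controls as the [..] action tables pam.conf(5) gives for them.
SIMPLE_FLAGS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# type, control ([...] or keyword), module path, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text, mtype):
    """Return [(module, action_table, args)] for one management group."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != mtype:
            continue
        _, ctrl, path, args = m.groups()
        if ctrl.startswith("["):
            actions = dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
        else:
            actions = dict(SIMPLE_FLAGS[ctrl])
        entries.append((path.rsplit("/", 1)[-1], actions, args.split()))
    return entries


def walk_stack(entries, returns):
    """Dispatch like libpam. 'returns' maps module name -> its return code for
    this scenario; a module missing from it is assumed to return 'ignore'.
    Gives (stack_result, modules_actually_called)."""
    status = None        # None: no module has contributed a result yet
    called = []
    for module, actions, _args in entries:
        rv = returns.get(module, "ignore")
        called.append(module)
        action = actions.get(rv, actions.get("default", "ignore"))
        if action == "ignore":
            continue
        # ok/done/bad/die let this module set the result unless an earlier
        # module already recorded a failure (a 'sufficient' success cannot
        # undo a 'required' failure).
        if status is None or status == "success":
            status = rv
        if action == "die" or (action == "done" and status == "success"):
            break        # stack terminates here; later modules never run
    # libpam denies when every module was ignored.
    return (status if status is not None else "perm_denied"), called


def scenario(mtype, returns):
    return walk_stack(parse_stack(SYSTEM_AUTH, mtype), returns)


# Constructed scenarios: assumed per-module return codes, not measured ones.
AD_USER_OK = {"pam_env.so": "success", "pam_unix.so": "auth_err", "pam_krb5.so": "success"}
LOCAL_USER_OK = {"pam_env.so": "success", "pam_unix.so": "success"}
BAD_PASSWORD = {"pam_env.so": "success", "pam_unix.so": "auth_err", "pam_krb5.so": "auth_err",
                "pam_ldap.so": "auth_err", "pam_deny.so": "auth_err"}
AD_ACCOUNT = {"pam_unix.so": "ignore", "pam_succeed_if.so": "auth_err", "pam_krb5.so": "success"}

if __name__ == "__main__":
    for name, mtype, rets in [("AD user, auth", "auth", AD_USER_OK),
                              ("local user, auth", "auth", LOCAL_USER_OK),
                              ("bad password, auth", "auth", BAD_PASSWORD),
                              ("AD user, account", "account", AD_ACCOUNT)]:
        result, called = scenario(mtype, rets)
        print(f"{name:20s} -> {result:12s} via {' -> '.join(called)}")
```

For the AD scenario the walk stops at pam_krb5 with success, so pam_ldap and pam_deny are never consulted; for a wrong password every sufficient module is ignored and pam_deny's required failure sets the result. The account group shows why pam_unix's bracketed control matters: its `ignore=ignore` entry lets an LDAP-only user fall through to pam_succeed_if and pam_krb5 instead of dying there.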
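The quoted /etc/ldap.conf protects the lookup account's password from passive capture with `ssl start_tls`, but `tls_checkpeer no` means nss_ldap never validates the server certificate, so a host that can answer for 1.1.1.1 would still receive the simple bind. The following is an added example, not from the post or the nss_ldap project: a small linter for nss_ldap/pam_ldap style configuration that reports the settings bearing on credential exposure, run over a constructed copy of the posted file and over a constructed hardened variant that keeps the same bind account but verifies the peer against the CA file the OpenLDAP side already references. Keyword case-insensitivity and the finding texts are this example's own conventions.

```python
"""Lint an nss_ldap/pam_ldap /etc/ldap.conf for bind-credential exposure (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed copy of the /etc/ldap.conf quoted in the post (nss_ldap syntax).
POSTED_LDAP_CONF = """\
host adsvr.example.com
uri ldap://1.1.1.1
scope sub
timelimit 30
binddn adlookup@xxxxxxxxxxx
bindpw secret
tls_checkpeer no
ssl start_tls
nss_base_passwd ou=LNXUSERS,dc=example,dc=com?sub
"""

# Constructed hardened variant: host name in the uri, peer verification on,
# CA taken from the /etc/openldap/ldap.conf quoted in the post.
HARDENED_LDAP_CONF = """\
uri ldap://adsvr.example.com
scope sub
timelimit 30
binddn adlookup@xxxxxxxxxxx
bindpw secret
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/exampleCA.pem
nss_base_passwd ou=LNXUSERS,dc=example,dc=com?sub
"""

Finding = Tuple[str, str, str]  # (severity, code, message)


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """keyword -> value; keywords lower-cased, a later duplicate wins, comments skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_ldap_conf(conf: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    uri = conf.get("uri", "")
    ssl = conf.get("ssl", "no").lower()
    encrypted = ssl in ("start_tls", "on", "yes") or uri.lower().startswith("ldaps://")
    has_bind = "binddn" in conf and "bindpw" in conf
    checkpeer = conf.get("tls_checkpeer", "").lower()

    if has_bind and not encrypted:
        findings.append(("high", "cleartext-bind",
                         "binddn/bindpw travel in a simple bind over plain ldap://; set 'ssl start_tls' or use ldaps://"))
    if encrypted and checkpeer == "no":
        findings.append(("high", "starttls-unverified",
                         "tls_checkpeer no: the server certificate is not validated, so any host answering for the uri can receive the bind password"))
    elif encrypted and not checkpeer:
        findings.append(("medium", "checkpeer-unset",
                         "tls_checkpeer is not set; state 'tls_checkpeer yes' explicitly"))
    if encrypted and checkpeer == "yes" and not ("tls_cacertfile" in conf or "tls_cacertdir" in conf):
        findings.append(("medium", "no-ca",
                         "tls_checkpeer yes without tls_cacertfile/tls_cacertdir; the peer check has no trust anchor"))
    # Host part of the uri: scheme stripped, path and port removed.
    host = re.sub(r"^ldaps?://", "", uri, flags=re.I).split("/")[0].split(":")[0]
    if encrypted and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(("low", "ip-uri",
                         "uri names an IP literal; the certificate must carry it as a SAN for peer checking, prefer the host name"))
    if has_bind:
        findings.append(("info", "bindpw-in-file",
                         "bindpw is stored in a file NSS clients must read; keep the lookup account read-only and minimally privileged"))
    return findings


def codes(text: str) -> List[str]:
    return [code for _sev, code, _msg in lint_ldap_conf(parse_ldap_conf(text))]


if __name__ == "__main__":
    for label, text in (("posted", POSTED_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(f"== {label}")
        for sev, code, msg in lint_ldap_conf(parse_ldap_conf(text)):
            print(f"  [{sev}] {code}: {msg}")
```

The hardened variant still carries `bindpw`, because nss_ldap needs a bind to resolve users against Active Directory; what changes is that the password now only goes to a server presenting a certificate chained to exampleCA.pem. Note that `TLS_REQCERT demand` in /etc/openldap/ldap.conf governs the OpenLDAP command-line tools, not nss_ldap, which is why ldapsearch can appear strict while lookups are not.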