Re: Authenticate against AD: Access denied when "User must change password at next logon" is set



If I understand you correctly, you suggest I add these two lines to
/etc/ldap.conf:

nss_map_objectclass shadowAccount User
nss_map_attribute userPassword msSFU30Password

I tried adding these, but the issue remains unsolved. Any ideas on
what to try next? Thanks in advance.



Regards,
Kenneth

On Tue, Jul 26, 2011 at 10:31 AM, Rachel Polanskis <grove@xxxxxxxxxxx> wrote:
> Hi,
> have a look at this site:
>
> https://help.ubuntu.com/community/ActiveDirectoryHowto
>
>
> It explains better than I can!
>
> --
> rachel polanskis
> <r.polanskis@xxxxxxxxxx>
> <grove@xxxxxxxxxxx>
>
> On 26/07/2011, at 17:27, Kenneth Holter <kenneho.ndu@xxxxxxxxx> wrote:
>
>> Thank you very much for your reply.
>>
>> Could you please elaborate on which attribute mappings exactly you are
>> referring to?
>>
>> I have tried adding these lines to my ldap.conf file, but without success:
>>
>> nss_map_objectclass posixAccount user
>> nss_map_objectclass shadowAccount user
>> nss_map_attribute uid sAMAccountName
>> nss_map_attribute homeDirectory unixHomeDirectory
>> nss_map_attribute shadowLastChange pwdLastSet
>> nss_map_objectclass posixGroup group
>> nss_map_attribute uniqueMember member
>> pam_login_attribute sAMAccountName
>> pam_filter objectclass=User
>>
>>
>> Best regards,
>> Kenneth
>>
>> On Tue, Jul 26, 2011 at 3:06 AM,  <grove@xxxxxxxxxxx> wrote:
>>> On Mon, 25 Jul 2011, Kenneth Holter wrote:
>>>
>>>
>>> Are you mapping the shadowAccount attribute along with the userPassword
>>> attribute?
>>>
>>> You must map both if you use shadow passwd entry like in RH or Solaris.
>>>
>>>
>>> rachel
>>>
>>>
>>>
>>>
>>>
>>>> Hi all,
>>>>
>>>>
>>>> I posted this question on the RHEL 5 mailing list, but didn't get any
>>>> replies. Then I came across pam-list, and this may be a more
>>>> appropriate place to post this question. This is the case:
>>>>
>>>> I'm working on setting up our RHEL servers to authenticate against
>>>> Active Directory 2008. With my current setup, users can log in and
>>>> most everything looks good. But one issue I'm having is that when the
>>>> "User must change password at next logon" box in AD is checked, I'm
>>>> denied access to the linux box. First, this is my setup:
>>>>
>>>> ###### /etc/ldap.conf ##########
>>>>
>>>> uri ldaps://ldap.example.com
>>>> base dc=example,dc=com
>>>>
>>>> nss_map_attribute uniqueMember msSFU30PosixMember
>>>> nss_map_attribute userPassword msSFU30Password
>>>>
>>>> pam_password_prohibit_message Your password could not be changed
>>>> pam_password ad
>>>> ssl on
>>>> tls_checkpeer no
>>>>
>>>> bind_timelimit 120
>>>> idle_timelimit 3600
>>>> bind_policy soft
>>>> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>>>>
>>>> binddn cn=serviceuser,ou=accounts,dc=example,dc=com
>>>> bindpw secret
>>>>
>>>> TLS_REQCERT allow
>>>>
>>>> ###### /etc/pam.d/system-auth ###########
>>>> #%PAM-1.0
>>>> # /etc/pam.d/system-auth
>>>> auth        required      pam_env.so
>>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>>> auth        sufficient    pam_ldap.so use_first_pass
>>>> auth        required      pam_deny.so
>>>>
>>>> account     required      pam_unix.so broken_shadow
>>>> account     sufficient    pam_localuser.so
>>>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>>>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>> account     required      pam_permit.so
>>>> account     required      pam_access.so accessfile=/etc/security/access.custom.conf
>>>>
>>>> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>> password    sufficient    pam_ldap.so use_authtok
>>>> password    required      pam_deny.so
>>>>
>>>> session     optional      pam_keyinit.so revoke
>>>> session     required      pam_limits.so
>>>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>> session     required      pam_unix.so
>>>> session     optional      pam_ldap.so
>>>> session     required      pam_mkhomedir.so skel=/etc/skel umask=077
>>>>
>>>>
>>>> ####### /etc/nsswitch.conf ####################
>>>> -- snip --
>>>> passwd:     ldap compat
>>>> shadow:     ldap compat
>>>> group:      ldap compat
>>>> -- snip --
>>>>
>>>>
>>>> So when I issue for example "ssh kenneth@server" to log into my RHEL
>>>> server, this is what /var/log/secure tells me:
>>>>
>>>> ## output start ##
>>>> 2011-07-22T13:37:21.140807+02:00 server sshd[11172]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server.example.com  user=kenneth
>>>> 2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com" (Invalid credentials)
>>>> 2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password for kenneth from 1.2.3.4 port 45352 ssh2
>>>> ## output end ##
>>>>
>>>> I've tried to google this issue, but haven't come across any
>>>> information that has helped me resolve it. Does anyone here
>>>> know what may be causing it? Any help will be greatly appreciated.
>>>>
>>>>
>>>> Best regards,
>>>> Kenneth Holter
>>>>
>>>> _______________________________________________
>>>> Pam-list mailing list
>>>> Pam-list@xxxxxxxxxx
>>>> https://www.redhat.com/mailman/listinfo/pam-list
>>>>
>>>
>>> --
>>> Rachel Polanskis                 Kingswood, Greater Western Sydney,
>>> Australia
>>> grove@xxxxxxxxxxx                http://www.zeta.org.au/~grove/grove.html
>>>   "The perversity of the Universe tends towards a maximum." - Finagle's Law
>>>
>>>
>>
>
>


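An added diagnostic helper for the failure discussed in this thread; it is not code from the thread, from pam_ldap or from nss_ldap. Active Directory answers a simple bind for an account flagged "User must change password at next logon" with LDAP result 49 (invalidCredentials), which is all pam_ldap logs above, but the diagnostic text AD attaches to that result carries a sub-code ("AcceptSecurityContext error, data 773") that distinguishes this case from a wrong password, a disabled account or a lockout. A manual test bind such as `ldapwhoami -x -H ldaps://ldap.example.com -D 'CN=kenneth,OU=Users,DC=example,DC=com' -W` prints that text as "additional info". The same flag is visible in the directory as `pwdLastSet` = 0, which is also the value the `shadowLastChange pwdLastSet` mapping in the thread would need to translate into the shadow(5) convention (0 = change password at next login). The sample diagnostic string and FILETIME value below are constructed; the sub-code table and the pwdLastSet semantics are AD's documented behaviour.

```python
"""Interpret an Active Directory bind failure and the pwdLastSet attribute.

Stand-alone example; inputs at the bottom are constructed, not taken from
a real directory.
"""
import re
from datetime import datetime, timedelta, timezone

# Sub-codes AD places in "AcceptSecurityContext error, data NNN" (hex, as
# printed by AD) when a simple bind returns result 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time (logon hours)",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_bind_failure(diagnostic: str) -> str:
    """Map AD's bind diagnostic text to a human-readable reason.

    A bare "Invalid credentials" (what pam_ldap logs) carries no sub-code,
    so it is reported as unknown rather than guessed at.
    """
    m = _DATA_RE.search(diagnostic)
    if not m:
        return "unknown (no AcceptSecurityContext sub-code in diagnostic)"
    code = m.group(1).lower()
    return AD_BIND_SUBCODES.get(code, "unrecognised sub-code " + code)


# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def interpret_pwdlastset(value: int):
    """Return (must_change_at_next_logon, last_set_utc_or_None).

    0 is what "User must change password at next logon" writes into the
    attribute; any other stored value is the time of the last change.
    """
    if value == 0:
        return True, None
    if value < 0:
        # -1 is only a write-side request ("set to now"), never a stored value
        raise ValueError("pwdLastSet must be non-negative")
    return False, _FILETIME_EPOCH + timedelta(microseconds=value // 10)


def shadow_last_change_days(pwd_last_set: int) -> int:
    """Convert pwdLastSet into the shadow(5) lastchg field: days since
    1970-01-01, with 0 meaning the password must be changed at next login."""
    must_change, when = interpret_pwdlastset(pwd_last_set)
    if must_change:
        return 0
    return (when - _UNIX_EPOCH).days


if __name__ == "__main__":
    # Constructed diagnostic text in the shape AD returns with result 49.
    sample_diag = ("80090308: LdapErr: DSID-0C0903A9, comment: "
                   "AcceptSecurityContext error, data 773, v1db1")
    print("bind failure:", classify_bind_failure(sample_diag))
    # Constructed FILETIME for 2011-07-22T00:00:00Z.
    sample_pwd_last_set = 129557664000000000
    print("must change:", interpret_pwdlastset(sample_pwd_last_set))
    print("shadow lastchg:", shadow_last_change_days(sample_pwd_last_set))
    print("flagged account:", interpret_pwdlastset(0))
```

Because the account is legitimately refused until its password is changed, the practical check on the Linux side is to confirm which sub-code the bind actually returns before changing any PAM or nss mappings: a `773` means the stack is behaving as AD intends, and the fix belongs in the password-change path (the `pam_password ad` part of the configuration), not in the attribute mappings.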

