- 10-25-2011 #1 (Just Joined!, Join Date: Mar 2008, Posts: 47)
RHEL5.6 issues with LDAP/KRB5 authentication
So I have set up a RHEL5.6 VM as a basic system.
I have upgraded a Win2003 Server to 2003 R2, and installed the Unix services on it.
Using System > Administration > Authentication from the desktop, I have configured LDAP under "User Information". I am not using TLS to encrypt, and set the LDAP server as:
dc=domain,dc=com
ldap://dubious.mydomain.com
On the "Authentication" tab I have configured Kerberos. I have manually entered the Realm, KDC and Admin Servers. I have also ticked both boxes "Use DNS to resolve....".
If I run:
ldapsearch -x -h dubious -b "CN=Users,DC=domain,DC=com" -D "CN=LDAPadmin,CN=Users,DC=domain,DC=com" -W
I get loads of replies, then Size limit exceeded. As you would expect.
If I run kinit as LDAPadmin, put in the password, and then run klist, everything seems to be OK, as I get a token. I then used kdestroy to get rid of the token.
I have edited /etc/ldap.conf and added:
binddn CN=LDAPAdmin,CN=Users,DC=domain,DC=com
bindpw password
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute homeDirectory unixHomeDirectory
If I run "getent passwd" it returns users from Active Directory that have a UID associated in the "Unix Attributes" tab. I can also su to these users, and it creates the home directory, and when I run "id" I am getting the values that I inserted in AD for GID and UID.
However I cannot SSH as the user, nor log in at the desktop as the user. When I try to ssh as the user, it hangs for a few secs, then asks for the password. Once the password is entered, it hangs for a while (I am assuming until the timeout is reached) and then says Permission Denied.
[This is being done in a test network, which can be a little slow, so I wouldn't be too worried about the initial hang while it looks up the ssh user]
So from what I am seeing, it looks like the system is connecting to LDAP, but I have no idea where it is all going pear-shaped.
- 10-26-2011 #2 (Trusted Penguin, Join Date: May 2011, Posts: 3,746)
Is there anything helpful in /var/log/messages or /var/log/secure?
Check out this how-to for more hints, it is Samba/LDAP oriented but might be helpful.
- 10-27-2011 #3 (Just Joined!, Join Date: Mar 2008, Posts: 47)
There is nothing in messages. Here is secure:
Oct 27 11:14:55 rhelads sshd[4190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.165.122 user=ipillion
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: configured realm 'MYDOMAIN.COM'
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flags: forwardable
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: no ignore_afs
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: user_check
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: no krb4_convert
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: krb4_convert_524
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: krb4_use_as_req
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: will try previously set password first
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: will let libkrb5 ask questions
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: no use_shmem
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: no external
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: no multiple_ccaches
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: validate
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: warn
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: ticket lifetime: 36000
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: renewable lifetime: 36000
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: banner: Kerberos 5
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: ccache dir: /tmp
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: keytab: FILE:/etc/krb5.keytab
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: called to authenticate 'ipillion', realm 'MYDOMAIN.COM'
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating 'ipillion@MYDOMAIN.COM'
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: trying previously-entered password for 'ipillion', allowing libkrb5 to prompt for more
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating 'ipillion@MYDOMAIN.COM' to 'krbtgt/MYDOMAIN.COM@MYDOMAIN.COM'
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: krb5_get_init_creds_password(krbtgt/MYDOMAIN.COM@MYDOMAIN.COM) returned 0 (Success)
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: validating credentials
Oct 27 11:15:16 rhelads sshd[4190]: pam_krb5[4190]: error guessing name of local host principal
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: TGT failed verification using keytab: Hostname cannot be canonicalized
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: got result 0 (Success)
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: authentication fails for 'ipillion' (ipillion@MYDOMAIN.COM): Authentication failure (Success)
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: pam_authenticate returning 7 (Authentication failure)
Oct 27 11:15:38 rhelads sshd[4190]: Failed password for ipillion from 172.16.165.122 port 57518 ssh2
Oct 27 11:15:40 rhelads sshd[4193]: Connection closed by 172.16.165.122
I'm looking at the link you posted but most of that is for setting up as a Directory Master from what I can see.
From secure, should it show "krb5_get_init_creds_password(krbtgt/MYDOMAIN.COM@MYDOMAIN.COM) returned 0 (Success)", i.e. should there be two MYDOMAIN.COM there?
And from this: Appendix D: Kerberos and LDAP Troubleshooting Tips
DNS-related Error Messages
Investigate DNS issues if you are experiencing error messages similar to those listed as follows:
Host name cannot be canonicalized.
So I tried to add the system to the domain, and created the smb.conf file with:
workgroup = ITD2
realm = MYDOMAIN.COM
security = ads
use kerberos keytab = yes
There were some strange errors with Samba-3.0, so I reinstalled 3.3 (both on the RHEL dvd).
Now I am getting the following error when I try to join the domain:
libads/sasl.c:ads_sasl_spengo_bind(819)
kinit suceeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials
I have also seen the following error when I was mucking about:
Failed to join the domain: failed to join domain 'MYDOMAIN.COM' over rpc: NT code 0xc00002a7
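As an added example (not from the thread), a short Python triage of the pam_krb5 lines in that /var/log/secure excerpt: it separates the KDC accepting the password (the AS exchange returned 0) from the later local step where pam_krb5's validate flag checks the TGT against /etc/krb5.keytab, which is the step failing here. The sample lines are copied from the post above; the remediation wording in the verdict is this example's own suggestion.

```python
import re
from collections import OrderedDict

# Sample input: pam_krb5 lines copied from the /var/log/secure excerpt in the thread,
# trimmed to the ones the triage needs (constructed test input, not a live log).
SAMPLE_SECURE = """\
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating 'ipillion@MYDOMAIN.COM' to 'krbtgt/MYDOMAIN.COM@MYDOMAIN.COM'
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: krb5_get_init_creds_password(krbtgt/MYDOMAIN.COM@MYDOMAIN.COM) returned 0 (Success)
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: validating credentials
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: TGT failed verification using keytab: Hostname cannot be canonicalized
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: pam_authenticate returning 7 (Authentication failure)
"""

PAM_KRB5_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_krb5\[\d+\]: (?P<msg>.*)$")
AS_REQ_RE = re.compile(r"authenticating '([^@']+)@([^']+)' to 'krbtgt/")
AS_OK_RE = re.compile(r"krb5_get_init_creds_password\(krbtgt/[^)]*\) returned 0 ")
VALIDATE_FAIL_RE = re.compile(r"TGT failed verification using keytab: (.*)")

def triage_pam_krb5(log_text):
    """Group pam_krb5 lines by sshd PID and say which step of the Kerberos login failed."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = PAM_KRB5_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m.group("pid"), {"user": None, "realm": None,
                                                 "kdc_accepted": False, "validation_error": None})
        msg = m.group("msg")
        if AS_REQ_RE.match(msg):
            s["user"], s["realm"] = AS_REQ_RE.match(msg).groups()
        elif AS_OK_RE.match(msg):          # the KDC issued a TGT, so the password was right
            s["kdc_accepted"] = True
        elif VALIDATE_FAIL_RE.match(msg):  # local check of that TGT against the keytab failed
            s["validation_error"] = VALIDATE_FAIL_RE.match(msg).group(1)
    for s in sessions.values():
        s["verdict"] = verdict(s)
    return sessions

def verdict(s):
    # The validate step is what stops a spoofed KDC from logging a user in; it needs the host's
    # FQDN to resolve both ways and a host/<fqdn>@REALM key in /etc/krb5.keytab.
    if s["kdc_accepted"] and s["validation_error"]:
        return ("password accepted by KDC; TGT validation failed (%s): check forward/reverse DNS "
                "for this host and that the keytab holds host/<fqdn>@%s"
                % (s["validation_error"], s["realm"]))
    if s["kdc_accepted"]:
        return "Kerberos authentication succeeded"
    return "KDC did not issue a TGT (wrong password, unknown principal, or no AS exchange logged)"
```

Run it over a real /var/log/secure with `triage_pam_krb5(open("/var/log/secure").read())` to get one verdict per sshd PID.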
- 01-18-2012 #4 (Just Joined!, Join Date: Jan 2012, Posts: 1)
In /etc/krb5.conf add:
validate = false
in the [appdefaults] section.
- 01-20-2012 #5 (Just Joined!, Join Date: Mar 2008, Posts: 47)
Apologies. Over Christmas we had downtime, and rebooting all the servers seemed to fix this. I can now log in with any account that has a UID in Active Directory.
HOWEVER, when I use getent passwd, I only get a list of users created before July 2008. This was when a win2k3R2 server was added to the directory tree (US logon server), so the AD schema would have changed then.
Anyone know how to get the getent returning all users?