  1. #1
    Just Joined!
    Join Date
    Mar 2008
    Posts
    47

    RHEL5.6 issues with LDAP/KRB5 authentication


    So I have set up a RHEL5.6 VM as a basic system.

    I have upgraded a Win2003 Server to 2003 RC2, and installed the Unix services on it.

    Using System > Administration > Authentication from the desktop, I have configured LDAP under "User Information". I am not using TLS to encrypt, and set the LDAP server as:
    dc=domain,dc=com
    ldap://dubious.mydomain.com

    On the "Authentication" tab I have configured Kerberos. I have manually entered the Realm, KDC and Admin Servers. I have also ticked both boxes "Use DNS to resolve...."

    If I run:
    ldapsearch -x -h dubious -b "CN=Users,DC=domain,DC=com" -D "CN=LDAPadmin,CN=Users,DC=domain,DC=com" -W
    I get loads of replies, then "Size limit exceeded", as you would expect.

    If I run kinit as LDAPadmin, put in the password, and then run klist, everything seems to be OK, as I get a token. I then used kdestroy to get rid of the token.

    I have edited /etc/ldap.conf and added:
    binddn CN=LDAPAdmin,CN=Users,DC=domain,DC=com
    bindpw password
    nss_map_objectclass posixAccount User
    nss_map_objectclass posixGroup Group
    nss_map_attribute homeDirectory unixHomeDirectory

    If I run "getent passwd" it returns users from Active Directory that have a UID associated in the "Unix Attributes" tab. I can also su to these users, and it creates the home directory, and when I run "id" I am getting the values that I inserted in ADS for GID and UID.

    However I cannot SSH as the user, nor log in at the desktop as the user. When I try to ssh as the user, it hangs for a few secs, then asks for the password. Once the password is entered, it hangs for a while (I am assuming until the timeout is reached) and then says Permission Denied.

    [This is being done in a test network that can be a little slow, so I wouldn't be too worried about the initial hang while it looks up the SSH user.]

    So from what I am seeing, it looks to me like the system is connecting to LDAP, but I have no idea where it is all going pear-shaped...

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    Is there anything helpful in /var/log/messages or /var/log/secure?

    Check out this how-to for more hints, it is Samba/LDAP oriented but might be helpful.

  3. #3
    Just Joined!
    Join Date
    Mar 2008
    Posts
    47
    There is nothing in messages. Here is secure:
    Oct 27 11:14:55 rhelads sshd[4190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.165.122 user=ipillion
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: configured realm 'MYDOMAIN.COM'
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flags: forwardable
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: no ignore_afs
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: user_check
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: no krb4_convert
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: krb4_convert_524
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: krb4_use_as_req
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: will try previously set password first
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: will let libkrb5 ask questions
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: no use_shmem
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: no external
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: no multiple_ccaches
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: validate
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: flag: warn
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: ticket lifetime: 36000
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: renewable lifetime: 36000
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: banner: Kerberos 5
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: ccache dir: /tmp
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: keytab: FILE:/etc/krb5.keytab
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: called to authenticate 'ipillion', realm 'MYDOMAIN.COM'
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating 'ipillion@MYDOMAIN.COM'
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: trying previously-entered password for 'ipillion', allowing libkrb5 to prompt for more
    Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating 'ipillion@MYDOMAIN.COM' to 'krbtgt/MYDOMAIN.COM@MYDOMAIN.COM'
    Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: krb5_get_init_creds_password(krbtgt/MYDOMAIN.COM@MYDOMAIN.COM) returned 0 (Success)
    Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: validating credentials
    Oct 27 11:15:16 rhelads sshd[4190]: pam_krb5[4190]: error guessing name of local host principal
    Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: TGT failed verification using keytab: Hostname cannot be canonicalized
    Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: got result 0 (Success)
    Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: authentication fails for 'ipillion' (ipillion@MYDOMAIN.COM): Authentication failure (Success)
    Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: pam_authenticate returning 7 (Authentication failure)
    Oct 27 11:15:38 rhelads sshd[4190]: Failed password for ipillion from 172.16.165.122 port 57518 ssh2
    Oct 27 11:15:40 rhelads sshd[4193]: Connection closed by 172.16.165.122

    I'm looking at the link you posted, but most of that is for setting up as a Directory Master from what I can see...

    From secure, should it show "krb5_get_init_creds_password(krbtgt/MYDOMAIN.COM@MYDOMAIN.COM) returned 0 (Success)" -- i.e. should there be two MYDOMAIN.COM there?

    And from this: Appendix D: Kerberos and LDAP Troubleshooting Tips

    DNS-related Error Messages

    Investigate DNS issues if you are experiencing error messages similar to those listed as follows:

    Host name cannot be canonicalized.


    So I tried to add the system to the domain, and created the smb.conf file with:
    workgroup = ITD2
    realm = mydomain.com
    security = ads
    use kerberos keytab = true


    There were some strange errors with Samba 3.0, so I reinstalled with 3.3 (both on the RHEL DVD).

    Now I am getting the following error when I try to join the domain:
    libads/sasl.c:ads_sasl_spnego_bind(819)
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Failed to join domain: failed to connect to AD: Invalid credentials


    I have also seen the following error when I was mucking about:
    Failed to join the domain: failed to join domain 'MYDOMAIN.COM' over rpc: NT code 0xc00002a7

  4. #4
    Just Joined!
    Join Date
    Jan 2012
    Posts
    1
    In /etc/krb5.conf add:

    validate = false

    in the [appdefaults] section.
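The log in post #3 shows the password itself being accepted by the KDC ("krb5_get_init_creds_password(...) returned 0 (Success)") and the failure arriving only at the "validating credentials" step, which pam_krb5 runs because "flag: validate" is set. Post #4's validate = false makes the module skip that step. That does make the login work, but the step exists for a reason: after getting the user's TGT, pam_krb5 requests a ticket for this host's own principal, host/<canonical FQDN>@REALM, and decrypts it with the key in /etc/krb5.keytab, which proves the KDC that answered actually holds the host key. Without it, whoever can answer this host's AS-REQ (DNS control or network position) can hand back a TGT and be logged in as any user. The two messages in the log, "error guessing name of local host principal" and "Hostname cannot be canonicalized", point at the cheaper fix: the host name must resolve to a FQDN and the keytab must contain that host principal. The script below is an added example, not code from the thread or from pam_krb5; it checks both preconditions, and the host name, resolver output and keytab listing it uses are constructed sample data.

```shell
#!/bin/sh
# Pre-flight check for pam_krb5's "validate" step (added example, not from the
# thread). Validation needs (a) the local host name to canonicalize to a FQDN
# and (b) a host/<FQDN>@REALM key in /etc/krb5.keytab. Each check takes the
# command output as an argument so it can be exercised on captured text.

# canonical_fqdn SHORTNAME RESOLVER_OUTPUT
# RESOLVER_OUTPUT is the text of `getent hosts SHORTNAME`. Prints the first
# name on that line containing a dot, i.e. what libkrb5 will canonicalize to,
# or nothing if the host only resolves to a bare short name.
canonical_fqdn() {
    printf '%s\n' "$2" | awk '{
        for (i = 2; i <= NF; i++)
            if ($i ~ /\./) { print $i; exit }
    }'
}

# keytab_has_host_key FQDN REALM KLIST_OUTPUT
# KLIST_OUTPUT is the text of `klist -k /etc/krb5.keytab`; succeeds when an
# entry for host/FQDN@REALM is listed (exact, case-sensitive match).
keytab_has_host_key() {
    printf '%s\n' "$3" | awk -v want="host/$1@$2" '
        $2 == want { found = 1 }
        END { exit !found }'
}

# validate_check SHORTNAME REALM RESOLVER_OUTPUT KLIST_OUTPUT
# Prints a verdict; returns 0 only if pam_krb5 validation can succeed.
validate_check() {
    fqdn=$(canonical_fqdn "$1" "$3")
    if [ -z "$fqdn" ]; then
        echo "FAIL: '$1' does not resolve to a FQDN; pam_krb5 will report 'Hostname cannot be canonicalized'"
        return 1
    fi
    if ! keytab_has_host_key "$fqdn" "$2" "$4"; then
        echo "FAIL: no host/$fqdn@$2 entry in the keytab; re-join the host or export the host key"
        return 2
    fi
    echo "OK: TGTs can be validated against host/$fqdn@$2"
}

# Constructed sample data (not captured from the thread's systems): the same
# host first with a proper FQDN record, then with a bare /etc/hosts entry.
GOOD_HOSTS='172.16.165.10   rhelads.mydomain.com rhelads'
BAD_HOSTS='172.16.165.10   rhelads'
KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rhelads.mydomain.com@MYDOMAIN.COM
   2 HOST/RHELADS@MYDOMAIN.COM'

# Run against the live system with: sh validate_check.sh --live
if [ "${1:-}" = "--live" ]; then
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' /etc/krb5.conf | head -n 1)
    validate_check "$(hostname -s)" "$realm" \
        "$(getent hosts "$(hostname -s)")" "$(klist -k /etc/krb5.keytab 2>/dev/null)"
fi
```

If the live run passes but sshd still logs the validation failure, check that sshd's PAM stack is reading the same /etc/krb5.conf and keytab (the log above names FILE:/etc/krb5.keytab) and that the keytab is readable by root only; if it fails on the first check, fix the A/PTR records or /etc/hosts before reaching for validate = false.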

  5. #5
    Just Joined!
    Join Date
    Mar 2008
    Posts
    47
    Quote Originally Posted by djpm05:
    in /etc/krb5.conf add:

    validate = false in the [appdefaults] section.
    Apologies. Over Christmas we had downtime, and rebooting all the servers seemed to fix this. I can now log in with any account that has a UID in Active Directory.

    HOWEVER, when I use getent passwd, I only get a list of users created before July 2008. This was when a Win2k3 R2 server was added to the directory tree (US logon server), so the AD schema would have changed then.

    Anyone know how to get the getent returning all users?
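Two points in the thread can be checked from captured directory output rather than by guessing: post #1's ldapsearch stops at "Size limit exceeded", and post #5 asks why getent passwd only lists users created before the 2008 schema change. With the ldap.conf mapping in post #1, nss_ldap only returns entries that carry uidNumber and gidNumber (the nss_map_attribute line there only remaps the home directory), so the first step is to see which attributes the newer accounts actually have in the directory. The awk-based audit below is an added example, not code from the thread or from nss_ldap; it reads ldapsearch LDIF and reports, per entry, which of the three attributes the mapping depends on are missing. The LDIF it runs on is constructed sample data, not output from the poster's domain.

```shell
#!/bin/sh
# Audit which AD user entries carry the RFC 2307 attributes nss_ldap needs
# (added example, not the poster's or any vendor's script). Entries without
# uidNumber never appear in `getent passwd`, so comparing this report with
# the getent output shows whether missing users lack attributes in the
# directory or are being dropped somewhere else.

# audit_ldif: reads ldapsearch LDIF on stdin and prints one line per entry:
#   <dn><TAB>OK                       all required attributes present
#   <dn><TAB>MISSING:<attr>[,<attr>]  which ones are absent
# Comment lines ("# search result") and the trailing "search:"/"result:"
# lines are ignored; folded (continuation) lines are not handled.
audit_ldif() {
    awk '
        function flush(    i, n, want, missing, k) {
            if (dn == "") return
            n = split("uidNumber gidNumber unixHomeDirectory", want, " ")
            missing = ""
            for (i = 1; i <= n; i++)
                if (!(want[i] in have)) {
                    if (missing != "") missing = missing ","
                    missing = missing want[i]
                }
            printf "%s\t%s\n", dn, (missing == "" ? "OK" : "MISSING:" missing)
            dn = ""
            for (k in have) delete have[k]
        }
        /^dn: /  { flush(); dn = substr($0, 5); next }
        /^$/     { flush(); next }
        /^[A-Za-z][A-Za-z0-9-]*::? / {      # "attr: value" or "attr:: base64"
            name = $0; sub(/:.*$/, "", name); have[name] = 1
        }
        END { flush() }'
}

# count_status STATUS: reads audit_ldif output on stdin and prints how many
# entries have exactly that status string (e.g. OK).
count_status() {
    awk -F '\t' -v s="$1" '$2 == s { c++ } END { print c + 0 }'
}

# Constructed sample LDIF: one fully populated account, one with no Unix
# attributes at all, one with uidNumber/gidNumber but no home directory.
SAMPLE_LDIF='dn: CN=Alice Old,CN=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: aold
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/aold
loginShell: /bin/bash

dn: CN=Bob New,CN=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: bnew

dn: CN=Carol Half,CN=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: chalf
uidNumber: 10003
gidNumber: 10000

# search result
search: 2
result: 0 Success'

printf '%s\n' "$SAMPLE_LDIF" | audit_ldif

# Live run, using the server, base and bind DN from post #1. The paged
# results control (-E pr=...) avoids the "Size limit exceeded" that a plain
# search against AD returns once it hits the server-side page limit:
#   ldapsearch -x -H ldap://dubious.mydomain.com -E pr=500/noprompt \
#       -b "CN=Users,DC=domain,DC=com" \
#       -D "CN=LDAPadmin,CN=Users,DC=domain,DC=com" -W \
#       "(objectClass=user)" uidNumber gidNumber unixHomeDirectory | audit_ldif
```

One caveat on the ldap.conf in post #1: nss_ldap reads /etc/ldap.conf as every local user, so the file has to stay world-readable and the bindpw in it is visible to anyone with a shell on the box; nss_ldap's rootbinddn setting, with the password kept in /etc/ldap.secret (mode 600), limits that to root. Separately, a simple bind over plain ldap:// sends that password in the clear on the wire, so once the mapping works, switch to ldaps:// or "ssl start_tls" before this leaves the test network.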
