  1. #1
    Just Joined!
    Join Date
    Jul 2012
    Posts
    3

    AD Domain-based authentication


    Hi,

    I finally got my Redhat 5.8 sandbox machine to successfully join our AD domain using kerberos and winbind. I can pull lists of users and groups (wbinfo -u, wbinfo -g), I can verify accounts (getent passwd and getent group) and pretty much do everything else expected. When I run “smbclient -L localhost -U TESTUSERACCOUNT” I can verify that it can be authenticated successfully. HOWEVER, I still can't figure out why the system won't accept login from a user such as TESTUSERACCOUNT. (HELP!)

    Interesting note: I can now login to the system using my local password OR my AD password. (I accidentally typed my AD password and noticed it worked, then confirmed by opening two SSH shells simultaneously with the two different passwords.)

    One other thing of note: When I look in the /var/log/secure file
    I will see output such as this:

    Code:
    Jul  5 09:57:20 HOSTNAME sshd[5376]: Connection from 10.10.10.10 port 49541
    Jul  5 09:57:26 HOSTNAME sshd[5376]: Invalid user TESTUSERACCOUNT#ADDOMAIN from 10.10.10.10
    Jul  5 09:57:26 HOSTNAME sshd[5377]: input_userauth_request: invalid user TESTUSERACCOUNT#ADDOMAIN 
    Jul  5 09:57:29 HOSTNAME sshd[5376]: pam_unix(sshd:auth): check pass; user unknown
    Jul  5 09:57:29 HOSTNAME sshd[5376]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10
    Jul  5 09:57:29 HOSTNAME sshd[5376]: pam_succeed_if(sshd:auth): error retrieving information about user TESTUSERACCOUNT#ADDOMAIN
    Jul  5 09:57:31 HOSTNAME sshd[5376]: Failed password for invalid user TESTUSERACCOUNT#ADDOMAIN from 10.10.10.10 port 49541 ssh2
    
    (Replaced @ with # because the forum would not let me post with the @; it thought they were URLs :(
    Last edited by paladin732; 07-05-2012 at 03:08 PM. Reason: Fixed ambiguous text

  2. #2
    Linux Newbie
    Join Date
    Apr 2012
    Posts
    112
    I think you need to look at your pam configuration (/etc/pam.d/sshd).

    I've written a couple of posts on how to join a domain for RHEL/CentOS 6.x for win2k3 and win2k8 domains, which might be of help.

    In essence, the authconfig command is what I've used, which more or less sets everything up for you.

    Not sure how applicable any of the above is to RHEL 5.x. We've only got a RHEL 5.x box but alas it's not joined to the domain.

  3. #3
    Just Joined!
    Join Date
    Jul 2012
    Posts
    3
    Thanks!

    I've tried looking into my PAM file and it seems fine.

    See below:

    Code:
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        sufficient    pam_winbind.so use_first_pass
    auth        required      pam_deny.so
    
    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
    account     required      pam_permit.so
    
    password    requisite     pam_cracklib.so retry=3 dcredit=-1 lcredit=-1 ocredit=-1 ucredit=-1 minlen=9
    password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    sufficient    pam_winbind.so use_authtok
    password    required      pam_deny.so
    "/etc/pam.d/system-auth" 29L, 1359C
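    A simplified walk through the auth stack of the system-auth file above, as an added example (not code from the thread): it shows why a name that NSS cannot resolve is rejected at the requisite pam_succeed_if line (matching the "error retrieving information about user" entry in the /var/log/secure output of the first post) and how the sufficient pam_winbind line lets a useradd account accept either the local or the AD password. The per-module outcomes are constructed assumptions; PAM_IGNORE and bracketed controls are not modeled.

```python
# Added example (not from the thread): simplified Linux-PAM control flow over
# the 'auth' lines of the posted /etc/pam.d/system-auth. Module outcomes are
# constructed to mirror the situations described in the thread.

PAM_AUTH_STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
"""

def parse_auth_stack(text):
    """Return [(control, module), ...] for the 'auth' lines of a PAM file."""
    rows = [ln.split() for ln in text.splitlines()]
    return [(r[1], r[2]) for r in rows if len(r) >= 3 and r[0] == "auth"]

def run_auth_stack(stack, outcomes):
    """outcomes: module -> True (PAM_SUCCESS) or False (any failure).
    Returns (result, modules_that_ran)."""
    required_failed, trace = False, []
    for control, module in stack:
        ok = outcomes.get(module, False)
        trace.append(module)
        if control == "required" and not ok:
            required_failed = True      # remembered, stack keeps running
        elif control == "requisite" and not ok:
            return "denied", trace      # stops the stack at once
        elif control == "sufficient" and ok and not required_failed:
            return "success", trace     # short-circuits the rest of the stack
    return ("denied" if required_failed else "success"), trace

STACK = parse_auth_stack(PAM_AUTH_STACK)

def unknown_user():
    # TESTUSERACCOUNT@ADDOMAIN does not resolve through NSS: pam_unix reports
    # 'user unknown' and pam_succeed_if cannot look the user up (see the log).
    return run_auth_stack(STACK, {"pam_env.so": True, "pam_unix.so": False,
                                  "pam_succeed_if.so": False})

def local_user_ad_password():
    # Account made with useradd, AD password typed: pam_unix fails, but the
    # 'sufficient' pam_winbind succeeds, so the login is accepted.
    return run_auth_stack(STACK, {"pam_env.so": True, "pam_unix.so": False,
                                  "pam_succeed_if.so": True, "pam_ldap.so": False,
                                  "pam_winbind.so": True})

def local_user_local_password():
    # Local password: pam_unix succeeds and short-circuits; winbind never runs.
    return run_auth_stack(STACK, {"pam_env.so": True, "pam_unix.so": True})
```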

  5. #4
    Just Joined!
    Join Date
    Jul 2012
    Posts
    3
    Whatever it is seems to be a login issue or account generation issue or something, since I can su between accounts... sorta

    For instance:

    I can't su to TESTUSER@AD
    but I can su to TESTUSER if I previously made the account via useradd and I use the AD password.

    FYI: I am accessing the box via SSH (it's a remotely hosted box).
