LDAP and PAM Configurations for Windows 2008 R2 ADS and Cubox Ubuntu client

# 1  
Old 08-08-2012

Please, I am having a problem logging in using Windows 2008 R2 Active Directory Services accounts on a Cubox Ubuntu (2.6.32.9-dove-5.4.2 #46). "getent passwd" only shows local users; however, I can query ADS users using the ldapsearch command.
I have 2 systems: one that does not use gdm can log in with all users (local and ADS), but the one that uses gdm allows only local users to log in, not ADS users, and I am getting the following error messages (using the Ctrl+Alt+F4 console) in /var/log/auth.log:
pam_unix(login:auth): check pass; user unknown
pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty4 ruser= rhost=
pam_unix(login:account): could not identify user (from getpwnam(gokopwin))
User not known to the underlying authentication module

And when logging in from the login window, /var/log/auth.log gives similar gdm errors to the above:
pam_unix(gdm:auth): check pass; user unknown
pam_unix(gdm:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty4 ruser= rhost=
pam_unix(gdm:account): could not identify user (from getpwnam(gokopwin))


On the login prompt the error says:
You must be a member of cn=ldapusers,cn=users,dc=myDomain,dc=net to login

My configuration files are:

/etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns mdns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
/etc/ldap.conf:
host MYHOSTNAME (FQ)
base dc=MYDOMAIN,dc=net
uri ldap://SERVER.MYDOMAIN.net
ldap_version 3
rootbinddn cn=ldap admin,cn=users,dc=MYDOMAIN,dc=net
scope sub
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
network timeout 20
referrals on
pam_filter objectCategory=User
pam_login_attribute sAMAccountName
pam_groupdn cn=ldapusers,cn=Users,dc=MYDOMAIN,dc=net
pam_member_attribute member
pam_password ad
nss_base_passwd dc=qcri,dc=qa?Sub?&(objectClass=User)(uidNumber=*)
nss_base_shadow dc=qcri,dc=qa?Sub?&(objectClass=User)(uidNumber=*)
nss_base_group dc=qcri,dc=qa?Sub?&(objectClass=Group)(gidNumber=*)
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute cn sAMAccountName
nss_map_attribute uniqueMember member
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos name
nss_map_objectclass posixGroup Group
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,bind,couchdb,daemon,dbus,games,gdm,gnats,haldaemon,hplip,irc,kernoops,ldap,libuuid,list,lp,mail,mailman,man,messagebus,myLocalUser,mysql,named,news,ntp,nz,openldap,polkituser,proxy,pulse,radiusd,radvd,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,tomcat,usbmux,uucp,www-data
/etc/pam.d/*:
common-account:
account sufficient pam_ldap.so
account required pam_unix.so
common-auth:
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
common-session:
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
common-session-noninteractive:
session required pam_unix.so
common-password:
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure md5
passwd:
@include common-password
login:
auth optional pam_faildelay.so delay=3000000
auth required pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
@include common-account
@include common-session
@include common-password
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
gdm:
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password

Any help is welcome, as I have spent almost a week on this. I thought it would be simple, as I succeeded on the first system, but the Cubox using gdm is proving to be a daunting task. I have googled a lot and used many materials.

Regards
Powell
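A static consistency check for an ldap.conf and nsswitch.conf laid out like the ones in the post (added example, not from the poster or from libnss-ldap): it flags nss_base_* search bases that fall outside the global base, an AD-incompatible pam_filter, and nsswitch databases that never consult ldap, all of which leave getent with local users only. The sample files it writes are constructed with placeholder domains.

```shell
#!/bin/sh
# Static sanity checks for a libnss-ldap/pam_ldap /etc/ldap.conf and /etc/nsswitch.conf
# laid out like the ones posted above. Each MISMATCH: line is counted in the return value.
check_ldap_conf() {
    conf="$1"; n=0
    base=$(awk 'tolower($1)=="base"{print tolower($2)}' "$conf")   # DNs compare case-insensitively
    for key in nss_base_passwd nss_base_shadow nss_base_group; do
        val=$(awk -v k="$key" 'tolower($1)==k{print tolower($2)}' "$conf")
        [ -z "$val" ] && continue
        dn=${val%%\?*}          # drop the "?scope?filter" suffix; note the filter's uidNumber=*
                                # means only accounts carrying RFC 2307 attributes are listed
        case "$dn" in
            *"$base") ;;        # search base sits under the global base
            *) echo "MISMATCH: $key searches '$dn', outside base '$base'"; n=$((n + 1)) ;;
        esac
    done
    # AD user objects carry objectCategory=person, so objectCategory=User admits nobody
    if awk 'tolower($1)=="pam_filter"{print tolower($2)}' "$conf" | grep -qx 'objectcategory=user'; then
        echo "MISMATCH: pam_filter objectCategory=User matches no AD user; objectClass=user is usual"
        n=$((n + 1))
    fi
    return $n
}
check_nsswitch() {
    n=0
    for db in passwd group shadow; do
        if ! awk -v d="$db:" '$1==d' "$1" | grep -qw ldap; then
            echo "MISMATCH: nsswitch '$db' does not list ldap, so getent shows local users only"
            n=$((n + 1))
        fi
    done
    return $n
}
# Constructed sample files (placeholder domains, not the poster's real ones): the
# passwd search base deliberately points at a different tree than 'base'.
write_sample() {
    cat > "$1" <<'EOF'
base dc=example,dc=net
pam_filter objectCategory=User
nss_base_passwd dc=other,dc=org?sub?&(objectClass=User)(uidNumber=*)
nss_base_group dc=example,dc=net?sub?&(objectClass=Group)(gidNumber=*)
EOF
    printf 'passwd: files ldap\ngroup: files\nshadow: files ldap\n' > "$2"
}
tmp=$(mktemp -d); write_sample "$tmp/ldap.conf" "$tmp/nsswitch.conf"
check_ldap_conf "$tmp/ldap.conf" && rc=0 || rc=$?; echo "ldap.conf mismatches: $rc"
check_nsswitch "$tmp/nsswitch.conf" && rc=0 || rc=$?; echo "nsswitch mismatches: $rc"
rm -rf "$tmp"
```

Point the two functions at the real /etc/ldap.conf and /etc/nsswitch.conf to run the same checks on a live host.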
# 2  
Old 08-08-2012
Duplicate thread. Closed.