Active directory integration - password incorrect

Postby user2016 » 2017/01/23 04:00:18

[user@server ~]# id username
uid=100001(username) gid=100(users) groups=100(users),10000(sudo)

But when I try "su username", it says the password is incorrect:
[user@server ~]# su username
su: incorrect password


Code:

Jan 23 05:52:52 Server001 su: pam_unix(su:auth): authentication failure; logname=shell_username uid=12 euid=0 tty=pts/0 ruser=shell_username rhost= user=my_username
Jan 23 05:52:52 Server001 su: pam_krb5[16895]: authentication fails for 'my_username' (

I checked with Wireshark, and for some reason AD resets the connection after I enter the password. I don't see the password being sent to AD; I think it resets before accepting/checking the password, or something like that.

It's like the password is being checked locally.
It had to be something to do with ldap.conf, because AD used to reset the connection whenever I tried "id username", but after modifying ldap.conf "id username" works. Any idea what could be wrong in the ldap.conf?


Code:

# ldap.conf as posted, with comments. It mixes two keyword dialects:
# nss_map_*/nss_base_*/pam_* belong to PADL pam_ldap/nss_ldap, while
# "filter ..." and "map ..." belong to nslcd (nss-pam-ldapd); a given
# parser understands only one of the two sets.
base dc=example,dc=com
# uri must name a domain controller; the host is missing here
uri ldap://
# ssl no: the bind password below, and any user password pam_ldap sends
# for authentication, cross the network unencrypted. Use "ssl start_tls"
# or an ldaps:// uri.
ssl no
binddn cn=Ldap Bind,cn=Users,dc=example,dc=com
bindpw bind_password_here
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus

scope sub
# only AD users that carry POSIX attributes become passwd entries
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute loginShell loginShell
pam_login_attribute sAMAccountName
pam_filter objectclass=User
# the keyword is nss_base_passwd, not nss_base_password
nss_base_passwd cn=Users,dc=example,dc=com
nss_base_shadow cn=Users,dc=example,dc=com
nss_base_group cn=Users,dc=example,dc=com
# pam_password is unset, so password changes through pam_ldap are not
# configured; against AD that needs "pam_password ad" over an encrypted
# connection
#pam_password example
referrals       no
# shadow entries exclude disabled accounts (userAccountControl bit 2)
filter shadow (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
filter group (&(objectClass=group)(gidNumber=*))


Code:

# The authconfig-generated PAM stack as posted. The module column (the
# pam_*.so names) did not survive the paste: each line shows only the
# control flag and the options. Read it against the su log above, where
# pam_unix fails first and pam_krb5 then rejects the password.
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required
auth        sufficient    nullok try_first_pass
auth        requisite     uid >= 500 quiet
auth        sufficient
#auth       sufficient    use_first_pass
auth        required

#account    required      broken_shadow
account     required
#account    sufficient
account     sufficient    uid < 500 quiet
#account    [default=bad success=ok user_unknown=ignore]
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite     try_first_pass retry=3
password    sufficient    md5 shadow nullok try_first_pass use_authtok
#password   sufficient    use_authtok
#password   sufficient    use_authtok
password    required

session     optional      revoke
session     required
session     [success=1 default=ignore]  service in crond quiet use_uid
session     required
#session    optional
#session    optional

session     required      skel=/etc/skel umask=0077
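The script below is an added example for this thread, not code from the post or from pam_ldap/nslcd. It parses a constructed copy of the posted ldap.conf and the two su log lines and reports, offline, what a reviewer would flag before touching PAM: a uri with no host, "ssl no" (cleartext binds; a domain controller set to require LDAP signing refuses simple binds on such a connection), the misspelled nss_base_passwd keyword, the mixture of pam_ldap and nslcd keywords, and the absent pam_password. The keyword tables, the dc01.example.com hostname and the CA file path in the hardened variant are assumptions.

```python
"""Offline checks for an AD-facing ldap.conf and a PAM su failure trace.

Added example for this thread, not code from the post. Sample inputs are
constructed copies of what the post shows; the keyword tables are an
assumed, illustrative subset of what pam_ldap/nss_ldap and nslcd accept.
"""
import difflib
import re

# PADL pam_ldap/nss_ldap-only keywords.
PADL_KEYWORDS = {"nss_map_objectclass", "nss_map_attribute", "nss_base_passwd",
                 "nss_base_shadow", "nss_base_group", "pam_login_attribute",
                 "pam_filter", "pam_password"}
# nslcd (nss-pam-ldapd)-only keywords.
NSLCD_KEYWORDS = {"filter", "map", "uid", "gid", "pagesize"}
# Keywords both parsers accept.
COMMON_KEYWORDS = {"base", "uri", "ssl", "binddn", "bindpw", "scope", "referrals",
                   "timelimit", "bind_timelimit", "idle_timelimit",
                   "tls_cacertfile", "nss_initgroups_ignoreusers"}


def parse_ldap_conf(text):
    """Return [(lineno, keyword, value)] for the non-comment lines of an ldap.conf."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        entries.append((lineno, parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries


def lint_ldap_conf(text):
    """Return [(lineno, code, message)] findings; lineno 0 means whole-file."""
    entries = parse_ldap_conf(text)
    keys = {k for _, k, _ in entries}
    known = PADL_KEYWORDS | NSLCD_KEYWORDS | COMMON_KEYWORDS
    findings, uris = [], []
    for lineno, key, value in entries:
        if key not in known:  # typo such as nss_base_password is silently useless
            hint = difflib.get_close_matches(key, sorted(known), n=1)
            msg = "unknown keyword %r" % key
            if hint:
                msg += ", did you mean %r?" % hint[0]
            findings.append((lineno, "UNKNOWN_KEYWORD", msg))
        if key == "uri":
            for uri in value.split():
                uris.append(uri)
                if not re.match(r"^ldaps?://[^/\s]+", uri):  # bare scheme, no server
                    findings.append((lineno, "NO_HOST", "uri %r names no server" % uri))
    ssl_mode = next((v.lower() for _, k, v in entries if k == "ssl"), "no")
    encrypted = ssl_mode in ("start_tls", "on", "yes") or bool(
        uris and all(u.startswith("ldaps://") for u in uris))
    if not encrypted:
        findings.append((0, "CLEARTEXT", "ssl is %r and uri is not ldaps://: the bind "
                         "password and every user password pam_ldap sends cross the "
                         "network unencrypted" % ssl_mode))
    padl, nslcd = sorted(keys & PADL_KEYWORDS), sorted(keys & NSLCD_KEYWORDS)
    if padl and nslcd:
        findings.append((0, "MIXED_DIALECTS", "pam_ldap/nss_ldap keywords %s mixed with "
                         "nslcd keywords %s; each parser understands only its own set"
                         % (padl, nslcd)))
    if padl and "pam_password" not in keys:
        findings.append((0, "NO_PAM_PASSWORD", "pam_password unset: password changes "
                         "through pam_ldap against AD need 'pam_password ad' over TLS"))
    return findings


def failed_auth_modules(log_lines):
    """Return, in order, the PAM modules that logged an authentication failure."""
    modules = []
    for line in log_lines:
        module = re.search(r"\b(pam_[a-z0-9]+)", line)
        if re.search(r"authentication fail(?:ure|s)\b", line) and module:
            modules.append(module.group(1))
    return modules


# Constructed copy of the posted ldap.conf, shortened to the relevant lines.
SAMPLE_CONF = """\
base dc=example,dc=com
uri ldap://
ssl no
binddn cn=Ldap Bind,cn=Users,dc=example,dc=com
bindpw bind_password_here
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
nss_map_attribute uid sAMAccountName
pam_filter objectclass=User
nss_base_password cn=Users,dc=example,dc=com
#pam_password example
map shadow uid sAMAccountName
"""

# Hardened variant in one dialect; the DC hostname and CA path are assumptions.
HARDENED_CONF = """\
base dc=example,dc=com
uri ldaps://dc01.example.com
ssl on
tls_cacertfile /etc/openldap/cacerts/ad-root.pem
binddn cn=Ldap Bind,cn=Users,dc=example,dc=com
bindpw bind_password_here
nss_base_passwd cn=Users,dc=example,dc=com
pam_login_attribute sAMAccountName
pam_password ad
"""

# Constructed from the two su log lines in the post.
SAMPLE_SU_LOG = [
    "Jan 23 05:52:52 Server001 su: pam_unix(su:auth): authentication failure; logname=shell_username uid=12 euid=0 tty=pts/0 ruser=shell_username rhost= user=my_username",
    "Jan 23 05:52:52 Server001 su: pam_krb5[16895]: authentication fails for 'my_username'",
]
```

Pair the offline result with two live checks that separate the credential paths the log shows: kinit my_username@EXAMPLE.COM (realm assumed) for the Kerberos path, and ldapwhoami -ZZ -H ldap://dc01.example.com -D 'my_username@example.com' -W for a simple bind as the user over StartTLS. A kinit that succeeds while su still fails narrows the problem to the PAM stack rather than to the directory.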