Active directory integration - password incorrect

user2016
Posts: 4
Joined: 2017/01/10 07:48:45

Active directory integration - password incorrect

Post by user2016 » 2017/01/23 04:00:18

Example:
[user@server ~]# id username
uid=100001(username) gid=100(users) groups=100(users),10000(sudo)

but when I try `su username` it says the password is incorrect
[user@server ~]# su username
su: incorrect password

/var/log/secure


Jan 23 05:52:52 Server001 su: pam_unix(su:auth): authentication failure; logname=shell_username uid=12 euid=0 tty=pts/0 ruser=shell_username rhost= user=my_username
Jan 23 05:52:52 Server001 su: pam_krb5[16895]: authentication fails for 'my_username' (my_usernmae@example.com)
I checked with Wireshark and for some reason AD resets the connection after I enter the password; I don't see the password being sent to AD, so I think it resets before accepting/checking the password, or something like that.

It's like the password is being checked locally.
It has to be something to do with ldap.conf, because AD used to reset the connection whenever I tried "id username", but after modifying ldap.conf, "id username" works. Any idea what could be wrong in ldap.conf?


ldap.conf


# LDAP client configuration for an Active Directory domain.
# Purpose: let NSS resolve AD users and groups (id / getent). The PAM stack
# shown alongside this file has pam_ldap commented out, so this file is NOT
# consulted when su verifies the password; that step goes through pam_krb5.
base dc=example,dc=com
# NOTE(review): a plain ldap:// URI together with "ssl no" means the simple
# bind below sends bindpw in cleartext on every lookup. Prefer "ssl start_tls"
# or an ldaps:// URI with a trusted CA, and keep this file readable by root
# only, since it holds a credential.
uri ldap://example.com
ssl no
binddn cn=Ldap Bind,cn=Users,dc=example,dc=com
bindpw bind_password_here
# Local system accounts whose supplementary groups are never looked up in LDAP.
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus

scope sub
# NOTE(review): the "filter <map> ..." and "map <map> ..." lines use
# nss-pam-ldapd (nslcd) syntax, while the nss_map_* / nss_base_* lines below
# use PADL nss_ldap syntax. Whichever library reads this file most likely
# ignores (or rejects) the other family -- confirm which one is installed.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))

# Map the RFC 2307 object classes and attributes onto AD's schema.
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
# The POSIX login name comes from sAMAccountName rather than uid.
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute gecos         name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute loginShell loginShell
# Only read by pam_ldap; inactive while pam_ldap stays commented out in PAM.
pam_login_attribute sAMAccountName
pam_filter objectclass=User
# NOTE(review): nss_ldap documents this directive as nss_base_passwd; a
# misspelled keyword is likely ignored, leaving passwd lookups on "base".
nss_base_password cn=Users,dc=example,dc=com
nss_base_shadow cn=Users,dc=example,dc=com
nss_base_group cn=Users,dc=example,dc=com
#pam_password example
# Do not chase AD referrals; they point at other partitions / DCs and can
# slow down or break lookups.
referrals       no
# Excludes entries whose userAccountControl has bit 2 (ACCOUNTDISABLE) set,
# using the LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) match rule.
filter shadow (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
filter group (&(objectClass=group)(gidNumber=*))

/etc/pam.d/system-auth-ac


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
#
# Stack used by su (through system-auth). Order matters: modules run top to
# bottom and a "sufficient" module ends the stack as soon as it succeeds.
auth        required      pam_env.so
# Local accounts: password checked against /etc/shadow. nullok allows a
# local account with an empty password to authenticate.
auth        sufficient    pam_unix.so nullok try_first_pass
# Any account below uid 500 that failed pam_unix is denied here (requisite)
# and never reaches Kerberos.
auth        requisite     pam_succeed_if.so uid >= 500 quiet
# Directory users are verified by Kerberos against the AD KDC, not by an LDAP
# bind; the "pam_krb5 ... authentication fails" line in /var/log/secure is
# produced here. NOTE(review): that log line shows the principal with a
# lowercase realm (...@example.com); Kerberos realms are case-sensitive and
# an AD realm is normally the upper-case domain name -- check default_realm
# and domain_realm in krb5.conf.
auth        sufficient    pam_krb5.so
# pam_ldap is disabled, so ldap.conf plays no part in password verification.
#auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

#account     required      pam_unix.so broken_shadow
account     required      pam_unix.so
#account     sufficient    pam_localuser.so
# Local system accounts (uid < 500) skip the Kerberos account check.
account     sufficient    pam_succeed_if.so uid < 500 quiet
#account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
# Directory users: pam_krb5's account check decides; users it does not know
# are ignored so local accounts fall through to pam_permit.
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
# Password changes only touch the local shadow file. "md5" selects the legacy
# MD5 hash for new local passwords; sha512 is the stronger choice where
# pam_unix supports it.
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
# With both of these disabled, passwd cannot change an AD password from here.
#password    sufficient    pam_krb5.so use_authtok
#password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# success=1: for the crond service, skip the next line (the pam_unix session).
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
#session     optional      pam_krb5.so
#session     optional      pam_ldap.so

# Creates the user's home directory on first login with owner-only
# permissions (umask 0077), populated from /etc/skel.
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
