Assistance ldap kerberos auth against AD 2008 centos 5.8
Hello,
I hope you are all well.
I am in need of assistance, I have been trying to get our Centos 5.8 servers to authenticate against Active Directory 2008 servers.
I have no control over the AD server, just a bunch of linux servers running Centos5.8.
Previously ldap was setup and authenticating to the AD server with no tls certificate. Recently the AD people have started moving people away from our current domain to a new domain. And for the life of me I cannot get the servers to authenticate against the new domain.
i am not using windbind or samba for authentication.
If someone can have a look and see where I am going wrong/what I am missing I would greatly appreciate it.
my ldapsearch returns positive results.
authconfig --enablekrb5 --krb5realm=ABC.net --enablekrb5kdcdns --disbleldapauth --disablewinbindauth --disablewinbind --enableldap --ldapserver ldap://ldapsrv.ABC.net:3268 --ldapbasedn dc=ABC,dc=net --enablelocauthorize --disablesmbauth --updateall
Here are my files:
(santised version)
/etc/ldap.conf
host ABC.net
base dc=ABC,dc=net
binddn CN=USER1,OU=aa,OU=,pp,OU=blah,OU=moo,OU=blah,DC=ABC,DC=net
bindpw the_password
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
ssl no
bind_policy soft
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pagesize 1000
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
referrals no
nss_schema rfc2307bis
nss_base_passwd dc=ABC,dc=net?sub?&(objectCategory=user)(uidnumber=*)
nss_base_shadow dc=ABC,dc=net?sub?&(objectCategory=user)(uidnumber=*)
nss_base_group dc=ABC,dc=net?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute gecos displayName
nss_map_attribute uniqueMember member
pam_member_attribute member
pam_login_attribute sAMAccountName
pam_password ad
uri ldap://ldapsrv.ABC.net:3268
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = abc.net
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 10h
forwardable = yes
renew_lifetime = 7d
[realms]
ABC.NET = {
kdc = abc.net
admin_server = abc.net
}
abc.net = {
kdc = abc.net
admin_server = abc.net
}
[domain_realm]
#.example.com = EXAMPLE.COM
#example.com = EXAMPLE.COM
abc.net = ABC.NET
.abc.net = ABC.NET
[appdefaults]
pam = {
debug = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
krb4_convert = false
}
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
[pam]
# Example LDAP domain
[domain/LDAP]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://ldapsrv.ABC.net:3269
ldap_search_base = dc=ABC,dc=net
ldap_default_bind_dn = CN=USER1,OU=aa,OU=,pp,OU=blah,OU=moo,OU=blah,DC=ABC,DC=net
ldap_default_authtok_type = password
ldap_default_authtok = the_passord
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_group_search_base = OU=GRP,OU=Data,DC=ABC,DC=net
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_name = sAMAccountName
ldap_group_member = member
ldap_group_nesting_level = 4
#ldap_user_objectsid = objectSid
#ldap_group_objectsid = objectSID
#ldap_id_mapping = True
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_force_upper_case_realm = true
;min_id = 0
;
krb5_server = ABC.net
krb5_realm = ABC.net
#debug
debug_level = 9
Last edited by shiden; 06-16-2013 at 08:13 PM.
|