LDAP, PAM or SSHD?

Hi,
I'm trying to make Solaris authenticate users in AD. NTP is working, nsswitch.ldap is listed above, DNS is OK and I made something different in pam.conf, krb5.conf and sshd_config (see above).

nsswitch.ldap:
passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files

pam.conf:
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_krb5.so.1

krb5.conf:
[libdefaults]
default_realm = <mybusiness>.BIZ
verify_ap_req_nofail = false
[realms]
<mybusiness>.BIZ = {
kdc = dc01server
kdc = dc02server
kdc = <mybusiness>.biz
admin_server = <mybusiness>.biz
}
[domain_realm]
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
version = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}

With all changes made, here is my ldapclient command:

ldapclient -v manual \
  -a credentialLevel=proxy \
  -a authenticationMethod=simple \
  -a "proxyDN=CN=<user>,OU=<blablabla>,OU=<otherbla>,OU=<blaRIO>,DC=<mybusiness>,DC=biz" \
  -a proxyPassword=<passwd> \
  -a "defaultServerList=dc01server dc02server" \
  -a defaultSearchBase=dc=<mybusiness>,dc=biz \
  -a domainName=<mybusiness>.biz \
  -a attributeMap=group:userpassword=userPassword \
  -a attributeMap=group:memberuid=memberUid \
  -a attributeMap=group:gidnumber=gidNumber \
  -a attributeMap=passwd:gecos=displayName \
  -a attributeMap=passwd:gidnumber=gidNumber \
  -a attributeMap=passwd:uidnumber=uidNumber \
  -a attributeMap=passwd:homedirectory=unixHomeDirectory \
  -a attributeMap=passwd:uid=sAMAccountName \
  -a attributeMap=passwd:loginshell=loginShell \
  -a attributeMap=shadow:shadowflag=shadowFlag \
  -a attributeMap=shadow:userpassword=userPassword \
  -a attributeMap=shadow:uid=sAMAccountName \
  -a objectClassMap=group:posixGroup=group \
  -a objectClassMap=passwd:posixAccount=user \
  -a objectClassMap=shadow:shadowAccount=user \
  -a "serviceSearchDescriptor=shadow:ou=otherbla,ou=blaRIO,dc=<mybusiness>,dc=biz?sub" \
  -a "serviceSearchDescriptor=passwd:ou=otherbla,ou=blaRIO,dc=<mybusiness>,dc=biz?sub" \
  -a "serviceSearchDescriptor=group:ou=otherbla,ou=blaRIO,DC=<mybusiness>,DC=biz?sub"

The problem is that when I put a secondary user group in the AllowGroups line in sshd_config, I cannot log in; it only works using the primary group.

With no AllowGroups or AllowGroups PRIMARYGROUP in sshd_config:

$ ssh me@obelix
Password:
Your Kerberos password will expire in 9672 days.

Last login: Tue Mar 22 14:58:42 2011 from gwserver
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
Sun Microsystems Inc. SunOS 5.10 Generic January 2005

-bash-3.00$ id
uid=1771466(ME) gid=1885196(PRIMARYGROUP)

-bash-3.00$ id -a
uid=1771466(ME) gid=1885196(PRIMARYGROUP) groups=1885196(PRIMARYGROUP),1885197(SECONDARYGROUP)

Changing to secondary group in sshd_config (AllowGroups SECONDARYGROUP) and restarting sshd daemon:

$ ssh me@obelix
Password:
Password:
Password:
me@obelix's password:
Permission denied, please try again.
me@obelix's password:
Received disconnect from 10.2.96.174: 2: Too many authentication failures for me

In messages:
Mar 22 15:08:42 obelix sshd[27467]: [ID 800047 auth.error] error: PAM: Authentication failed for illegal user me from gwserver

Does anyone know where the problem is? How can I use the secondary group to authenticate users in sshd?

Thanks in advance,
MP