[Date Prev][Date Next] [Chronological] [Thread] [Top]

Win2K and Linux passwd/group info

Good afternoon,

I'll provide a little background before I get into my issue.  I am trying to
have a Linux box authenticate users and get passwd and group information
from a Windows 2000 Active Directory.  I was going to use Server for NIS
provided by Microsoft Services For UNIX 2.0
(http://www.microsoft.com/windows2000/sfu/) to get passwd and group info
from the AD, but I believe I ran into a possible "limitation" of this NIS

Everything was working great with the few "beta" testers that we set up to
use this method of authentication and NIS information retrieval.  Figuring
everything was good to go, I decided to roll it out to all of our users that
login to this box.  When I added a good deal of users to an NIS group
(approximately 175 -- not all that many in the grand scheme of things) the
NIS service on the 2000 box barfed; this is the error I received:

Application popup: nissvc.exe - Application Error : The instruction at
"0x77fca2bf" referenced memory at "0x6f77612c". The memory could not be
"written". Click on OK to terminate the program.

Since this solution wasn't working I decided to try a different route and
use LDAP authentication via pam_ldap and passwd and group info via nss_ldap.
The Server for NIS extends the AD schema to seemingly include the needed
information needed that the pam_ldap and nss_ldap modules are attempting to
retrieve (of course I may be missing some glaringly needed attribute :) ).  

The authentication part I have working just fine - a user that has no
password information on the Linux box (but does have login shell and home
directory info in /etc/passwd) can login to the box with their Win2K
password and get a shell.  But I can't seem to retrieve the passwd and group
information from the AD as the sole source for that info. 

If I remove the user's information from the local files then the login
session immediately dies upon successful authentication.  I can tell the
authentication is successful because /var/log/messages shows a login session
being opened for the user in question (Apr 26 10:35:03 rh71test
login(pam_unix)[1494]: session opened for user joe_user by (uid=0)).

I have ethereal captures that show the Linux box successfully binding to the
2000 machine and retrieving some account information from the AD, but it
seems to just die out after that point.  Sometimes I can see the retrieved
information in the correct format in ethereal (although the capture states
"Short message! expected: 66, actual: 24); other captures show the LDAP
information in 2 or more fragmented packets.  The first packet shows as an
LDAP packet but with the info "Short message! (expected: 2200, actual:
1442); the next packet shows the rest of the user's data, but is marked as
an "Invalid LDAP packet."  Is the MS LDAP server sending back the
information fragmented and it's not supposed to be split that way?

I have thought about modifying the source code of nss_ldap, but I'm not
convinced that the problem lies in that module.  If anyone has any insight
on this particular issue, I would GREATLY appreciate their input.  Below are
some of my configuration files for your inspection (not in their entirety).

Thank you in advance for any help.

Andrew Rechenberg
Network Team, Sherman Financial Group


Red Hat Linux 7.1 stock (no updates) -- full install (@Everything for you
kickstart fans :) )

auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so debug
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so debug
account    required     /lib/security/pam_unix_acct.so
password   required    /lib/security/pam_cracklib.so
password   required    /lib/security/pam_ldap.so debug
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required     /lib/security/pam_unix_session.so
session    optional     /lib/security/pam_console.so

# Your LDAP server. Must be resolvable without using LDAP.

# The distinguished name of the search base.
base dc=mydomain,dc=com

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=aeinstein,cn=users,dc=mydomain,dc=com

# The credentials to bind with.
# Optional: default is no credential.

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=aeinstein,cn=users,dc=mydomain,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
# If using Netscape SDK 4.x, this is used to
# set the TCP connection timeout as well as the
# bind timelimit.
#bind_timelimit 30

# Filter to AND with uid=%s
pam_filter name=*     # kind of a kludge but it works.  FIXME 

# The user ID attribute (defaults to uid)
pam_login_attribute cn

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
pam_password ad