Win2K and Linux passwd/group info
I'll provide a little background before I get into my issue. I am trying to
have a Linux box authenticate users and get passwd and group information
from a Windows 2000 Active Directory. I was going to use Server for NIS
provided by Microsoft Services For UNIX 2.0
(http://www.microsoft.com/windows2000/sfu/) to get passwd and group info
from the AD, but I believe I ran into a possible "limitation" of this NIS
Everything was working great with the few "beta" testers that we set up to
use this method of authentication and NIS information retrieval. Figuring
everything was good to go, I decided to roll it out to all of our users that
login to this box. When I added a good deal of users to an NIS group
(approximately 175 -- not all that many in the grand scheme of things) the
NIS service on the 2000 box barfed; this is the error I received:
Application popup: nissvc.exe - Application Error : The instruction at
"0x77fca2bf" referenced memory at "0x6f77612c". The memory could not be
"written". Click on OK to terminate the program.
Since this solution wasn't working I decided to try a different route and
use LDAP authentication via pam_ldap and passwd and group info via nss_ldap.
The Server for NIS extends the AD schema to seemingly include the needed
information needed that the pam_ldap and nss_ldap modules are attempting to
retrieve (of course I may be missing some glaringly needed attribute :) ).
The authentication part I have working just fine - a user that has no
password information on the Linux box (but does have login shell and home
directory info in /etc/passwd) can login to the box with their Win2K
password and get a shell. But I can't seem to retrieve the passwd and group
information from the AD as the sole source for that info.
If I remove the user's information from the local files then the login
session immediately dies upon successful authentication. I can tell the
authentication is successful because /var/log/messages shows a login session
being opened for the user in question (Apr 26 10:35:03 rh71test
login(pam_unix): session opened for user joe_user by (uid=0)).
I have ethereal captures that show the Linux box successfully binding to the
2000 machine and retrieving some account information from the AD, but it
seems to just die out after that point. Sometimes I can see the retrieved
information in the correct format in ethereal (although the capture states
"Short message! expected: 66, actual: 24"); other captures show the LDAP
information in 2 or more fragmented packets. The first packet shows as an
LDAP packet but with the info "Short message! (expected: 2200, actual:
1442)"; the next packet shows the rest of the user's data, but is marked as
an "Invalid LDAP packet." Is the MS LDAP server sending back the
information fragmented and it's not supposed to be split that way?
I have thought about modifying the source code of nss_ldap, but I'm not
convinced that the problem lies in that module. If anyone has any insight
on this particular issue, I would GREATLY appreciate their input. Below are
some of my configuration files for your inspection (not in their entirety).
Thank you in advance for any help.
Network Team, Sherman Financial Group
Red Hat Linux 7.1 stock (no updates) -- full install (@Everything for you
kickstart fans :) )
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so debug
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so debug
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_ldap.so debug
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so
session optional /lib/security/pam_console.so
# Your LDAP server. Must be resolvable without using LDAP.
# The distinguished name of the search base.
# The LDAP version to use (defaults to 3
# if supported by client library)
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# The credentials to bind with.
# Optional: default is no credential.
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# The port.
# Optional: default is 389.
# The search scope.
# Search timelimit
# Bind timelimit
# If using Netscape SDK 4.x, this is used to
# set the TCP connection timeout as well as the
# bind timelimit.
# Filter to AND with uid=%s
pam_filter name=* # kind of a kludge but it works. FIXME
# The user ID attribute (defaults to uid)
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
# Group to enforce membership of
# Group member attribute
# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
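As an added illustration, not part of the original post: LDAP runs over a TCP byte stream, and every LDAPMessage is a BER SEQUENCE that carries its own length prefix, so one reply can legitimately be split across several segments. A dissector that inspects a single segment in isolation reports exactly the "Short message!" condition quoted above, and the continuation segment on its own starts mid-message with no SEQUENCE tag, which is why it is flagged "Invalid LDAP packet". The Python below (assumed class and function names, constructed sample data sized to reproduce the 2200/1442 figures from the capture) buffers segments until a complete message is present, which is what a correct client library must do.

```python
# Added example (not from the original post): reassemble BER-framed LDAP
# messages from a TCP byte stream that may split one message across segments.

def ber_length(buf, pos):
    """Decode the BER length field starting at buf[pos].
    Returns (length, position_after_length) or None if incomplete."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:                       # short form: one octet
        return first, pos + 1
    n = first & 0x7F                       # long form: n length octets follow
    if pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

class LdapReassembler:
    """Accumulates segments and emits only complete LDAPMessage SEQUENCEs."""
    def __init__(self):
        self.buf = b""
        self.messages = []
        self.log = []                      # what a per-segment dissector would say

    def feed(self, segment):
        self.buf += segment
        while self.buf:
            if self.buf[0] != 0x30:        # LDAPMessage ::= SEQUENCE (tag 0x30)
                raise ValueError("Invalid LDAP packet: expected SEQUENCE tag")
            hdr = ber_length(self.buf, 1)
            if hdr is None:
                break
            length, body = hdr
            total = body + length
            if len(self.buf) < total:      # partial message in this segment
                self.log.append(f"Short message! expected: {total}, actual: {len(self.buf)}")
                break
            self.messages.append(self.buf[:total])
            self.buf = self.buf[total:]
        return len(self.messages)

def ber_sequence(payload):
    """Wrap payload in a BER SEQUENCE with a correctly encoded length."""
    n = len(payload)
    if n < 0x80:
        return b"\x30" + bytes([n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(lb)]) + lb + payload

# Constructed sample: messageID=2 plus filler gives a 2200-byte message, which a
# 1442-byte TCP segment cannot carry whole (the figures seen in the capture).
MESSAGE = ber_sequence(b"\x02\x01\x02" + b"A" * 2193)
SEGMENTS = [MESSAGE[:1442], MESSAGE[1442:]]
```

Feeding SEGMENTS[0] alone logs "Short message! expected: 2200, actual: 1442" and yields nothing; feeding SEGMENTS[1] completes the message, whereas handing SEGMENTS[1] to a fresh reassembler raises the invalid-packet error because it has no SEQUENCE tag.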