Bug 110945 - nss_ldap cannot bind to an Active Directory LDAP Server
nss_ldap cannot bind to an Active Directory LDAP Server
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: nss_ldap (Show other bugs)
1
i686 Linux
high Severity high
: ---
: ---
Assigned To: Nalin Dahyabhai
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-11-25 14:37 EST by Per Hjartoy
Modified: 2007-11-30 17:10 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-07-11 14:14:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Per Hjartoy 2003-11-25 14:37:42 EST
Description of problem:
When configuring FC1 to obtain (PAM) authorization from an AD4Unix 
schema, the 207 version fails to bind to the Microsoft 2000 AD based 
LDAP server.  The RH8 version (189?) has no problem binding to the 
same server.

Version-Release number of selected component (if applicable):
OpenLdap 2.1.22 or nss-ldap 207

How reproducible:
Always


Steps to Reproduce:
1. Configure the ldap.conf file to connect with
host [your win2k ldap server]
binddn cn=Administrator,cn=Users,dc=[your domain],dc=com
bindpw [Administrator's password]

2. 'strace -s128 getent -s "dns ldap" passwd [username]'
3. Watch the output when the bind to the LDAP server takes place
  
Actual results:
LDAP server returns the following error:

LdapErr: DSID-0C09030B,
comment: AcceptSecurityContext error

Expected results:
Sucessful bind

Additional info:

Stacktrace from FC1 System(I have replaced the password with
XXXXXXXX):

uname({sys="Linux", node="odin.actius.com", ...}) = 0 time
(NULL)                              = 1069495427
write(3,"0B\2\1\1`=\2\1\3
\4+cn=Administrator,cn=Users,dc=actius,dc=com\r\200\vXXXXXX
XXXX\r", 68) = 68 time(NULL)                              = 1069495427
select(1024, [3], [], NULL, {30, 0})    = 1 (in [3], left {30, 0})
read(3, "0\204\0\0\0g\2\1", 8)          = 8
read(3, "\1a\204\0\0\0^\n\0011\4\0\4W80090308: LdapErr: DSID-0C09030B,
comment: AcceptSecurityContext error, data 525, v893\0", 101) = 101
time(NULL)                              = 1069495427

From the RH8 box with the same configuration file it works without any
problem with the following trace:

uname({sys="Linux", node="tor.actius.com", ...}) = 0 time
(NULL)                              = 1069494811
write(3,"0@\2\1\1`;\2\1\3
\4*cn=Administrator,cn=Users,dc=actius,dc=com\200\nXXXXXXXX
XX", 66) = 66 time(NULL)                              = 1069494811
select(1024, [3], [], NULL, {30, 0})    = 1 (in [3], left {30, 0})
read(3, "0\204\0\0\0\20\2\1\1a\204\0\0\0\7\n\1\0\4\0\4\0", 16384) = 22
time(NULL)                              = 1069494811
Comment 1 Per Hjartoy 2003-11-25 18:33:45 EST
It should also be noted that if the nsswitch.conf file is configured:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

You cannot any longer log in with local user accounts e.g. root. 
after configuring ldap.conf with the win2k ad ldap properties. Any 
login attempt result in a pop-up stating that "Authentication Failed".
Comment 2 Per Hjartoy 2003-11-26 04:10:21 EST
More investigation...
I ftp'ed the ldap.conf file from the rh8 system to the fc1 system, 
and the bind worked! Also, I now don't have a problem logging on 
local users from files.  However, the Win2K AD LDAP server returned 
no data to the FC1 system.

First the trace output from the FC1 System:

write(3, "0@\2\1\1`;\2\1\3
\4*cn=Administrator,cn=Users,dc=actius,dc=com\200\nXXXXXXXXXX", 66) = 
66
time(NULL)                              = 1069835551
select(1024, [3], [], NULL, {30, 0})    = 1 (in [3], left {30, 0})
read(3, "0\204\0\0\0\20\2\1", 8)        = 8
read(3, "\1a\204\0\0\0\7\n\1\0\4\0\4\0", 14) = 14
time(NULL)                              = 1069835551
setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [0], 4) = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
getsockname(3, {sa_family=AF_INET, sin_port=htons(32806), 
sin_addr=inet_addr("172.27.17.5")}, [16]) = 0
getpeername(3, {sa_family=AF_INET, sin_port=htons(389), 
sin_addr=inet_addr("172.27.17.2")}, [16]) = 0
time([1069835551])                      = 1069835551
getpid()                                = 2129
geteuid32()                             = 0
time(NULL)                              = 1069835551
write(3, "0\201\312\2\1\2c\201\304\4\31cn=Users,dc=actius,dc=com\n\1\2
\n\1\0\2\1\1\2\1\0\1\1\0\240-\243\33\4\vobjectclass\4
\fposixAccount\243\16\4\3uid\4\7nerissa0i\4\3uid\4\fuserPassword\4
\tuidNumb"..., 205) = 205
select(1024, [3], [], NULL, NULL)       = 1 (in [3])
read(3, "0\204\0\0\0\20\2\1", 8)        = 8
read(3, "\2e\204\0\0\0\7\n\1\0\4\0\4\0", 14) = 14
time(NULL)                              = 1069835551
time([1069835551])                      = 1069835551
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
exit_group(2)                           = ?

Then the RH8 output:

write(3, "0@\2\1\1`;\2\1\3
\4*cn=Administrator,cn=Users,dc=actius,dc=com\200\nXXXXXXXXXX", 66) = 
66
time(NULL)                              = 1069833787
select(1024, [3], [], NULL, {30, 0})    = 1 (in [3], left {30, 0})
read(3, "0\204\0\0\0\20\2\1\1a\204\0\0\0\7\n\1\0\4\0\4\0", 16384) = 22
time(NULL)                              = 1069833787
setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [0], 4) = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
getsockname(3, {sin_family=AF_INET, sin_port=htons(33071), 
sin_addr=inet_addr("172.27.17.4")}}, [16]) = 0
getpeername(3, {sin_family=AF_INET, sin_port=htons(389), 
sin_addr=inet_addr("172.27.17.2")}}, [16]) = 0
time([1069833787])                      = 1069833787
getpid()                                = 3976
geteuid32()                             = 0
time(NULL)                              = 1069833787
write(3, "0\201\346\2\1\2c\201\340\4\31cn=Users,dc=actius,dc=com\n\1\2
\n\1\0\2\1\1\2\1\0\1\1\0\2400\243\23\4\vobjectclass\4\4User\243\31\4
\16sAMAccountName\4\7nerissa0\201\201\4\16sAMAccountName\4
\rmsSFUP"..., 233) = 233
select(1024, [3], [], NULL, NULL)       = 1 (in [3])
read(3, "0\204\0\0\1\235\2\1\2d\204\0\0\1\224\4-CN=Nerissa C. 
Chang,CN=Users,DC=actius,DC=com0\204\0\0\1_0\204\0\0\0!\4
\vdescription1\204\0\0\0\16\4\fUser account0\204\0\0\0<\4
\vobjectClass1\204"..., 16384) = 441
time(NULL)                              = 1069833787
time([1069833787])                      = 1069833787
rt_sigaction(SIGPIPE, {SIG_DFL}, {SIG_IGN}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [PIPE], NULL, 8) = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -
1, 0) = 0x40021000
write(1, "nerissa:x:1002:1000:Nerissa C. 
Chang:/home/nerissa:/bin/bash\n", 61nerissa:x:1002:1000:Nerissa C. 
Chang:/home/nerissa:/bin/bash
) = 61
munmap(0x40021000, 4096)                = 0
_exit(0)                                = ?

Comment 3 Per Hjartoy 2003-11-26 04:53:16 EST
Tested with the nss_ldap-207-6.i386.rpm made available on 
fedora/update/testing and the authentication now works!
Comment 4 Per Hjartoy 2003-11-26 05:20:33 EST
Ooops, spoke to soon.  The new package authenticates against the LDAP 
server and user records are retrievable by getent However, I still 
cannot log in with a user in the LDAP server. :-( Per
Comment 5 Nalin Dahyabhai 2003-12-08 22:37:58 EST
You're using SSL, right?  Does adding
  TLS_REQCERT allow
to /etc/openldap/ldap.conf make things start working again?  If it
does, then your SSL client isn't configured to trust certificates
issued by the AD realm's certificate authority, and we can go from there.
Comment 6 Per Hjartoy 2003-12-10 08:16:48 EST
No, I haven't turned on SSL yet. From my post on the Fedora list on 
12/2:

An update ....
Tonight I updated my system with the Kernel and the initscript 
patches ['kernel-2.4.22-1.2129.nptl', 'kernel-smp-2.4.22-
1.2129.nptl', 'initscripts-7.42.2-1']. I then rebooted, and I was 
suddenly able to log in with an AD based login ID! Not sure what is 
going on here, but the combination of the above mentioned packages 
and the testing nss_ldap rpm
(nss_ldap-207-6.i386.rpm) seems to be a winning combination. 
Explanation anyone?  -- Per
Comment 7 Matthew Miller 2006-07-11 13:31:13 EDT
Fedora Core 1 is maintained by the Fedora Legacy project for security updates
only. If this problem is a security issue, please reopen and reassign to the
Fedora Legacy product. If it is not a security issue and hasn't been resolved in
the current FC5 updates or in the FC6 test release, reopen and change the
version to match.

Thanks!

NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy
project. After Fedora Core 6 Test 2 is released (currently scheduled for July
26th), there will be no more security updates for FC1. Please use these next two
weeks to upgrade any remaining FC1 systems to a current release.

Comment 8 Per Hjartoy 2006-07-11 14:11:31 EDT
This problem was fixed in a patch to Fedora 1. Please close
Comment 9 Matthew Miller 2006-07-11 14:14:43 EDT
Thank you. Marking fixed as per comment #8.

Note You need to log in before you can comment on or make changes to this bug.