Description of problem: When configuring FC1 to obtain (PAM) authorization from an AD4Unix schema, the 207 version fails to bind to the Microsoft 2000 AD based LDAP server. The RH8 version (189?) has no problem binding to the same server. Version-Release number of selected component (if applicable): OpenLdap 2.1.22 or nss-ldap 207 How reproducible: Always Steps to Reproduce: 1. Configure the ldap.conf file to connect with host [your win2k ldap server] binddn cn=Administrator,cn=Users,dc=[your domain],dc=com bindpw [Administrator's password] 2. 'strace -s128 getent -s "dns ldap" passwd [username]' 3. Watch the output when the bind to the LDAP server takes place Actual results: LDAP server returns the following error: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error Expected results: Sucessful bind Additional info: Stacktrace from FC1 System(I have replaced the password with XXXXXXXX): uname({sys="Linux", node="odin.actius.com", ...}) = 0 time (NULL) = 1069495427 write(3,"0B\2\1\1`=\2\1\3 \4+cn=Administrator,cn=Users,dc=actius,dc=com\r\200\vXXXXXX XXXX\r", 68) = 68 time(NULL) = 1069495427 select(1024, [3], [], NULL, {30, 0}) = 1 (in [3], left {30, 0}) read(3, "0\204\0\0\0g\2\1", 8) = 8 read(3, "\1a\204\0\0\0^\n\0011\4\0\4W80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893\0", 101) = 101 time(NULL) = 1069495427 From the RH8 box with the same configuration file it works without any problem with the following trace: uname({sys="Linux", node="tor.actius.com", ...}) = 0 time (NULL) = 1069494811 write(3,"0@\2\1\1`;\2\1\3 \4*cn=Administrator,cn=Users,dc=actius,dc=com\200\nXXXXXXXX XX", 66) = 66 time(NULL) = 1069494811 select(1024, [3], [], NULL, {30, 0}) = 1 (in [3], left {30, 0}) read(3, "0\204\0\0\0\20\2\1\1a\204\0\0\0\7\n\1\0\4\0\4\0", 16384) = 22 time(NULL) = 1069494811
It should also be noted that if the nsswitch.conf file is configured: passwd: files ldap shadow: files ldap group: files ldap You cannot any longer log in with local user accounts e.g. root. after configuring ldap.conf with the win2k ad ldap properties. Any login attempt result in a pop-up stating that "Authentication Failed".
More investigation... I ftp'ed the ldap.conf file from the rh8 system to the fc1 system, and the bind worked! Also, I now don't have a problem logging on local users from files. However, the Win2K AD LDAP server returned no data to the FC1 system. First the trace output from the FC1 System: write(3, "0@\2\1\1`;\2\1\3 \4*cn=Administrator,cn=Users,dc=actius,dc=com\200\nXXXXXXXXXX", 66) = 66 time(NULL) = 1069835551 select(1024, [3], [], NULL, {30, 0}) = 1 (in [3], left {30, 0}) read(3, "0\204\0\0\0\20\2\1", 8) = 8 read(3, "\1a\204\0\0\0\7\n\1\0\4\0\4\0", 14) = 14 time(NULL) = 1069835551 setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [0], 4) = 0 fcntl64(3, F_SETFD, FD_CLOEXEC) = 0 getsockname(3, {sa_family=AF_INET, sin_port=htons(32806), sin_addr=inet_addr("172.27.17.5")}, [16]) = 0 getpeername(3, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("172.27.17.2")}, [16]) = 0 time([1069835551]) = 1069835551 getpid() = 2129 geteuid32() = 0 time(NULL) = 1069835551 write(3, "0\201\312\2\1\2c\201\304\4\31cn=Users,dc=actius,dc=com\n\1\2 \n\1\0\2\1\1\2\1\0\1\1\0\240-\243\33\4\vobjectclass\4 \fposixAccount\243\16\4\3uid\4\7nerissa0i\4\3uid\4\fuserPassword\4 \tuidNumb"..., 205) = 205 select(1024, [3], [], NULL, NULL) = 1 (in [3]) read(3, "0\204\0\0\0\20\2\1", 8) = 8 read(3, "\2e\204\0\0\0\7\n\1\0\4\0\4\0", 14) = 14 time(NULL) = 1069835551 time([1069835551]) = 1069835551 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 exit_group(2) = ? Then the RH8 output: write(3, "0@\2\1\1`;\2\1\3 \4*cn=Administrator,cn=Users,dc=actius,dc=com\200\nXXXXXXXXXX", 66) = 66 time(NULL) = 1069833787 select(1024, [3], [], NULL, {30, 0}) = 1 (in [3], left {30, 0}) read(3, "0\204\0\0\0\20\2\1\1a\204\0\0\0\7\n\1\0\4\0\4\0", 16384) = 22 time(NULL) = 1069833787 setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [0], 4) = 0 fcntl64(3, F_SETFD, FD_CLOEXEC) = 0 getsockname(3, {sin_family=AF_INET, sin_port=htons(33071), sin_addr=inet_addr("172.27.17.4")}}, [16]) = 0 getpeername(3, {sin_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("172.27.17.2")}}, [16]) = 0 time([1069833787]) = 1069833787 getpid() = 3976 geteuid32() = 0 time(NULL) = 1069833787 write(3, "0\201\346\2\1\2c\201\340\4\31cn=Users,dc=actius,dc=com\n\1\2 \n\1\0\2\1\1\2\1\0\1\1\0\2400\243\23\4\vobjectclass\4\4User\243\31\4 \16sAMAccountName\4\7nerissa0\201\201\4\16sAMAccountName\4 \rmsSFUP"..., 233) = 233 select(1024, [3], [], NULL, NULL) = 1 (in [3]) read(3, "0\204\0\0\1\235\2\1\2d\204\0\0\1\224\4-CN=Nerissa C. Chang,CN=Users,DC=actius,DC=com0\204\0\0\1_0\204\0\0\0!\4 \vdescription1\204\0\0\0\16\4\fUser account0\204\0\0\0<\4 \vobjectClass1\204"..., 16384) = 441 time(NULL) = 1069833787 time([1069833787]) = 1069833787 rt_sigaction(SIGPIPE, {SIG_DFL}, {SIG_IGN}, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [PIPE], NULL, 8) = 0 fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, - 1, 0) = 0x40021000 write(1, "nerissa:x:1002:1000:Nerissa C. Chang:/home/nerissa:/bin/bash\n", 61nerissa:x:1002:1000:Nerissa C. Chang:/home/nerissa:/bin/bash ) = 61 munmap(0x40021000, 4096) = 0 _exit(0) = ?
Tested with the nss_ldap-207-6.i386.rpm made available on fedora/update/testing and the authentication now works!
Ooops, spoke to soon. The new package authenticates against the LDAP server and user records are retrievable by getent However, I still cannot log in with a user in the LDAP server. :-( Per
You're using SSL, right? Does adding TLS_REQCERT allow to /etc/openldap/ldap.conf make things start working again? If it does, then your SSL client isn't configured to trust certificates issued by the AD realm's certificate authority, and we can go from there.
No, I haven't turned on SSL yet. From my post on the Fedora list on 12/2: An update .... Tonight I updated my system with the Kernel and the initscript patches ['kernel-2.4.22-1.2129.nptl', 'kernel-smp-2.4.22- 1.2129.nptl', 'initscripts-7.42.2-1']. I then rebooted, and I was suddenly able to log in with an AD based login ID! Not sure what is going on here, but the combination of the above mentioned packages and the testing nss_ldap rpm (nss_ldap-207-6.i386.rpm) seems to be a winning combination. Explanation anyone? -- Per
Fedora Core 1 is maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thanks! NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy project. After Fedora Core 6 Test 2 is released (currently scheduled for July 26th), there will be no more security updates for FC1. Please use these next two weeks to upgrade any remaining FC1 systems to a current release.
This problem was fixed in a patch to Fedora 1. Please close
Thank you. Marking fixed as per comment #8.