1. We use Windows 2012 servers as domain controllers.
2. We have CentOS 5 and CentOS 6 in our environment. Last week, after I
configured LDAP, all servers were working fine; I could log in with an LDAP
account or as root.
3. Today we found that none of the CentOS 5 servers can log in with an AD
account or the root account, while CentOS 6 is still working well. We tried
restarting the domain controllers and the CentOS 5 servers. Now, when we run
getent passwd we sometimes get output from AD, but id ldapuser (or getent
passwd ldapuser) just hangs. CentOS 6 servers are still working
well.
  
4. Below are some of my config files. Can anybody have a look and give
suggestions? Thanks in advance...
 
$ cat system-auth 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): the pam_listfile entry below has no switch in
# /etc/sysconfig/authconfig, so it looks hand-added; per the header above it
# will be dropped on the next authconfig run -- keep it somewhere durable.
# The "auth ... pam_listfile.so" entry and the "file=... onerr=fail" tail are
# ONE line in the real file; the mail client wrapped it.
# item=group sense=allow: the user must belong to a group named in
# group.allowed. Membership is resolved through nsswitch; in the nsswitch.conf
# posted, group lookups include ldap, so a hung LDAP backend is likely to stall
# this module for every account, root included -- a plausible reason root
# logins hang too. onerr=fail turns a lookup error into a denial.
auth      required    pam_listfile.so item=group sense=allow 
file=/etc/security/group.allowed onerr=fail 
auth        required      pam_env.so
# nullok: an account whose password field is empty can log in with no
# password; remove it unless that is intended.
auth        sufficient    pam_unix.so nullok try_first_pass
# Local accounts (uid < 500) that failed pam_unix are rejected here; only
# uid >= 500 continues on to Kerberos.
auth        requisite     pam_succeed_if.so uid >= 500 quiet
# AD passwords are verified via Kerberos (pam_krb5); there is no pam_ldap in
# this stack, so LDAP is used for NSS lookups only.
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
# user_unknown=ignore: users with no Kerberos principal pass through here
# rather than being rejected.
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
# "use_authtok" on the following line is the tail of this pam_unix entry
# (mail-wrapped). md5 hashing is weak by current standards; later CentOS 5
# updates support sha512 (authconfig --passalgo=sha512) -- confirm for this
# release before changing.
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass 
use_authtok 
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so

# "quiet use_uid" on the following line is the tail of this entry
# (mail-wrapped). success=1: for the crond service the next module
# (pam_unix) is skipped.
session     [success=1 default=ignore] pam_succeed_if.so service in crond 
quiet use_uid 
session     required      pam_unix.so
session     optional      pam_krb5.so
# Home directories are created on first login with umask=0022, i.e. readable
# and traversable by group and others; umask=0077 is the tighter choice.
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
  
$ cat /etc/krb5.conf  
  
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = MYDOMAIN.LOCAL
  dns_lookup_realm = false
# With dns_lookup_kdc = false only the kdc entries under [realms] are used;
# the AD SRV records are not consulted.
  dns_lookup_kdc = false
  ticket_lifetime = 24h
# Spelled "yes" here and "true" under [appdefaults]; both parse, but use one.
  forwardable = yes

[realms]
# EXAMPLE.COM is the placeholder realm from the stock krb5.conf template;
# default_realm does not refer to it, so it can be removed to avoid confusion.
  EXAMPLE.COM = {
   kdc = kerberos.example.com:88
   admin_server = kerberos.example.com:749
   default_domain = example.com
  }

# kdc points at the bare domain name rather than a specific DC, so it relies
# on DNS resolving MYDOMAIN.local to domain-controller addresses. Listing each
# DC explicitly (the dc-01/dc-02 hostnames used in ldap.conf's uri line) gives
# a predictable failover order and makes a dead DC easier to spot.
# Port 749 is MIT kadmin, which AD does not run; AD password changes use the
# kpasswd protocol on port 464. TODO confirm whether pam_krb5 needs a
# kpasswd_server entry here for password changes.
  MYDOMAIN.LOCAL = {
   kdc = MYDOMAIN.local:88
   admin_server = MYDOMAIN.local:749
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

# Indentation is not significant in krb5.conf; these two lines are still part
# of [domain_realm].
MYDOMAIN.local = MYDOMAIN.LOCAL
.MYDOMAIN.local = MYDOMAIN.LOCAL
[appdefaults]
# Values read by pam_krb5. Lifetimes here are in seconds (36000 s = 10 h),
# shorter than the 24h ticket_lifetime under [libdefaults].
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
  
  
$ cat /etc/ldap.conf |grep -v ^# 
# nss_ldap configuration (the post filtered out comment lines with
# grep -v ^#, so the file's own documentation is not shown).
# Timeouts are in seconds: bind_timelimit 120 lets a bind to an unresponsive
# server block for two minutes before the next uri is tried.
timelimit 120
bind_timelimit 120
idle_timelimit 3600

base dc=mydomain,dc=local

# Two DCs, tried in order. Their names resolve through nsswitch
# ("hosts: files dns" in the nsswitch.conf posted), so DNS trouble shows up
# here as LDAP trouble.
uri ldap://dc-01.mydomain.local/ ldap://dc-02.mydomain.local/ 
# ssl no: plain ldap:// on 389. The binddn/bindpw below and every lookup cross
# the network unencrypted. tls_cacertdir is inert with "ssl no"; it is only
# used with "ssl start_tls" (or "ssl on" with ldaps:// uris) once the DC
# certificate is trusted.
ssl no
tls_cacertdir /etc/openldap/cacerts
# pam_password and pam_filter matter only to pam_ldap; system-auth here uses
# pam_krb5 and authconfig has USELDAPAUTH=no, so they are not in effect.
pam_password md5
# Service account used for NSS lookups. The password is redacted in the post;
# in the real file it is clear text, and because unprivileged processes need
# this file for lookups it is usually world-readable -- so the account must be
# read-only with no other rights. (nss_ldap's rootbinddn + /etc/ldap.secret
# keeps a credential root-only but applies to root's lookups only; sssd, which
# this host's authconfig knows about, keeps the credential private.)
binddn [email protected]
bindpw ********
scope sub
pam_filter objectClass=User
nss_base_passwd dc=mydomain,dc=local
nss_base_shadow dc=mydomain,dc=local
nss_base_group dc=mydomain,dc=local
# Schema mapping for AD: the posixAccount/posixGroup classes and uid/gecos/
# homeDirectory attributes are mapped onto AD's user/group objects.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber UidNumber
nss_map_attribute gidNumber GidNumber
nss_map_attribute loginShell LoginShell
nss_map_attribute gecos displayName
nss_map_attribute uniqueMember PosixMember
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute cn cn

# bind_policy hard: nss_ldap keeps retrying a failed connection instead of
# returning "not found". Combined with the 120 s timeouts above, a DC that
# answers slowly or not at all stalls every lookup -- a plausible source of
# the hanging "id"/"getent passwd user" reported, and, via "group: files
# ldap", of root logins hanging as well. "bind_policy soft" plus a shorter
# bind_timelimit is a reasonable diagnostic step.
bind_policy hard
nss_reconnect_tries 3
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2
  
$ cat /etc/sysconfig/authconfig 
# /etc/sysconfig/authconfig -- switches authconfig uses to regenerate
# system-auth and nsswitch.conf. Consistent with the files posted:
# USELDAP=yes + USELDAPAUTH=no -> LDAP for NSS only (no pam_ldap in
# system-auth); USEKERBEROS=yes -> pam_krb5 for authentication;
# USEMKHOMEDIR=yes -> pam_mkhomedir in the session stack.
# The hand-added pam_listfile line in system-auth has no switch here, so the
# next authconfig run drops it (as system-auth's own header warns).
USEWINBINDAUTH=no
USEMKHOMEDIR=yes
USESYSNETAUTH=no
USEPAMACCESS=no
USESSSDAUTH=no
USESHADOW=yes
USESMBAUTH=no
USESMARTCARD=no
USELDAPAUTH=no
USEPASSWDQC=no
USEDB=no
USEWINBIND=no
# This authconfig knows about sssd; if the package is available for this
# release, sssd avoids nss_ldap's blocking lookups and keeps the LDAP bind
# credential in a root-only file. TODO confirm availability before migrating.
USESSSD=no
FORCESMARTCARD=no
# Produces "pam_unix.so md5 ..." in system-auth; weaker than sha512. Check
# whether this release's authconfig accepts --passalgo=sha512.
PASSWDALGORITHM=md5
USEHESIOD=no
USEKERBEROS=yes
USELDAP=yes
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USENIS=no
  
# cat /etc/nsswitch.conf |grep -v ^# 
# Lookup order: local files first, then LDAP. Group-membership checks
# (initgroups) consult every listed service, not just the first hit, so with
# the "pam_listfile item=group" entry in system-auth even root's login is
# likely to wait on the LDAP servers when they do not answer.
passwd:     files ldap
shadow:     files ldap
group:      files ldap
# The DC hostnames in ldap.conf's uri line are resolved through this entry.
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
  
$ cat /etc/security/group.allowed 
  
wheel 
admin 
unixadmins 
unixscan 
opsunixusers 
