Trying to change passwords on UNIX accounts stored in Win2K Active
Directory... we have extracted the Solaris 2.6 passwd binary and replaced
the 2.8 binary. However, we still get the following error:
# passwd dav
Permission denied
The following is logged in /var/adm/messages
Mar 25 20:09:18 sun6.CPQUNIX.NET passwd[11637]: [ID 280705 user.error]
pam_ldap: ldap_simple_bind Can't contact LDAP server
Using truss on passwd appears to show a dialog with the Win2K system running
Active Directory, Enterprise Certificate Authority via SSL, port 636. The
reply from Win2K is read on fd 5 and possibly compared with the local client
database read on fd 4. However, this leads to ldap_simple_bind failing.
We have exported the Microsoft Enterprise Certificate Authority certificate
from the Win2K system in base-64, DER and PKCS #7 format. The certificates
have been copied to the Solaris system. The certutil executable has been
copied from another Solaris system. However, attempts to add the
Certificates to the database on Solaris fail as follows:
# ./certutil -d /etc/ssl/certs -A -n "CPQ UNIX ENTERPRISE CA" -t "C,C,C" -i
cpqunix_der.cer
certutil: failure authenticating to key database.
: Security I/O error
Questions
1. How do we update the certificate database on Solaris to include the Win2K
Enterprise CA?
2. What else do we need to do to get this working?
Although this is not OpenSSL it does appear to be an SSL issue, so any help
appreciated.
Thanks,
Stuart
Environment: Solaris 8, LDAP, SSL, Active Directory, Microsoft SFU (Services
For Unix) schema in Active Directory, PADL nss_ldap.so, pam_ldap.so on
Solaris, Microsoft Enterprise Certificate Authority
The truss trace follows:
truss -f -u libpam,libldap,libldapssl40 -v connect /usr/bin/passwd dav
11557: stat("/etc/ssl/certs/cert7.db", 0xFFBEE408) = 0
#
# open local certificate database cert7.db on fd 4
#
11557: open("/etc/ssl/certs/cert7.db", O_RDONLY) = 4
11557: fcntl(4, F_SETFD, 0x00000001) = 0
11557: read(4, "\00615 a\0\0\002\0\010E1".., 260) = 260
11557: brk(0x0003FDB8) = 0
11557: brk(0x00041DB8) = 0
11557: lseek(4, 73728, SEEK_SET) = 73728
11557: read(4, "\0 $1FF71FF41F821D1F1D03".., 8192) = 8192
11557: brk(0x00041DB8) = 0
11557: brk(0x00043DB8) = 0
11557: lseek(4, 98304, SEEK_SET) = 98304
11557: read(4, "\0181F9E1EEE1E v1DC11D N".., 8192) = 8192
11557: stat("/etc/ssl/certs/secmod.db", 0xFFBEE398) = 0
11557: open("/etc/ssl/certs/secmod.db", O_RDONLY) = 5
11557: fcntl(5, F_SETFD, 0x00000001) = 0
11557: read(5, "\00615 a\0\0\002\0\010E1".., 260) = 260
11557: brk(0x00043DB8) = 0
11557: brk(0x00045DB8) = 0
11557: lseek(5, 8192, SEEK_SET) = 8192
11557: read(5, "\0021FDF1F881F ~1F88\0\0".., 8192) = 8192
11557: brk(0x00045DB8) = 0
11557: brk(0x00047DB8) = 0
11557: lseek(5, 16384, SEEK_SET) = 16384
11557: read(5, "\0\0\0\0\0\0\0\0\0\0\0\0".., 8192) = 8192
11557: close(5) = 0
11557/1: <- libldapssl40:ldapssl_client_init() = 0
11557/1: -> libldapssl40:ldapssl_init(0x385a0, 0x27c, 0x1, 0x391d0)
11557/1: <- libldapssl40:ldapssl_init() = 0x3e4c0
11557/1: -> libldapssl40:ldap_set_option(0x3e4c0, 0x11, 0x39224, 0x391d0)
11557/1: <- libldapssl40:ldap_set_option() = 0
11557/1: -> libldapssl40:ldap_set_rebind_proc(0x3e4c0, 0xff1e3400, 0x38588, 0xff05e7c0)
11557/1: <- libldapssl40:ldap_set_rebind_proc() = 0x3e4c0
11557/1: -> libldapssl40:ldap_set_option(0x3e4c0, 0x2, 0x391e8, 0x3e4c0)
11557/1: <- libldapssl40:ldap_set_option() = 0
11557/1: -> libldapssl40:ldap_set_option(0x3e4c0, 0x4, 0x39228, 0xff05e7c0)
11557/1: <- libldapssl40:ldap_set_option() = 0
11557/1: -> libldapssl40:ldap_set_option(0x3e4c0, 0x8, 0x0, 0xff05e7c0)
11557/1: <- libldapssl40:ldap_set_option() = 0
11557/1: -> libldapssl40:ldap_set_option(0x3e4c0, 0x9, 0x1, 0xff05e7c0)
11557/1: <- libldapssl40:ldap_set_option() = 0
11557: getuid() = 0 [0]
11557/1: -> libldapssl40:ldap_simple_bind(0x3e4c0, 0x392a0, 0x38600, 0x0)
11557: so_socket(2, 2, 0, "", 1) = 5
11557: fcntl(5, F_GETFL, 0x00000000) = 2
11557: fstat64(5, 0xFFBEDA98) = 0
11557: getsockopt(5, 65535, 8192, 0xFFBEDB98, 0xFFBEDB90, 229005) = 0
11557: fstat64(5, 0xFFBEDA98) = 0
11557: getsockopt(5, 65535, 8192, 0xFFBEDB98, 0xFFBEDB94, 229005) = 0
11557: setsockopt(5, 65535, 8192, 0xFFBEDB98, 4, 229005) = 0
11557: fcntl(5, F_SETFL, 0x00000082) = 0
11557: setsockopt(5, 65535, 8, 0xFFBEDC04, 4, 1) = 0
11557: connect(5, 0xFFBEDD58, 16, 1) Err#150 EINPROGRESS
11557: AF_INET name = 16.37.3.118 port = 636
11557: poll(0x00044DF0, 1, 100) = 1
11557: getsockopt(5, 65535, 4103, 0xFFBEDA38, 0xFFBEDA3C, 1) = 0
11557: time() = 1017085844
11557: getpeername(5, 0xFFBEE22C, 0xFFBEE1C4, 1) = 0
11557: write(5, "801F0103\0\006\0\0\010\0".., 33) = 33
11557: read(5, 0x00043DA8, 3) Err#11 EAGAIN
11557: poll(0x00044DF0, 1, 100) = 1
#
# read response from Win2K via SSL on fd 5
#
11557: read(5, "1603\0", 3) = 3
11557: read(5, "10 V", 2) = 2
11557: read(5, "02\0\0 F03\0D0 \ % z /DA".., 4182) = 1455
11557: read(5, "8216 C P Q T E S T D C 1".., 2727) = 2727
11557: brk(0x00047DB8) = 0
11557: brk(0x0004DDB8) = 0
11557: brk(0x0004DDB8) = 0
11557: brk(0x0004FDB8) = 0
11557: brk(0x0004FDB8) = 0
11557: brk(0x00051DB8) = 0
11557: lseek(4, 57344, SEEK_SET) = 57344
11557: read(4, "\0101F *1BD01B0717D217AD".., 8192) = 8192
11557: brk(0x00051DB8) = 0
11557: brk(0x00053DB8) = 0
11557: brk(0x00053DB8) = 0
11557: brk(0x00055DB8) = 0
11557: brk(0x00055DB8) = 0
11557: brk(0x00057DB8) = 0
11557: brk(0x00057DB8) = 0
11557: brk(0x00059DB8) = 0
11557: brk(0x00059DB8) = 0
11557: brk(0x0005BDB8) = 0
11557: brk(0x0005BDB8) = 0
11557: brk(0x0005DDB8) = 0
#
# possible comparison with local certificate database cert7.db on fd 4
#
11557: lseek(4, 163840, SEEK_SET) = 163840
11557: read(4, "\0\b1F901EE71EA91DE01D !".., 8192) = 8192
11557: brk(0x0005DDB8) = 0
11557: brk(0x0005FDB8) = 0
11557: write(5, "1503\0\00202 *", 7) = 7
11557: time() = 1017085844
#
# ldap_simple_bind fails
#
11557/1: <- libldapssl40:ldap_simple_bind() = -1
11557/1: -> libldapssl40:ldap_get_lderrno(0x3e4c0, 0x0, 0x0, 0xffbee690)
11557/1: <- libldapssl40:ldap_get_lderrno() = 81
11557/1: -> libldapssl40:ldap_err2string(0x51, 0x0, 0x0, 0xffbee690)
11557/1: <- libldapssl40:ldap_err2string() = 0xff063970
11557: getpid() = 11557 [11556]
11557: open("/proc/11557/psinfo", O_RDONLY) = 6
11557: read(6, "\f01 NC8\0\0\004\0\0 - %".., 336) = 336
11557: close(6) = 0
11557: fstat(-1, 0xFFBED968) Err#9 EBADF
11557: open("/dev/conslog", O_WRONLY) = 6
11557: fcntl(6, F_SETFD, 0x00000001) = 0
11557: fstat(6, 0xFFBED968) = 0
11557: fstat(6, 0xFFBEE3C8) = 0
11557: time() = 1017085844
11557: open("/usr/share/lib/zoneinfo/GB", O_RDONLY) = 7
11557: read(7, " T Z i f\0\0\0\0\0\0\0\0".., 8192) = 1323
11557: close(7) = 0
11557: getpid() = 11557 [11556]
11557: putmsg(6, 0xFFBEDA80, 0xFFBEDA74, 0) = 0
11557: open("/var/run/syslog_door", O_RDONLY) = 7
11557: door_info(7, 0xFFBED9B8) = 0
11557: getpid() = 11557 [11556]
11557: door_call(7, 0xFFBED9A0) = 0
11557: close(7) = 0
11557: fstat(6, 0xFFBEF200) = 0
11557: time() = 1017085844
11557: getpid() = 11557 [11556]
11557: putmsg(6, 0xFFBEE8B8, 0xFFBEE8AC, 0) = 0
11557: open("/var/run/syslog_door", O_RDONLY) = 7
11557: door_info(7, 0xFFBEE7F0) = 0
11557: getpid() = 11557 [11556]
11557: door_call(7, 0xFFBEE7D8) = 0
11557: close(7) = 0
#
# pam_chauthtok = 12 = PAM_AUTHINFO_UNAVAIL /usr/include/security/pam_appl.h
#
11557/1: <- libpam:pam_chauthtok() = 12
11557/1: -> libpam:pam_end(0x38ba0, 0x0, 0x0, 0x0)
11557/1: -> libldapssl40:ldap_unbind(0x3e4c0, 0x3e4c0, 0x38930, 0xff1b800c)
11557/1: <- libldapssl40:ldap_unbind() = 0
11557/1: <- libpam:pam_end() = 0
11557: write(2, " P e r m i s s i o n d".., 17) = 17
11557: write(2, "\n", 1) = 1
11557: llseek(0, 0, SEEK_CUR) = 528136
11557: _exit(1)
# uname -a
SunOS sun6.CPQUNIX.NET 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10
#
# grep -v '#' /etc/ldap.conf | uniq
host 16.37.3.118
base dc=cpqunix,dc=net
referrals no
binddn cn=administrator,cn=users,dc=cpqunix,dc=net
bindpw Passport
rootbinddn cn=administrator,cn=users,dc=cpqunix,dc=net
nss_map_objectclass posixAccount User
nss_map_attribute uid msSFUName
nss_map_attribute uniqueMember posixMember
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute msSFUName
pam_filter objectclass=User
pam_password ad
ssl on
sslpath /etc/ssl/certs/cert7.db
#
# grep -v '#' /etc/pam.conf | uniq
login auth sufficient /usr/lib/security/pam_ldap.so.1
login auth required /usr/lib/security/pam_unix.so.1 try_first_pass
telnet auth sufficient /usr/lib/security/pam_ldap.so.1
telnet auth sufficient /usr/lib/security/pam_unix.so.1 try_first_pass
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin auth sufficient /usr/lib/security/pam_ldap.so.1
rlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/pam_ldap.so.1
dtlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass
rsh auth required /usr/lib/security/pam_rhosts_auth.so.1
other auth sufficient /usr/lib/security/pam_ldap.so.1
other auth required /usr/lib/security/pam_unix.so.1 try_first_pass
login account sufficient /usr/lib/security/pam_ldap.so.1
login account required /usr/lib/security/pam_unix.so.1
dtlogin account sufficient /usr/lib/security/pam_ldap.so.1
dtlogin account required /usr/lib/security/pam_unix.so.1
other account sufficient /usr/lib/security/pam_ldap.so.1
other account required /usr/lib/security/pam_unix.so.1
other session required /usr/lib/security/pam_unix.so.1
other password required /usr/lib/security/pam_ldap.so
#
# grep -v '#' /etc/nsswitch.conf | uniq
passwd: files ldap
group: files ldap
hosts: files dns ldap
services: files ldap [NOTFOUND=return] files
networks: ldap [NOTFOUND=return] files
protocols: ldap [NOTFOUND=return] files
rpc: ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files
netmasks: files
bootparams: files
publickey: files
automount: files
aliases: files
sendmailvars: files
netgroup: files nis
# # *** pam_ldap.so Makefile configured as follows ***
#
# #
./configure --with-ldap-lib=netscape4 --with-ldap-dir=/export/home/dav/Netscape/ldapsdk-40 --enable-ssl
#
# ls -l /usr/lib/security/pam_ldap.so*
lrwxrwxrwx 1 root other 27 Mar 19 23:38 /usr/lib/security/pam_ldap.so -> /lib/security/pam_ldap.so.1
-rwxr-xr-x 1 root root 116028 Mar 19 23:38 /usr/lib/security/pam_ldap.so.1
#
# ldd /usr/lib/security/pam_ldap.so.1
libpthread.so.1 => /usr/lib/libpthread.so.1
libldapssl40.so => /export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so
libnsl.so.1 => /usr/lib/libnsl.so.1
libcrypt_i.so.1 => /usr/lib/libcrypt_i.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
libpam.so.1 => /usr/lib/libpam.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libc.so.1 => /usr/lib/libc.so.1
libthread.so.1 => /usr/lib/libthread.so.1
libposix4.so.1 => /usr/lib/libposix4.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libgen.so.1 => /usr/lib/libgen.so.1
libaio.so.1 => /usr/lib/libaio.so.1
/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
# # *** nss_ldap.so Makefile configured as follows ***
#
# #
./configure --with-ldap-lib=netscape4 --with-ldap-dir=/export/home/dav/Netscape/ldapsdk-40 --enable-schema-mapping
#
# ls -l /usr/lib/nss_ldap.so*
lrwxrwxrwx 1 root other 18 Mar 19 23:55 /usr/lib/nss_ldap.so -> /lib/nss_ldap.so.1
-rwxr-xr-x 1 root root 1069432 Mar 19 23:55 /usr/lib/nss_ldap.so.1
#
# ldd /usr/lib/nss_ldap.so.1
libpthread.so.1 => /usr/lib/libpthread.so.1
libldapssl40.so => /export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so
libdb-3.1.so => /usr/lib/libdb-3.1.so
libdl.so.1 => /usr/lib/libdl.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
libc.so.1 => /usr/lib/libc.so.1
libthread.so.1 => /usr/lib/libthread.so.1
libposix4.so.1 => /usr/lib/libposix4.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libaio.so.1 => /usr/lib/libaio.so.1
/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
#
# ldd /export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so
libthread.so.1 => /usr/lib/libthread.so.1
libposix4.so.1 => /usr/lib/libposix4.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
libc.so.1 => /usr/lib/libc.so.1
libaio.so.1 => /usr/lib/libaio.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
#
# file /export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so
/export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so: ELF 32-bit MSB dynamic lib SPARC Version 1, dynamically linked, not stripped
#
# sum /export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so
19854 3074 /export/home/dav/Netscape/ldapsdk-40/lib/libldapssl40.so
#
# which passwd
/usr/bin/passwd
# ldd /usr/bin/passwd
libcmd.so.1 => /usr/lib/libcmd.so.1
libcrypt_i.so.1 => /usr/lib/libcrypt_i.so.1
libbsm.so.1 => /usr/lib/libbsm.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libpam.so.1 => /usr/lib/libpam.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libsldap.so.1 => /usr/lib/libsldap.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libc.so.1 => /usr/lib/libc.so.1
libgen.so.1 => /usr/lib/libgen.so.1
libldap.so.4 => /usr/lib/libldap.so.4
libdoor.so.1 => /usr/lib/libdoor.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
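To make the SSL exchange in the truss trace legible, here is an added decoder (not part of the original post, nor of pam_ldap, the Netscape SDK or any other library mentioned) for the record bytes truss printed on fd 5. It assumes truss's quoting shows non-printable bytes as hex pairs and printable bytes as their ASCII characters, so "1603\0" + "10 V" is 16 03 00 10 56 and "1503\0\00202 *" is 15 03 00 00 02 02 2A; the name tables follow the SSL 3.0 / TLS 1.0 specifications.

```python
import struct

# SSLv3/TLS record content types and alert codes (SSL 3.0 / RFC 2246 values).
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}


def parse_record_header(data):
    """Decode a 5-byte SSLv3/TLS record header into
    (content type name, 'major.minor' version, body length)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    name = CONTENT_TYPES.get(ctype, "unknown(0x%02x)" % ctype)
    return name, "%d.%d" % (major, minor), length


def parse_alert(data):
    """Decode a complete alert record (header + 2-byte body) into a dict."""
    ctype, version, length = parse_record_header(data)
    if ctype != "alert" or length != 2 or len(data) < 7:
        raise ValueError("not a complete alert record")
    level, desc = data[5], data[6]
    return {"version": version,
            "level": ALERT_LEVELS.get(level, str(level)),
            "description": ALERT_DESCRIPTIONS.get(desc, str(desc)),
            "code": desc}


# Bytes transcribed from the truss trace above (see the assumption about
# truss quoting in the lead-in): the record header the client read from
# the Win2K server, and the 7-byte record it wrote back just before
# ldap_simple_bind() returned -1.
SERVER_RECORD_HEADER = bytes.fromhex("160300") + b"\x10V"
CLIENT_ALERT = bytes.fromhex("150300000202") + b"*"

if __name__ == "__main__":
    print(parse_record_header(SERVER_RECORD_HEADER))  # handshake, 3.0, 4182 bytes
    print(parse_alert(CLIENT_ALERT))                  # fatal bad_certificate (42)
```

Decoded this way, the server's record is a 4182-byte SSL 3.0 handshake message (matching the 1455 + 2727 bytes read in two pieces), and the 7 bytes the Solaris client wrote back are a fatal alert with description 42, bad_certificate, which fits the trace's own reading that the server certificate was checked against cert7.db and rejected because the issuing CA is not in that database.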