
I've got a configuration with a corporate Active Directory that contains usernames and passwords and is used for authentication. I stand up my own cloud resources, in my case Linux RHEL 7 hosts; I'm given an out-of-the-box configuration in which I create local (/etc/passwd) accounts for all users on each Linux host, and that account authenticates using krb5 against the corporate AD. That's all good and works.

However, I want to put my user information in LDAP instead of maintaining user information on every host. So I set up nslcd and openldap servers and clients. I define the user information (/etc/passwd equivalent) in OpenLDAP, but leave the password information out (that's still in AD). This configuration works when I login to the host via ssh (putty).

I also want to login to the Linux hosts via XRDP rather than direct VNC (since I'm coming from Windows). If I use the local file configuration, such that users are in /etc/passwd, krb5 to corporate AD for password auth, XRDP works. However, when I take the user out of /etc/passwd and shadow, put them in LDAP, even though ssh login works, XRDP login then does not.

/etc/pam.d/sshd and /etc/pam.d/xrdp-sesman are identical; both first contain corporate AD entries via pam_krb5, then regular unix/LDAP login configurations.

The problem appears to be that pam_krb5 does not get the UID/GID information when logging in via XRDP.

With the user in LDAP, /var/log/secure for ssh looks like:

Oct  3 13:20:56 host sshd[2407]: pam_krb5[2407]: TGT verified
Oct  3 13:20:56 host sshd[2407]: pam_krb5[2407]: authentication succeeds for 'USER' (USER@DOMAIN)
Oct  3 13:20:56 host sshd[2407]: Accepted password for USER from IP_ADDR port 63785 ssh2
Oct  3 13:20:56 host sshd[2407]: pam_unix(sshd:session): session opened for user USER by (uid=0)

With the user in /etc/passwd, XRDP (working) /var/log/secure looks kinda like:

Oct  3 13:17:55 host xrdp-sesman[799]: pam_krb5[799]: TGT verified
Oct  3 13:17:55 host xrdp-sesman[799]: pam_krb5[799]: authentication succeeds for 'USER' (USER@DOMAIN)
Oct  3 13:17:55 host xrdp-sesman[2143]: pam_unix(xrdp-sesman:session): session opened for user USER by (uid=0)
Oct  3 13:17:56 host polkitd[495]: Registered Authentication Agent for unix-session:9 (system bus name :1.54 [/usr/libexec/xfce-polkit], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

But then, in the configuration that does not work (user only in LDAP, logging in via XRDP), I get this in /var/log/secure:

Oct  3 13:21:40 host xrdp-sesman[799]: pam_krb5[799]: error resolving user name 'USER' to uid/gid pair
Oct  3 13:21:40 host xrdp-sesman[799]: pam_krb5[799]: error getting information about 'USER'
Oct  3 13:21:40 host xrdp-sesman[799]: pam_unix(xrdp-sesman:auth): check pass; user unknown
Oct  3 13:21:40 host xrdp-sesman[799]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost=

I've tried a variety of pam file changes without success. And I've searched for any variation I can think of without finding a similar problem/solution. Any recommendations would be appreciated. Thanks!

user1676075

1 Answer


I ended up figuring out what I was missing. Turns out I didn't have the LDAP configuration entries in /etc/libuser.conf. I added the LDAP connection info correctly in libuser.conf, rebooted (not sure if that was necessary or not), and then I get the expected correct login result in all use cases.

I hadn't seen references to needing to update that file in any LDAP configuration guides that I could find (nor do I ever recall doing so in the past when configuring a system, although maybe some command did it for me). This is the first time I'd tried an OpenLDAP config with XRDP. So presumably there is some interaction there that's different (obviously, based on what I've seen).

user1676075
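The failure in the question ("error resolving user name 'USER' to uid/gid pair") and the fix in the answer (LDAP settings in /etc/libuser.conf) both come down to whether a name-to-uid lookup succeeds on the host. The script below is an added example, not code from the question or the answer: it checks the three places such a lookup depends on (NSS via getent, the passwd/group lines of /etc/nsswitch.conf, and the [ldap] section plus "modules" key of /etc/libuser.conf) against constructed sample files so it runs offline. The libuser.conf section and key names are assumed from the stock file layout; compare them with the copy on your own host.

```shell
#!/bin/sh
# Added example (not part of the original post). Checks the pieces a
# name -> uid/gid lookup for an LDAP-only user depends on. File paths and
# libuser.conf key names are assumptions based on the stock RHEL 7 layout.

# nsswitch_has_ldap FILE: succeed if both the passwd and group lines list ldap.
nsswitch_has_ldap() {
    if grep -Eq '^passwd:.*[[:space:]]ldap([[:space:]]|$)' "$1" &&
       grep -Eq '^group:.*[[:space:]]ldap([[:space:]]|$)' "$1"; then
        return 0
    fi
    return 1
}

# libuser_has_ldap FILE: succeed if an uncommented "server =" exists under
# [ldap] and the "modules =" line under [defaults] mentions ldap (assumed keys).
libuser_has_ldap() {
    awk '
        /^[ \t]*#/ { next }                                   # skip comments
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
        section == "ldap"     && $0 ~ /^[ \t]*server[ \t]*=/  { have_server = 1 }
        section == "defaults" && $0 ~ /^[ \t]*modules[ \t]*=/ && $0 ~ /ldap/ { have_module = 1 }
        END { exit (have_server && have_module) ? 0 : 1 }
    ' "$1"
}

# user_resolves NAME: succeed if NSS returns a passwd entry for NAME. This goes
# through the same NSS path a PAM module uses when it asks for a uid/gid pair.
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# report USER NSSWITCH_FILE LIBUSER_FILE: print one line per check.
report() {
    user_resolves "$1"      && echo "getent:    $1 resolves"       || echo "getent:    $1 does NOT resolve"
    nsswitch_has_ldap "$2"  && echo "nsswitch:  ldap in passwd/group" || echo "nsswitch:  ldap MISSING from passwd/group"
    libuser_has_ldap "$3"   && echo "libuser:   [ldap] server and modules set" || echo "libuser:   no LDAP configuration"
}

# Constructed sample files (not real host configuration) so the script runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat >"$tmp/nsswitch.ok" <<'EOF'
passwd:     files ldap
shadow:     files
group:      files ldap
EOF
cat >"$tmp/nsswitch.bad" <<'EOF'
passwd:     files
group:      files
EOF
cat >"$tmp/libuser.ok" <<'EOF'
[defaults]
modules = files shadow ldap
[ldap]
server = ldap://ldap.example.internal
basedn = dc=example,dc=internal
EOF
cat >"$tmp/libuser.bad" <<'EOF'
[defaults]
# modules = files shadow
[ldap]
# server = ldap
EOF

echo "--- sample host with LDAP wired in ---"
report root "$tmp/nsswitch.ok" "$tmp/libuser.ok"
echo "--- sample host missing LDAP in nsswitch and libuser ---"
report root "$tmp/nsswitch.bad" "$tmp/libuser.bad"
```

To use it on a real host, call report with the LDAP-only account name and the real files (`report USER /etc/nsswitch.conf /etc/libuser.conf`) and run it first over ssh and then from an xrdp session; a getent failure points at NSS/nslcd, while a libuser-only failure matches the case the answer describes.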