AD: pam_ldap (Strong(er) authentication required)


menziesii

I have successfully bound a FreeNAS system to our AD infrastructure but I'm running into an issue with pam_ldap, nss_ldap, and other commands like id to show user info.

Our DCs require signed ldap connections, and on our RedHat systems, we usually solve this with Samba/Winbind by adding client sasl wrapping = seal to smb.conf. I've added that as a supplemental parameter for CIFS, but we're still encountering errors such as the following:


Code:
sshd[7951]: pam_ldap: error trying to bind (Strong(er) authentication required)
cron[7981]: nss_ldap: could not search LDAP server - Server is unavailable
id: nss_ldap: could not search LDAP server - Server is unavailable
smbd[6287]: nss_ldap: could not search LDAP server - Server is unavailable


wbinfo suggests everything is okay:

Code:
# wbinfo -t
checking the trust secret for domain AD via RPC calls succeeded


Code:
# wbinfo -u
user1_name
user2_name
etc...


Code:
# wbinfo -g
group one
group two
etc...


Running queries with ldapsearch using Kerberos auth works, and klist shows correct ticket information.

Build is FreeNAS-9.2.1.3-RELEASE-x64 (dc0c46b)
98248MB RAM

Any ideas on this one?
 

menziesii

Just to add:

service ix-pam start
service ix-nsswitch start

don't return any errors, but querying those services suggests they aren't running. However, I'm not sure if the rc.d service files actually have a facility for returning a status to begin with; I only looked through the service script quickly.

As expected, getent user1_name doesn't return anything, and logs a message in /var/log/messages suggesting the ldap server is unavailable.
 

menziesii

Thanks, I've been pounding my head against a wall on this one.

That sure looks like the same issue. Our DCs allow non-SSL/TLS connections, but if so, integrity checking has to be on.

It's odd, as ldap signing in samba should solve the issue as far as I can tell, and I can verify with testparm that it is active as an additional parameter. In addition, the typical ldap client cli tools have no problem searching the directory with the bind provided.
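The "Strong(er) authentication required" text in the sshd log above is OpenLDAP's wording for LDAP result code 8 (strongerAuthRequired), which is what a DC that requires integrity checking returns to a plain, unsigned simple bind; the wbinfo and ldapsearch checks pass because they use Kerberos/SASL, while pam_ldap and nss_ldap are doing a simple bind. As an added example, not code from the thread or from FreeNAS, here is a minimal BER decoder for an LDAP BindResponse that recognises that result code; the sample bytes are constructed, and the AD-style comment text is assumed.

```python
LDAP_RESULT_NAMES = {0: "success", 8: "strongerAuthRequired", 49: "invalidCredentials"}

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    if len(value) < 128:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg: bytes) -> dict:
    """Extract messageID, resultCode and diagnosticMessage from an LDAPMessage (RFC 4511)."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:  # [APPLICATION 1] = BindResponse
        raise ValueError("expected BindResponse")
    tag, code, pos = _read_tlv(op, 0)         # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(op, pos)  # LDAPDN matchedDN (not needed here)
    _, diag, _ = _read_tlv(op, pos)           # LDAPString diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msg_id, "big"), "result_code": rc,
            "result_name": LDAP_RESULT_NAMES.get(rc, "other"),
            "diagnostic": diag.decode("utf-8", "replace")}

def needs_signing(resp: dict) -> bool:
    """True when the server refused the bind for lacking integrity protection (code 8)."""
    return resp["result_code"] == 8

# Constructed sample (not a real capture): messageID 1, resultCode 8, empty matchedDN.
SAMPLE_DIAG = b"comment: The server requires binds to turn on integrity checking if SSL\\TLS are off"
SAMPLE_BIND_RESPONSE = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(
    0x61, _tlv(0x0A, b"\x08") + _tlv(0x04, b"") + _tlv(0x04, SAMPLE_DIAG)))

if __name__ == "__main__":
    r = parse_bind_response(SAMPLE_BIND_RESPONSE)
    print(r["result_name"], "->", "bind needs signing or TLS" if needs_signing(r) else "ok")
```

Run against a packet capture of the pam_ldap bind, a result code of 8 here confirms the DC policy, not a credential problem, so the fix is on the client's bind method rather than the password.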
 

dlavigne

It's odd, as ldap signing in samba should solve the issue as far as I can tell, and I can verify with testparm that it is active as an additional parameter. In addition, the typical ldap client cli tools have no problem searching the directory with the bind provided.

That would be useful info to add to that bug as a comment.
 