LdapErr: DSID-0C0903AA, data 52e: authenticating against AD '08 with pam_ldap
Tail between my legs I'll have to answer this one because I have the embarrassing inside information.
I did not realize that you had to create a regular Unix user on the system to be able to login. As soon as I created a user matching ivasta I was able to login with that users AD password.
Only thing I can't do is change the password, even with pam_password ad but that doesn't matter because this is only for username logging purposes.
Related videos on Youtube
Stefan Midjich
Updated on September 18, 2022Comments
-
Stefan Midjich almost 2 years
I have full admin access to the AD '08 server I'm trying to authenticate towards.
The error code means invalid credentials, but I wish this was as simple as me typing in the wrong password.
First of all, I have a working Apache mod_ldap configuration against the same domain.
AuthType basic AuthName "MYDOMAIN" AuthBasicProvider ldap AuthLDAPUrl "ldap://10.220.100.10/OU=Companies,MYCOMPANY,DC=southit,DC=inet?sAMAccountName?sub?(objectClass=user)" AuthLDAPBindDN svc_webaccess_auth AuthLDAPBindPassword mySvcWebAccessPassword Require ldap-group CN=Service_WebAccess,OU=Groups,OU=MYCOMPANY,DC=southit,DC=inet
I'm showing this because it works without the use of any Kerberos, as so many other guides out there recommend for system authentication to AD.
Now I want to translate this into pam_ldap.conf for use with OpenSSH.
The /etc/pam.d/common-auth part is simple.
auth sufficient pam_ldap.so debug
This line is processed before any other.
I believe the real issue is configuring pam_ldap.conf.
host 10.220.100.10 base OU=Companies,MYCOMPANY,DC=southit,DC=inet ldap_version 3 binddn svc_webaccess_auth bindpw mySvcWebAccessPassword scope sub timelimit 30 pam_filter objectclass=User nss_map_attribute uid sAMAccountName pam_login_attribute sAMAccountName pam_password ad
Now I've been monitoring ldap traffic on the AD host using wireshark. I've captured a successful session from Apache's mod_ldap and compared it to a failed session from pam_ldap.
The first bindrequest is a success using the svc_webaccess_auth account, the searchrequest is a success and returns a result of 1. The last bindrequest using my user is a failure and returns the above error code.
Everything looks identical except for this one line in the filter for the searchrequest, here showing mod_ldap.
Filter: (&(objectClass=user)(sAMAccountName=ivasta))
The second one is pam_ldap.
Filter: (&(&(objectclass=User)(objectclass=User))(sAMAccountName=ivasta))
My user is named ivasta. However, the searchrequest does not return failure, it does return 1 result. I've also tried this with ldapsearch on the cli.
It's the bindrequest that follows the searchrequest that fails with the above error code 52e.
Here is the failure message of the final bindrequest.
resultcode: invalidcredentials (49) 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772
This should mean invalid password but I've tried with other users and with very simple passwords.
Does anyone recognize this from their own struggles with pam_ldap and AD?
Edit: Worth noting is that I've also tried pam_password crypt, and pam_filter sAMAccountName=User because this worked when using ldapsearch.
ldapsearch -LLL -h 10.220.100.10 -x -b "ou=Users,ou=mycompany,dc=southit,dc=inet" -v -s sub -D svc_webaccess_auth -W '(sAMAccountName=ivasta)'
This works using the svc_webaccess_auth account password. This account has scan access to that OU for use with apache's mod_ldap.
Edit2: This is all I get in the AD '08 logs when I fail to login.
An account failed to log on. Subject: Security ID: SYSTEM Account Name: WIN-DC02$ Account Domain: SOUTHIT Logon ID: 0x3e7 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: ivasta Account Domain: SOUTHIT Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x264 Caller Process Name: C:\Windows\System32\lsass.exe Network Information: Workstation Name: WIN-DC02 Source Network Address: 10.220.100.105 Source Port: 44565 Detailed Authentication Information: Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested
-
Stefan Midjich almost 12 yearsNobody respond to this, turns out I misunderstood ldap authentication. I had not created a matching local user. Doing so it immediately started working with AD password, and if AD password was entered incorrectly the local password could take over, in the correct PAM order. Embarrassing.
-