[user@server ~]# id username
uid=100001(username) gid=100(users) groups=100(users),10000(sudo)
But when I try `su username`, it says the password is incorrect:
[user@server ~]# su username
su: incorrect password
/var/log/secure
Jan 23 05:52:52 Server001 su: pam_unix(su:auth): authentication failure; logname=shell_username uid=12 euid=0 tty=pts/0 ruser=shell_username rhost= user=my_username
Jan 23 05:52:52 Server001 su: pam_krb5[16895]: authentication fails for 'my_username' (my_usernmae@example.com)
It's as if the password is being checked locally.
It had to be something to do with ldap.conf, because AD used to reset the connection whenever I tried "id username"; after modifying ldap.conf, "id username" works. Any idea what could be wrong in ldap.conf?
ldap.conf
# ldap.conf used for NSS/PAM lookups against an Active Directory domain.
# NOTE(review): this file mixes two dialects — the nss_map_*/nss_base_*/pam_*
# lines are PADL nss_ldap/pam_ldap syntax, while the "filter ..." and
# "map shadow ..." lines are nss-pam-ldapd (nslcd) syntax; whichever
# implementation reads this file silently ignores the other's directives.
# Confirm which client is installed before relying on either set.
base dc=example,dc=com
uri ldap://example.com
# Plain ldap:// with ssl disabled: the simple bind below (binddn + bindpw)
# and all directory queries cross the network unencrypted. Presumably a lab
# setting — confirm before using this in production.
ssl no
binddn cn=Ldap Bind,cn=Users,dc=example,dc=com
# Clear-text bind password (the value shown is a placeholder); keep this file
# readable by root only, and give the bind account read-only directory rights.
bindpw bind_password_here
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus
scope sub
# Only AD user objects that carry POSIX attributes are exposed as passwd entries.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute loginShell loginShell
# pam_ldap settings: only consulted when pam_ldap.so is actually enabled in
# the PAM stack (/etc/pam.d/system-auth-ac).
pam_login_attribute sAMAccountName
pam_filter objectclass=User
# NOTE(review): nss_ldap documents this directive as "nss_base_passwd"; if the
# spelling here is not recognised, passwd lookups fall back to the global
# "base" above with "scope sub" — confirm against the installed client.
nss_base_password cn=Users,dc=example,dc=com
nss_base_shadow cn=Users,dc=example,dc=com
nss_base_group cn=Users,dc=example,dc=com
#pam_password example
referrals no
# Shadow view additionally excludes accounts whose userAccountControl has the
# ACCOUNTDISABLE bit (0x2) set, via the LDAP_MATCHING_RULE_BIT_AND rule OID.
filter shadow (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
filter group (&(objectClass=group)(gidNumber=*))
~
/etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# Local /etc/shadow check; "nullok" accepts an empty password for local
# accounts. For a directory-only user this module cannot succeed, which is the
# "pam_unix(su:auth): authentication failure" line seen in /var/log/secure.
auth sufficient pam_unix.so nullok try_first_pass
# System accounts (uid < 500) never reach the network modules below.
auth requisite pam_succeed_if.so uid >= 500 quiet
# Kerberos check against the realm; the "pam_krb5 ... authentication fails"
# line in the log comes from here.
auth sufficient pam_krb5.so
# LDAP simple-bind authentication is disabled. With pam_ldap commented out,
# a directory user's password is validated only by pam_krb5 above; the
# binddn/bindpw in ldap.conf are used for lookups, not for user authentication.
#auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
#account required pam_unix.so broken_shadow
account required pam_unix.so
#account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
#account [default=bad success=ok user_unknown=ignore] pam_ldap.so
# Kerberos account policy is consulted; users unknown to Kerberos are ignored
# here and fall through to pam_permit.
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
# "md5" selects MD5-crypt for local password hashes; pam_unix also supports
# "sha512", which is the stronger choice for new local accounts.
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
# Password changes are never forwarded to Kerberos or LDAP while these stay
# commented out, so directory users cannot change their password through PAM.
#password sufficient pam_krb5.so use_authtok
#password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#session optional pam_krb5.so
#session optional pam_ldap.so
# Creates a missing home directory on first login, owner-only (umask 0077).
session required pam_mkhomedir.so skel=/etc/skel umask=0077