Redhat Linux 6.6 and LDAP

My apologies for the ignorant questions; I am new to Redhat Linux, but I learn quickly! :-)

I have received the responsibility of administering our Linux Redhat 6.6 environment and I have run into an issue.

We are a Windows 2008 - Active Directory environment and our Redhat Linux Servers are authenticating users via LDAP.  I had created a new user in AD and added him to the associated Linux Access Groups.

Unfortunately, when this user tries to use PuTTY or log on to the Linux Server console he receives Access Denied. Other users who are in the same AD - Linux groups are able to log on.

When I perform a getent passwd, the server will list all of the local and AD users who can login, however this new user is not listed. Also, when I perform a getent group, it lists all of the groups including the AD groups, however the new user is not listed in the Linux AD Group I added it to.

Any assistance or thoughts on this would be greatly appreciated! Thank you in advance for any assistance!
rmessing171 (Consultant) asked:
Daniel McAllister (President, IT4SOHO, LLC) commented:
The first issue I would look at is to verify that both systems are working with the same AD server. To that end, from a DOS PROMPT on the server you added the new user to, please run:
  net group /domain <your_groupname>

Then, on your linux system, get a terminal window (another command prompt, by another name) & run:
  net ads testjoin
This will ensure your connection to the AD server is valid
  getent group <Domain & Group Name>
This will show what Samba thinks are the members of the group on ADS.

These should confirm your earlier report, that your join is OK, and that you still do NOT see the new user. That is because winbind (by default) will CACHE the AD values for user & group IDs. It will look to the AD server if there is an error (like in a user not found, or a password failure) -- but it doesn't automatically refresh group membership the same way (for several reasons).

So, what you'll do lastly here is (on the Linux server), run
  service winbind reload

This will force a refresh of the ADS tables, including group memberships. So, then retry the wbinfo command above and you should see the fresh data.

I hope this helps!

Dan
IT4SOHO
rmessing171 (Consultant, Author) commented:
Hi Dan,

Thank you for the detailed info and assistance!  I have been wrestling with this for days.

Here are my results from your coaching:

When I perform:

On the AD Server: net group /domain "Linux" - I successfully get all of the users in the Linux AD group

On the Linux Server:

net ads testjoin - I receive - "Join is OK"

getent group COMP "Linux"  - I receive all of the members in the group as I saw when I perform net group /domain "Linux" on the AD Server.

service winbind reload - I receive

[root@sar26app79 ~]# service winbind reload
Reloading smb.conf file:                                   [FAILED]

Any ideas?

One other thing - I noticed on my Active Directory - When I edited the group Linux there was a note that stated - "Need to add members to this group and on the UNIX Attributes tab". Where can I find the UNIX Attributes Tab?
gheist commented:
You need to check if wbinfo -u lists the user in question and switch authentication from ldap to winbind.
It may involve re-shuffling UIDs.
Correct way as of RHEL7 is to employ SSSD for all your authentication integration needs.
Daniel McAllister (President, IT4SOHO, LLC) commented:
OK, the only way you could be getting a FAILED on winbind on Linux, but still getting any output for getent would be if you're using SAMBA 4 (vs. Samba 3), or if winbind was not running due to a corrupt cache.

Let's start with a scalpel -- try this command and then retest:
  net cache flush

Alternatively, we can take a sledge hammer to this one & issue the following commands:
NOTE: If you're using samba installs from a non-standard repo (like SerNet), these commands may not work!
  service winbind stop   # will stop winbind -- ignore any error
  service smb stop       # will stop file shares -- if error, try replacing smb with samba
  net cache flush        # same as above
  rm -f /var/lib/samba/*.tdb
  rm -f /var/lib/samba/group_mapping.ldb
  service smb start      # if error, use samba like we did above
  service winbind start  # if error, we have bigger problems

I hope this helps!

Dan
IT4SOHO
rmessing171 (Consultant, Author) commented:
Gheist - thank you for the suggestion. I performed a wbinfo -u and it did indeed show the user in question.

Quick question:

How do I go about switching authentication from ldap to winbind and re-shuffling UIDs?
rmessing171 (Consultant, Author) commented:
Hi Dan:

I got a little further.

I performed the following:

net cache

service winbind restart

Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]

service winbind reload
Reloading smb.conf file:                                   [  OK  ]

When I perform a getent group, I still don't see the user I am looking for that is in the Linux group in AD.

Any ideas?
gheist commented:
authconfig --help
man authconfig
system-config-auth-tui
Daniel McAllister (President, IT4SOHO, LLC) commented:
With regards to LDAP vs. winbind auth, just show us the output of:
   cat /etc/nsswitch.conf | grep passwd

The line (well, the one that doesn't start with a #) will either say winbind or some other kind of ldap.
I suspect it already says winbind, but I'll await your response to be sure.

Dan
IT4SOHO
rmessing171 (Consultant, Author) commented:
Hi Dan,

When I perform cat /etc/nsswitch.conf | grep passwd

I received back:

#passwd:    db files nisplus nis
passwd:     files sss
gheist commented:
You use sssd. Ignore all we told you about winbind.
Easiest way to configure it is authconfig-tui
Daniel McAllister (President, IT4SOHO, LLC) commented:
That explains why winbind's cache clearing wasn't working -- you're not using winbind!

I remain convinced that your configs work fine (other users login without incident), and that your issue is one of cached data.

Fortunately, in sss there is an anticipation of that issue, so there is a special command for it. Please run:
  sss_cache -E

This is a "sledge hammer" (because it invalidates your entire LDAP cache), but better than trying to wrestle with the formatting of detailed arguments.

Dan
IT4SOHO
rmessing171 (Consultant, Author) commented:
Hi Dan and Gheist - Thank you very much for assisting me!

Dan - Just curious as to what you mean that this is a Sledge Hammer; what will the impact be?

Thank you again for your assistance!
-Rich
Daniel McAllister (President, IT4SOHO, LLC) commented:
lol - my comment about the sss_cache command is in regards to the -E option -- which says to flush EVERYTHING out of the sss cache (users, groups, gpos, etc).

Theoretically, you could flush just the group information, but as I noted, it's far too difficult to determine the arguments exactly... easier to just flush the entire cache and re-load it.

Dan
IT4SOHO
rmessing171 (Consultant, Author) commented:
Thank you for this info Dan!

I just performed the sss_cache -E and it did not produce a response; it just gave me another # prompt.

Is there anything else I should do?

After performing the sss_cache -E, I performed a getent group and getent passwd and I do not see the AD account I am looking for.

What else could I try?
rmessing171 (Consultant, Author) commented:
Dan and Gheist:

I just performed  the command to restart SSSD:

service sssd restart

Then I performed getent group, and saw the accounts added to the proper groups! However, when I performed another getent group, the accounts were removed.

It seems as if something may be corrupted?  Is there something I should reinstall to get SSSD working properly?

What are your thoughts?
gheist commented:
Your sssd is unstable.
I suggest buggering RHEL support and digging through sssd debug logs.

Do you have nscd running? Make sure you stop it when manipulating any authentication brokers (-E flags etc)
rmessing171 (Consultant, Author) commented:
Thank you for this Gheist. I actually did not stop nscd when I performed the sss_cache -E.

What is the command to stop and start nscd?

This may be an ignorant question, but what is nscd?
gheist commented:
service nscd stop
service nscd start
man nscd
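As an added example that is not from any participant in this thread, the POSIX sh script below ties the diagnosis together: it reads the active passwd, shadow and group lines of an nsswitch.conf (skipping commented-out lines like the "#passwd: db files nisplus nis" one shown above), checks that all three databases name the same backend, and prints the cache-flush sequence the thread arrived at for that backend (sss_cache -E then an sssd restart for sss, net cache flush then a winbind restart for winbind), bracketed by an nscd stop/start when nscd is running. The nsswitch.conf text is a constructed sample built from the lines the asker posted; the nss_backend, consistent_backend and flush_plan function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: pick the NSS backend from nsswitch.conf
# and print the matching cache-flush sequence, with nscd stopped around it.

# nss_backend DB   (nsswitch.conf text on stdin)
# Prints the first non-"files" source on the active DB line; commented-out
# lines such as "#passwd: db files nisplus nis" are skipped.
nss_backend() {
    awk -v db="$1" '
        $0 !~ /^[ \t]*#/ && $1 == (db ":") {
            for (i = 2; i <= NF; i++) if ($i != "files") { print $i; exit }
            print "files"; exit
        }'
}

# consistent_backend CONF_TEXT
# Prints the shared backend, or fails if passwd, shadow and group disagree
# (a mixed setup would explain user lookups working while group lookups lag).
consistent_backend() {
    ref=$(printf '%s\n' "$1" | nss_backend passwd)
    for db in shadow group; do
        got=$(printf '%s\n' "$1" | nss_backend "$db")
        if [ "$got" != "$ref" ]; then
            echo "mismatch: $db uses '$got' but passwd uses '$ref'" >&2
            return 1
        fi
    done
    echo "$ref"
}

# flush_plan BACKEND NSCD_RUNNING(yes|no)
# Prints the commands one per line; nothing here executes them.
flush_plan() {
    if [ "$2" = yes ]; then echo "service nscd stop"; fi
    case $1 in
        sss)     echo "sss_cache -E"; echo "service sssd restart" ;;
        winbind) echo "net cache flush"; echo "service winbind restart" ;;
        *)       echo "# no cache flush known for backend '$1'" ;;
    esac
    if [ "$2" = yes ]; then echo "service nscd start"; fi
}

# Constructed sample built from the lines the asker posted.
SAMPLE_CONF='#passwd:    db files nisplus nis
passwd:     files sss
shadow:     files sss
group:      files sss'
backend=$(consistent_backend "$SAMPLE_CONF") || exit 1
if pgrep -x nscd >/dev/null 2>&1; then nscd=yes; else nscd=no; fi
flush_plan "$backend" "$nscd"
```

On a real host, replace SAMPLE_CONF with `$(cat /etc/nsswitch.conf)`; the script only prints the plan, so the operator still decides whether to run it.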
