Problem with "Identity Management for Unix"

Mark Jenks
02-07-2007, 08:33 PM
We currently have all of our Linux servers using Pam to our DC (DC1)
running 2003 R2.

I currently brought up a second 2003 R2 (DC2) to start building it to
swap and replace a 2000 DC, it has been Dcpromo'd and I will change IP
and Name when I demote the original DC.

Now that the second DC is up (temp name and IP), all Pam requests are
now hitting DC2, even though the ldap.conf is set only to look at DC1.

Now I want to shut down DC2 and move it to the final rack to start the
swap.

But as soon as I take DC2 down, all the Linux boxes fail on Pam.

Thoughts?!

-Mark

/etc/ldap.conf
-------------
host dc1.domain.com
base dc=domain,dc=com
ldap_version 3
binddn cn=LDAP Bind User,ou=Restricted Users,dc=domain,dc=com

/etc/ldap/ldap.conf
----------------------------
BASE dc=domain,dc=com
URI ldaps://dc1.domain.com
HOST dc1.domain.com
TLS_CACERT /etc/openldap/cacerts/adcert.pem
TLS_REQCERT never
binddn "cn=LDAP Bind User,ou=Restricted Users,dc=domain,dc=com"
bindpwd ldap
 
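Looking at the two config files in the post from the defending side: this is an added example (not from the thread, pam_ldap or OpenLDAP), a small Python linter that parses the posted /etc/ldap/ldap.conf and flags `TLS_REQCERT never` (no certificate check on the DC), the bind password sitting in the config file, and the single-DC setup that leaves no failover when one server is down. The hardened variant and the name dc2.domain.com are assumptions for illustration.

```python
import re
# Constructed input: the /etc/ldap/ldap.conf posted in the thread, with the
# bind password replaced by a placeholder.
POSTED_CONF = """\
BASE dc=domain,dc=com
URI ldaps://dc1.domain.com
HOST dc1.domain.com
TLS_CACERT /etc/openldap/cacerts/adcert.pem
TLS_REQCERT never
binddn "cn=LDAP Bind User,ou=Restricted Users,dc=domain,dc=com"
bindpwd PLACEHOLDER
"""

# Constructed hardened variant (assumed DC name dc2): certificate verified,
# both DCs listed for failover, bind password moved out of this file.
HARDENED_CONF = """\
BASE dc=domain,dc=com
URI ldaps://dc1.domain.com ldaps://dc2.domain.com
TLS_CACERT /etc/openldap/cacerts/adcert.pem
TLS_REQCERT demand
binddn "cn=LDAP Bind User,ou=Restricted Users,dc=domain,dc=com"
"""

def parse_ldap_conf(text):
    """Map upper-cased directive -> value; OpenLDAP and pam_ldap both treat
    directive names case-insensitively, so URI and uri merge."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].upper()] = parts[1].strip('"') if len(parts) > 1 else ""
    return conf

def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if conf.get("TLS_REQCERT", "").lower() in ("never", "allow"):
        findings.append("TLS_REQCERT does not verify the DC certificate")
    if "BINDPWD" in conf or "BINDPW" in conf:
        findings.append("bind password kept in ldap.conf (use a root-only secret file)")
    servers = conf.get("URI", "").split() + conf.get("HOST", "").split()
    if any(s.startswith("ldap://") for s in servers):
        findings.append("plain ldap:// URI: bind credentials cross the wire unencrypted")
    hosts = {re.sub(r"^\w+://", "", s) for s in servers}  # distinct DCs
    if len(hosts) < 2:
        findings.append("only one DC listed: no failover if it goes down")
    return findings
```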
Ace Fekay [MVP]
02-09-2007, 12:00 AM
In news:602BDBE5-C155-459F-9219-(E-Mail Removed),
Mark Jenks <(E-Mail Removed)> stated, which I commented
on below:

Have you contacted the makers of PAM to see if they have a solution?

I posted a response almost two months ago for your previous identical post.
Did you see it? Were you able to read it or access it? I'm not sure because
I didn't see a response. So just in case you weren't able to access or read
the post, here is a repost below.


==========================================
I remember a similar issue with OSx and AD when we had to bind it to AD. I
believe it was when we kerberized it we had to state that in the process,
but it was so long ago and can't remember. Just going by some memory on this
and guidelines, we needed to kerberize it so it would allow and force
authentication for resource access from Mac users through AD using a specific
DC and not OSx. Was the Unix box kerberized?

But honestly, I can't help much more than this because it was a while ago,
and I am not familiar with what PAM (Pluggable Authentication Modules) is or
how it works. Here are some hits I found in Google that may help you:

http://www.google.com/search?sourcei...ng+wrong+AD+DC

I hope my comments may guide you in the right direction.
==========================================

Ace
Mark Jenks
02-09-2007, 12:14 AM
Right after I posted this again, I found your link.

I've been doing a lot of testing of things today using some of your ideas, but
I still don't have an answer yet.

I can do an ldapsearch against both DCs, and they both respond to the right
queries and return the right values. So the DC that it is ignoring is also
giving valid responses.

I also did a tcpdump -i eth0 host (dc1 + dc2), and it is actually running
the query against both DCs. But if I bring down DC2, it just dies.

Not quite sure what to test next.

I'll try and track down Pam developers and ask them.

I was wondering if there is something within AD, for a redirect or something?

Ace Fekay [MVP]
02-14-2007, 03:02 AM
In news:4A3C9D2D-3D44-4A66-B54E-(E-Mail Removed),
Mark Jenks <(E-Mail Removed)> stated, which I commented
on below:

Sorry for the late response. Maybe the only other thing that comes to mind
is to unbind it and then rebind it. I think we did that with OSx because it
kept chasing the wrong DC, but discovered it was a GC. It's been a while but
I think we swapped GCs and it worked. But it was so long ago, I am just
going on a sketchy memory.

PAM devs are the only thing I can think of. If you get a hold of them, let me
know what they say.

Ace