
QUESTION - Authenticating OnCMD with W2K8 AD on a RHEL box...

Hello ... I want to start a thread on a specific configuration a customer is running and having difficulty making it work.

With the information I have (and let us assume that all versions are current and supported), a client has a RHEL system hosting OnCommand 5.X.  The RHEL host itself is configured to authenticate with the W2K8 domain controller and our admins can log in (ex: esynodinos) with a simple user name and their domain password just fine.  With OnCommand this is not the case.  A user by the name of esynodinos is on the OnCommand admin list with Global Full Control, yet the domain password is rejected.

I have searched the forums for ideas and it may be that we have to enter LDAP credentials into OnCommand to better pass authentication requests.

We are going to ask the customer what they do to get their RHEL boxes to authenticate properly.

In the meantime, I am hoping to get some ideas from the community here.

Thanks. 

Re: QUESTION - Authenticating OnCMD with W2K8 AD on a RHEL box...

Okay an update ... we may have the answer next week.

We do not have root access to the RHEL server so we will have to wait until next week, but through the access we have we believe the RHEL is configured with the PAM package, which allows authentication to a Windows AD system.  With that in mind, through a colleague's experience, they had to set a command line only option to make DFM pass the authentication properly through PAM.

The option in question is authUsePam and is only command line; once you enable it, it should just work.

However, since we are in a pickle with ROOT access, no matter how we tried to fool the host system, it refused us the ability to make the change.  On the actual system, our regular users can log into the host with local accounts.  Those same local accounts have DFM admin user entries with GlobalFullControl but are unable to make the command line change:

dfm option set authUsePam=yes

You must have the capability to perform the DFM Core Control operation in order to change these options.

Log in as a different administrator to try again.

My test instance allows me to make the change to the option.  The only difference is, my test instance is a Windows box and I am logged in as a domain administrator account (domain/esynodinos):


C:\script>dfm option set authUsePam=yes

Service DFMServer: Unable to connect to Service Control Manager: 5

Changed authenticate using PAM to Yes.

You must now restart the server service:

        dfm service stop server

        dfm service start server

Note: Since you have chosen to use PAM authentication which is used by the

server service, you must restart the server service every time you change

the PAM configuration on this system.

Re: QUESTION - Authenticating OnCMD with W2K8 AD on a RHEL box...

UPDATE - this did not work and now the curiosity is to understand if there are other Linux modules out there that can configure hosts to authenticate through an Active Directory.

Re: QUESTION - Authenticating OnCMD with W2K8 AD on a RHEL box...

Hi,

Why don't you use LDAP?

Look at this:

https://kb.netapp.com/support/index?page=content&id=1011398

It works fine and you could configure it without special permissions for root. Only a system account in the AD and two or more groups are necessary.

Regards

Martin

Re: QUESTION - Authenticating OnCMD with W2K8 AD on a RHEL box...

Correct ... we got the AD - LDAP information and plugged them into DFM and we can authenticate with AD accounts on a Linux box through AD.

This opens up other questions, like when an OnCommand Admin user named "pete" becomes recorded as a series of contain name properties.  This will be a separate thread.

Thank you.

Re: QUESTION - Authenticating OnCMD with W2K8 AD on a RHEL box...

Martin,

So I followed the instructions according to the kb article and I'm still having issues.  These are the settings that I have in my lab environment.

[root@tkoslis01 ~]# dfm options list | grep -i ldap

ldapBaseDN                            ou=System,ou=Accounts,dc=tkocs,dc=prv

ldapBindDN                            cn=svcDFM,ou=System,ou=Accounts,dc=tkocs,dc=prv

ldapBindPass                          ********

ldapEnabled                           Yes

ldapGID                               memberOf

ldapMember                            member

ldapUGID                              CN

ldapUID                               sAMAccountName

ldapVersion                           3

[root@tkoslis01 ~]# dfm ldap list

Address                                    Port   Last Use                   Last Failure             

------------------------------------------ ------ -------------------------- --------------------------

tkosmdc01.tkocs.prv                        389    2012-08-17 19:10:23.000000                          

tkosmdc02.tkocs.prv                        389    2012-08-17 19:18:41.000000                          

tkosmdc03.tkocs.prv                        389    2012-08-17 19:25:00.000000

And this is the error that I get:

[root@tkoslis01 ~]# dfm ldap test svcDFM <password>

Warning: Failed to bind to ldap server 'tkosmdc01.tkocs.prv' as administrator 'cn=svcDFM,ou=System,ou=Accounts,dc=tkocs,dc=prv': Invalid credentials

Warning: ldapBindDN ('cn=svcDFM,ou=System,ou=Accounts,dc=tkocs,dc=prv') and/or ldapBindPass setting may be wrong.

Error: Failed to authenticate svcDFM.

I know the username and password are correct.  I've tried this with a Linux system configured with Winbind authentication working and without.  Not sure what I need to do and have been checking posts to see where I'm going wrong.

Re: QUESTION - Authenticating OnCMD with W2K8 AD on a RHEL box...

Hi,

After looking at the ldap settings I can guess that you are using an Active Directory LDAP server. You are getting this error because the option values for the fields below are not set correctly.

ldapBindDN                            cn=svcDFM,ou=System,ou=Accounts,dc=tkocs,dc=prv

ldapBindPass                          ********

Normally, in an AD server we create a user under the "Users" directory, so in your case the "ldapBindDN" field's value should be "cn=svcDFM,cn=Users,ou=System,ou=Accounts,dc=tkocs,dc=prv".

So, the option values below should be

ldapBindDN                            cn=svcDFM,cn=Users,ou=System,ou=Accounts,dc=tkocs,dc=prv

ldapBindPass                          password of "svcDFM"

Also, you can bind the LDAP server with a different domain user, the user that is created when you build the AD setup.

Example: I have an Administrator user in the BARD_QA domain, so my LDAP setting is

[root@shoemake-rhel ~]# dfm option list | grep -i ldap

ldapBaseDN                            dc=bard,dc=netapp,dc=com

ldapBindDN                            BARD_QA\Administrator

ldapBindPass                          ********

ldapEnabled                           Yes

ldapGID                               memberOf

ldapMember                            member

ldapUGID                              CN

ldapUID                               sAMAccountName

ldapVersion                           3

[root@shoemake-rhel ~]# dfm ldap test ldap_user ******

Authentication succeeded.

Username: CN=ldap_user,CN=Users,DC=bard,DC=netapp,DC=com

Name:     CN=ldap_user,CN=Users,DC=bard,DC=netapp,DC=com

Name:     memberOf=CN=hamlet_group,CN=Users,DC=bard,DC=netapp,DC=com

Name:     CN=hamlet_group,CN=Users,DC=bard,DC=netapp,DC=com

[root@shoemake-rhel ~]# dfm ldap find ldap_user

Username     Full Name

------------ ----------------------------------------------------------------

ldap_user    CN=ldap_user,CN=Users,DC=bard,DC=netapp,DC=com

[root@shoemake-rhel ~]#

Please first search the user with the "dfm ldap find <user_name>" command; if this succeeds then you can use the "dfm ldap test" command.

Please let me know for any further assignment

Regards,

Gireesh

Re: QUESTION - Authenticating OnCMD with W2K8 AD on a RHEL box...

Gireesh,

My CN is correct as that account is in the System OU, which is in the Accounts OU in my tkocs.prv domain.  The CN=Users is the default area for user accounts if you are not maintaining an OU structure that is different from the default.  In either case, I've tried it with an account in CN=Users and got the same error.
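The exchange above turns on the shape of the bind DN and on whether the users DFM will look up actually sit under ldapBaseDN. The script below is an added example, not NetApp code and not something from this thread: it parses the text that `dfm options list | grep -i ldap` prints (the sample is copied from the post above), splits the DNs into RDNs and reports the structural problems that typically surface as "Invalid credentials" or an empty `dfm ldap find`. The rules it applies (cn=Users is a domain-root container, bind DN and base DN must share domain components, a user must sit under the search base) are this script's own assumptions about a default Active Directory layout; DFM itself enforces none of them. One caveat the listing also makes visible: every server is on port 389 with a simple bind, so the svcDFM password crosses the wire in clear each time DFM binds, which is worth raising with whoever owns the directory.

```python
"""Sanity-check DFM LDAP settings before running `dfm ldap test`.

Added example (not NetApp's or the thread's own code). The sample
option listing is copied from the thread; the warning rules are this
script's assumptions about a default Active Directory layout.
"""
import re

# Copied from the thread's `dfm options list | grep -i ldap` output.
SAMPLE_OPTIONS = """\
ldapBaseDN                            ou=System,ou=Accounts,dc=tkocs,dc=prv
ldapBindDN                            cn=svcDFM,ou=System,ou=Accounts,dc=tkocs,dc=prv
ldapBindPass                          ********
ldapEnabled                           Yes
ldapGID                               memberOf
ldapMember                            member
ldapUGID                              CN
ldapUID                               sAMAccountName
ldapVersion                           3
"""


def parse_dfm_options(text):
    """Turn 'name   value' lines into a dict; values may contain spaces."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0]] = parts[1].strip()
    return opts


def parse_dn(dn):
    """Split a DN into [(attr, value), ...] with lower-cased attributes.

    Only backslash-escaped commas (e.g. 'cn=Doe\\, John') are handled;
    that is the one escape that matters for a structural check."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def bind_form(bind):
    """AD simple bind accepts a DN, DOMAIN\\user (NetBIOS) or user@domain (UPN)."""
    if '=' in bind:
        return 'dn'
    if '\\' in bind:
        return 'netbios'
    if '@' in bind:
        return 'upn'
    return 'unknown'


def is_under(dn, base):
    """True if `dn` lies in the subtree rooted at `base` (case-insensitive)."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def check_ldap_options(opts):
    """Return a list of warnings about ldapBindDN / ldapBaseDN."""
    warnings = []
    bind = opts.get('ldapBindDN', '')
    base = opts.get('ldapBaseDN', '')
    form = bind_form(bind)
    if form == 'unknown':
        return ['ldapBindDN is neither a DN, DOMAIN\\user nor user@domain']
    if form != 'dn':
        return warnings  # NetBIOS and UPN forms carry no tree structure to check
    rdns = parse_dn(bind)
    if any(a == '' or v == '' for a, v in rdns):
        warnings.append('ldapBindDN contains a malformed RDN')
    # Assumption: cn=Users is AD's default container at the domain root.
    # Placed under an OU it normally does not exist, so the bind fails.
    for i, (attr, value) in enumerate(rdns):
        if attr == 'cn' and value.lower() == 'users' \
                and i + 1 < len(rdns) and rdns[i + 1][0] == 'ou':
            warnings.append('cn=Users placed under an OU; the Users container '
                            'lives at the domain root')
    # The bind account and the search base should be in the same domain.
    dc_of = lambda r: [v.lower() for a, v in r if a == 'dc']
    if base and dc_of(rdns) != dc_of(parse_dn(base)):
        warnings.append('ldapBindDN domain components differ from ldapBaseDN')
    return warnings


if __name__ == '__main__':
    opts = parse_dfm_options(SAMPLE_OPTIONS)
    for w in check_ldap_options(opts) or ['no structural problems found']:
        print(w)
    # Constructed admin DN: a user outside ou=System would not be found.
    print(is_under('cn=pete,cn=Users,dc=tkocs,dc=prv', opts['ldapBaseDN']))
```

Run it against the pasted listing and it reports no structural problem, which is consistent with the poster's own finding that the DN is right; feeding it the `cn=svcDFM,cn=Users,ou=System,...` variant flags the misplaced Users container. The `is_under` check is the one to run on the admins you expect `dfm ldap find` to return: with ldapBaseDN set to ou=System,ou=Accounts, an account in the default Users container is outside the search base and will never be found, whatever the bind DN.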

Re: QUESTION - Authenticating OnCMD with W2K8 AD on a RHEL box...

Do I need to have Winbind authentication enabled on this Linux system?

Re: QUESTION - Authenticating OnCMD with W2K8 AD on a RHEL box...

Hi,

You have three LDAP servers; the "dfm ldap find/test" commands first try to search the user in the first LDAP server.

So, do you have the ldap user "svcDFM" in the "tkosmdc01.tkocs.prv" server?

Regards,

Gireesh