
Troubleshooting authentication issues

Hands-On Lab



Michael Christian

Course Development Director in Content

Length

02:00:00

Difficulty

Advanced

In this exercise, you will need to troubleshoot and resolve authentication issues with LDAP, Kerberos, and PAM.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.


Environment

Server1: 10.0.1.10

Server2: 10.0.1.11

auth.example.com: 10.0.1.5


LDAP

LDAP host: 10.0.1.5

LDAP Base: dc=example,dc=com


Kerberos

Kerberos KDC: 10.0.1.5

Kerberos Admin: 10.0.1.5

Realm: example.com


Objectives

Username testuser01

Password welcome1

Server1

  • testuser01 must be able to log into Server1 using Kerberos
  • testuser01 must be able to obtain a Kerberos ticket
  • Server1 should not permit LDAP authentication
  • cloud_user should be able to list the available Samba shares on the localhost

Server2

  • testuser01 must be able to log into Server2 using LDAP
  • testuser01 must be able to obtain a Kerberos ticket

Solution

Start by logging in to the lab servers using the credentials provided on the hands-on lab page:

ssh cloud_user@PUBLIC_IP_ADDRESS

Become the root user:

sudo su -

Be sure to log in to both Server1 and Server2 in separate tabs or windows.

Troubleshoot and resolve Server1

On Server1 (10.0.1.10)

Resolve login issues for testuser01

  1. Try to log in as testuser01:

    ssh testuser01@localhost
  2. View /var/log/secure:

    tail /var/log/secure
  3. Attempt to pull the LDAP user information for testuser01:

    getent passwd testuser01
  4. Perform an LDAP search:

    ldapsearch -x '(objectClass=*)'
  5. View and modify /etc/openldap/ldap.conf:

    vim /etc/openldap/ldap.conf

    Change:

    URI ldap://ldap.example.com/

    To:

    URI ldap://auth.example.com/

    Save and close the file:

    :wq
  6. Perform an LDAP search:

    ldapsearch -x '(objectClass=*)'
  7. Restart the LDAP naming services daemon:

    systemctl restart nslcd
  8. Attempt to pull the LDAP user information for testuser01:

    getent passwd testuser01
  9. View /etc/sysconfig/authconfig:

    cat /etc/sysconfig/authconfig
  10. Modify authconfig using the TUI interface:

    authconfig-tui

    Within authconfig-tui:

    • Verify Use LDAP is checked under User Information
    • Check Use Kerberos under Authentication
    • Modify the LDAP server to use auth.example.com
    • Use auth.example.com for the KDC and Admin Server for Kerberos
  11. Restart the LDAP naming services daemon:

    systemctl restart nslcd
  12. Pull the LDAP user information for testuser01:

    getent passwd testuser01
  13. Log in to the localhost as testuser01:

    ssh testuser01@localhost
  14. Obtain a Kerberos ticket:

    kinit
  15. List cached Kerberos tickets and logout:

    klist && exit
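Both Server1 fixes above are configuration-file edits: the LDAP client URI in /etc/openldap/ldap.conf (step 5) and the flags authconfig-tui writes to /etc/sysconfig/authconfig (step 10). The shell script below is an added example, not part of the lab, that checks both files offline against the Server1 objectives: LDAP for user lookups, Kerberos for authentication, and no LDAP authentication. The sample files it writes are constructed to mirror the broken starting state; the key names USELDAP, USELDAPAUTH and USEKERBEROS are the ones authconfig writes on RHEL/CentOS 7, and the expected host auth.example.com comes from the lab's environment table.

```shell
#!/bin/sh
# Added example (not from the lab): offline checks for the Server1 LDAP URI and
# authconfig flags. Works on copies of the files, so it can run anywhere.

# Print the host part of the first URI line in an ldap.conf-style file.
# Handles ldap:// and ldaps://, an optional port, and a trailing slash.
# (Bracketed IPv6 literals are not handled.)
ldap_uri_host() {
    awk '/^[[:space:]]*URI[[:space:]]/ {
            sub(/^[[:space:]]*URI[[:space:]]+/, "")
            sub(/^ldaps?:\/\//, "")
            sub(/\/.*$/, "")
            sub(/:.*$/, "")
            print; exit
        }' "$1"
}

# Read one KEY=value flag from an authconfig-style file.
# The last occurrence wins, as it would if the file were sourced by a shell.
authconfig_flag() {
    awk -F= -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# $1 = ldap.conf path, $2 = expected host. Returns 0 on match, 1 otherwise.
check_ldap_uri() {
    host=$(ldap_uri_host "$1")
    if [ "$host" = "$2" ]; then
        return 0
    fi
    echo "URI points at '${host:-<none>}', expected '$2'"
    return 1
}

# Server1 policy from the lab objectives: LDAP lookups on, Kerberos on,
# LDAP authentication off. Prints each violation; returns 1 if any.
check_server1_authconfig() {
    rc=0
    [ "$(authconfig_flag "$1" USELDAP)" = yes ] \
        || { echo "USELDAP is not yes: LDAP user lookups are disabled"; rc=1; }
    [ "$(authconfig_flag "$1" USEKERBEROS)" = yes ] \
        || { echo "USEKERBEROS is not yes: Kerberos authentication is disabled"; rc=1; }
    [ "$(authconfig_flag "$1" USELDAPAUTH)" != yes ] \
        || { echo "USELDAPAUTH is yes: Server1 must not authenticate against LDAP"; rc=1; }
    return $rc
}

# Constructed sample files mirroring the broken starting state on Server1.
tmp=$(mktemp -d)
cat > "$tmp/ldap.conf" <<'EOF'
# OpenLDAP client configuration (constructed sample)
BASE dc=example,dc=com
URI ldap://ldap.example.com/
EOF
cat > "$tmp/authconfig" <<'EOF'
USELDAP=yes
USELDAPAUTH=yes
USEKERBEROS=no
EOF
check_ldap_uri "$tmp/ldap.conf" auth.example.com \
    || echo "-> fix URI in /etc/openldap/ldap.conf"
check_server1_authconfig "$tmp/authconfig" \
    || echo "-> fix the flags with authconfig-tui, then: systemctl restart nslcd"
rm -rf "$tmp"
```

Run it against copies of the real files (for example `check_ldap_uri /etc/openldap/ldap.conf auth.example.com`) before restarting nslcd; a non-zero exit with the printed reason tells you which of the two edits is still missing.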

Resolve Samba issues for cloud_user

  1. Make sure Samba is started and enabled:

    systemctl start smb && systemctl enable smb
  2. Attempt to list the shares using cloud_user:

    smbclient -U cloud_user -L localhost
  3. View the Samba log:

    tail /var/log/samba/log.smbd
  4. View the Samba PAM config:

    cat /etc/pam.d/samba
  5. Verify the Samba package:

    rpm -V samba
  6. Move the modified file to /root/samba.pam.old:

    mv /etc/pam.d/samba /root/samba.pam.old
  7. Reinstall Samba:

    yum reinstall -y samba
  8. List the shares using cloud_user:

    smbclient -U cloud_user -L localhost
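rpm -V (step 5) reports that /etc/pam.d/samba differs from the packaged copy, but not how, and it only covers files the package owns. The shell script below is an added example, not from the lab, that normalises a PAM service file, diffs it against the stack it is expected to carry, and flags auth lines that short-circuit the stack in either direction (pam_permit.so lets everyone in, pam_deny.so locks everyone out). The expected three-line stack is an assumption modelled on the stock samba-common file on RHEL/CentOS 7, and the tampered sample file is constructed for the demonstration; it is not the lab's actual modification.

```shell
#!/bin/sh
# Added example (not from the lab): detect drift and short-circuits in a PAM
# service file. The baseline below is an ASSUMPTION (stock RHEL/CentOS 7
# samba-common); replace it with whatever your package ships.
PAM_SAMBA_EXPECTED='#%PAM-1.0
auth       include      password-auth
account    include      password-auth
session    include      password-auth'

# Normalise a PAM file from stdin: drop comments and blank lines and squeeze
# whitespace, so cosmetic edits are not reported as drift.
pam_normalize() {
    sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' \
        | sed '/^$/d'
}

# $1 = PAM file under test. Prints the differing lines (< expected, > actual);
# returns 0 when the file matches the baseline, 1 on drift.
pam_drift() {
    tmp_e=$(mktemp); tmp_a=$(mktemp)
    printf '%s\n' "$PAM_SAMBA_EXPECTED" | pam_normalize > "$tmp_e"
    pam_normalize < "$1" > "$tmp_a"
    if diff "$tmp_e" "$tmp_a" > /dev/null; then
        rm -f "$tmp_e" "$tmp_a"
        return 0
    fi
    echo "drift in $1 (< expected, > actual):"
    diff "$tmp_e" "$tmp_a" | grep '^[<>]'
    rm -f "$tmp_e" "$tmp_a"
    return 1
}

# Flag auth lines whose module ends the decision early: pam_permit.so passes
# every password, pam_deny.so rejects every login, and a module named by an
# absolute path is loaded from outside the default module directory.
# Control fields written in [brackets] with spaces are not parsed here.
# Returns 1 if anything was flagged.
pam_red_flags() {
    pam_normalize < "$1" | awk '
        $1 == "auth" && ($3 ~ /pam_(permit|deny)\.so$/ || $3 ~ /^\//) {
            print "suspicious auth line: " $0; found = 1
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample: an auth stack that rejects every login.
tmp=$(mktemp -d)
cat > "$tmp/samba" <<'EOF'
#%PAM-1.0
auth       required     pam_deny.so
account    include      password-auth
session    include      password-auth
EOF
pam_drift "$tmp/samba" \
    || echo "-> move the file aside and restore it: yum reinstall -y samba"
pam_red_flags "$tmp/samba" \
    || echo "-> at least one auth line short-circuits the stack"
rm -rf "$tmp"
```

Point `pam_drift` and `pam_red_flags` at /etc/pam.d/samba before and after the reinstall; the reinstalled file should match the baseline and raise no flags. The same pair of checks applies to any service file under /etc/pam.d once you set the expected stack for it.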

Troubleshoot and resolve Server2

On Server2 (10.0.1.11)

  1. Use authconfig-tui to verify and modify LDAP/Kerberos authentication:

    authconfig-tui
    • Verify Use LDAP is checked for both User Information and Authentication
    • Verify Use Kerberos is checked for Authentication
    • LDAP server should be auth.example.com
    • Kerberos KDC and Admin should be auth.example.com
  2. Perform an LDAP search:

    ldapsearch -x '(objectClass=*)'
  3. Ping the LDAP server:

    ping auth.example.com
  4. Note the IP address that was pinged, then view the contents of /etc/hosts:

    cat /etc/hosts
  5. Modify /etc/hosts so that auth.example.com points to 10.0.1.5:

    vim /etc/hosts

    Save and close the file:

    :wq
  6. Perform an LDAP search:

    ldapsearch -x '(objectClass=*)'
  7. Restart the LDAP naming services daemon:

    systemctl restart nslcd
  8. Pull the LDAP user information for testuser01:

    getent passwd testuser01
  9. Log in as testuser01:

    ssh testuser01@localhost
  10. Obtain a Kerberos ticket:

    kinit
  11. List Kerberos ticket cache:

    klist
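Step 5 on Server2 comes down to which address /etc/hosts hands nslcd and the Kerberos client for auth.example.com. The shell script below is an added example, not part of the lab, that reads a hosts-format file the way glibc's files backend does (first matching line wins, aliases and comments honoured, names compared case-insensitively) and checks the name against the expected 10.0.1.5 from the environment table. The sample hosts file is constructed, including the stale 10.0.1.99 entry; the script also reports duplicate entries, since a stale line above the correct one still wins.

```shell
#!/bin/sh
# Added example (not from the lab): resolve a name via a hosts-format file and
# check it against the expected address, reporting shadowed duplicates.

# Print every address mapped to name $2 in file $1, in file order.
hosts_addrs() {
    awk -v want="$2" '
        { sub(/#.*$/, "") }            # strip comments (fields are re-split)
        NF < 2 { next }                # need an address and at least one name
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(want)) { print $1; break }
        }' "$1"
}

# Effective answer: the first match only, which is what gethostbyname() returns
# from the files backend.
hosts_lookup() {
    hosts_addrs "$1" "$2" | head -n 1
}

# $1 = hosts file, $2 = name, $3 = expected address.
# Returns 0 when the first match is $3, 1 otherwise, and explains why.
check_hosts_pin() {
    addrs=$(hosts_addrs "$1" "$2")
    n=$(printf '%s\n' "$addrs" | awk 'NF { c++ } END { print c + 0 }')
    first=$(printf '%s\n' "$addrs" | head -n 1)
    if [ "$n" -eq 0 ]; then
        echo "$2 has no entry in $1; lookups fall through to DNS"
        return 1
    fi
    if [ "$first" != "$3" ]; then
        echo "$2 resolves to $first via $1, expected $3"
        [ "$n" -gt 1 ] && echo "note: $n entries for $2 in $1; the first one wins"
        return 1
    fi
    [ "$n" -gt 1 ] && echo "warning: $n entries for $2 in $1; the first ($first) is right, the rest are shadowed"
    return 0
}

# Constructed /etc/hosts mirroring the Server2 starting state.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
127.0.0.1   localhost localhost.localdomain
10.0.1.11   server2 server2.example.com
10.0.1.99   auth.example.com      # stale: the LDAP server and KDC live at 10.0.1.5
EOF
check_hosts_pin "$tmp" auth.example.com 10.0.1.5 \
    || echo "-> edit /etc/hosts, then: systemctl restart nslcd"
rm -f "$tmp"
```

After editing /etc/hosts, `check_hosts_pin /etc/hosts auth.example.com 10.0.1.5` should return 0 with no warning; if it still warns about a second entry, the correct line is shadowed by an earlier one and the edit is incomplete.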

Conclusion

Congratulations, you've completed this hands-on lab!