Troubleshooting authentication issues

2 hours
  • 2 Learning Objectives

About this Hands-on Lab

In this exercise, you will need to troubleshoot and resolve authentication issues with LDAP, Kerberos, and PAM.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Troubleshoot and resolve Server1.

Resolve login issues for testuser01

Try to log in as testuser01:

ssh testuser01@localhost

View /var/log/secure:

tail /var/log/secure

Attempt to pull the LDAP user information for testuser01:

getent passwd testuser01

Perform an LDAP search:

ldapsearch -x '*'

View and modify /etc/openldap/ldap.conf:

vim /etc/openldap/ldap.conf

Change:

URI ldap://ldap.example.com/

To:

URI ldap://auth.example.com/

Perform an LDAP search:

ldapsearch -x '*'

Restart the LDAP naming services daemon:

systemctl restart nslcd

Attempt to pull the LDAP user information for testuser01:

getent passwd testuser01

View /etc/sysconfig/authconfig:

cat /etc/sysconfig/authconfig

Modify authconfig using the TUI interface:

authconfig-tui

Within authconfig-tui:

  • Verify Use LDAP is checked under User Information
  • Check Use Kerberos under Authentication
  • Modify the LDAP server to use auth.example.com
  • Use auth.example.com for the KDC and Admin Server for Kerberos

Restart the LDAP naming services daemon:

systemctl restart nslcd

Pull the LDAP user information for testuser01:

getent passwd testuser01

Log in to the localhost as testuser01:

ssh testuser01@localhost

Obtain a Kerberos ticket:

kinit

List cached Kerberos tickets and log out:

klist && exit

Resolve Samba issues for cloud_user

Verify Samba is started and enabled:

systemctl start smb && systemctl enable smb

Attempt to list the shares using cloud_user:

smbclient -U cloud_user -L localhost

View the Samba log:

tail /var/log/samba/log.smbd

View the Samba PAM config:

cat /etc/pam.d/samba

Verify the Samba package:

rpm -V samba

Move the modified file to /root/samba.pam.old:

mv /etc/pam.d/samba /root/samba.pam.old

Reinstall Samba:

yum reinstall -y samba

List the shares using cloud_user:

smbclient -U cloud_user -L localhost

Troubleshoot and resolve Server2.

Use authconfig-tui to verify and modify LDAP/Kerberos authentication:

authconfig-tui

Within authconfig-tui:

  • Verify Use LDAP is checked for both User Information and Authentication
  • Verify Use Kerberos is checked for Authentication
  • LDAP server should be auth.example.com
  • Kerberos KDC and Admin should be auth.example.com

Perform an LDAP search:

ldapsearch -x '*'

Ping the LDAP server:

ping auth.example.com

Note the IP, then view the contents of /etc/hosts:

cat /etc/hosts

Modify /etc/hosts so that auth.example.com points to 10.0.1.5:

vim /etc/hosts

Perform an LDAP search:

ldapsearch -x '*'

Restart the LDAP naming services daemon:

systemctl restart nslcd

Pull the LDAP user information for testuser01:

getent passwd testuser01

Log in as testuser01:

ssh testuser01@localhost

Obtain a Kerberos ticket:

kinit

List Kerberos ticket cache:

klist
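
The two client-side faults fixed above (the wrong URI host in /etc/openldap/ldap.conf on Server1 and the wrong /etc/hosts entry for auth.example.com on Server2) can be checked in one pass. The script below is an added example, not part of the original lab; the function names are hypothetical, the expected values come from the lab's Environment section, and the sample files and the address 10.0.1.50 are constructed.

```bash
# Expected values are taken from the lab's Environment section.
EXPECTED_HOST="auth.example.com"
EXPECTED_IP="10.0.1.5"

# Print the host part of every URI listed in an ldap.conf-style file.
ldap_uri_hosts() {
    awk 'toupper($1) == "URI" {
        for (i = 2; i <= NF; i++) {
            h = $i
            sub("^[a-z]+://", "", h)     # drop the scheme (ldap://, ldaps://)
            sub("[:/].*$", "", h)        # drop port and path
            print h
        }
    }' "$1"
}

# Print the first address a hosts-style file maps NAME to.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }               # ignore comments
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# Report each mismatch; return 0 only if both files match the lab values.
check_auth_config() {
    rc=0
    uri_hosts=$(ldap_uri_hosts "$1")
    [ -n "$uri_hosts" ] || { echo "ldap.conf: no URI line found"; rc=1; }
    for h in $uri_hosts; do
        [ "$h" = "$EXPECTED_HOST" ] || { echo "ldap.conf: URI host is $h, expected $EXPECTED_HOST"; rc=1; }
    done
    # A name missing from the hosts file is not an error: it falls through to DNS.
    ip=$(hosts_lookup "$2" "$EXPECTED_HOST")
    if [ -n "$ip" ] && [ "$ip" != "$EXPECTED_IP" ]; then
        echo "hosts: $EXPECTED_HOST maps to $ip, expected $EXPECTED_IP"; rc=1
    fi
    return "$rc"
}

# Constructed samples of the two faults; 10.0.1.50 is an invented wrong address.
demo() {
    d=$(mktemp -d)
    printf 'BASE dc=example,dc=com\nURI ldap://ldap.example.com/\n' > "$d/ldap.conf"
    printf '127.0.0.1 localhost\n10.0.1.50 auth.example.com # stale\n' > "$d/hosts"
    check_auth_config "$d/ldap.conf" "$d/hosts"; demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}
demo || true
```

On a lab server, run check_auth_config /etc/openldap/ldap.conf /etc/hosts before restarting nslcd; a clean result means a remaining failure lies in the authconfig settings rather than in name resolution.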

Additional Resources

Environment

Server1: 10.0.1.10

Server2: 10.0.1.11

auth.example.com: 10.0.1.5


LDAP

LDAP host: 10.0.1.5

LDAP Base: dc=example,dc=com


Kerberos

Kerberos KDC: 10.0.1.5

Kerberos Admin: 10.0.1.5

Realm: example.com


Objectives

Username testuser01

Password welcome1

Server1

  • testuser01 must be able to log into Server1 using Kerberos
  • testuser01 must be able to obtain a Kerberos ticket
  • Server1 should not permit LDAP authentication
  • cloud_user should be able to list the available Samba shares on the localhost

Server2

  • testuser01 must be able to log into Server1 using LDAP
  • testuser01 must be able to obtain a Kerberos ticket

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
