LdapErr: DSID-0C0903AA, data 52e: authenticating against AD '08 with pam_ldap

I have full admin access to the AD '08 server I'm trying to authenticate towards.

The error code means invalid credentials, but I wish this was as simple as me typing in the wrong password.

First of all, I have a working Apache mod_ldap configuration against the same domain.

AuthType basic
AuthName "MYDOMAIN"
AuthBasicProvider ldap
AuthLDAPUrl "ldap://10.220.100.10/OU=Companies,MYCOMPANY,DC=southit,DC=inet?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN svc_webaccess_auth
AuthLDAPBindPassword mySvcWebAccessPassword
Require ldap-group CN=Service_WebAccess,OU=Groups,OU=MYCOMPANY,DC=southit,DC=inet

I'm showing this because it works without the use of any Kerberos, as so many other guides out there recommend for system authentication to AD.

Now I want to translate this into pam_ldap.conf for use with OpenSSH.

The /etc/pam.d/common-auth part is simple.

auth sufficient pam_ldap.so debug

This line is processed before any other.

I believe the real issue is configuring pam_ldap.conf.

host 10.220.100.10
base OU=Companies,MYCOMPANY,DC=southit,DC=inet
ldap_version 3
binddn svc_webaccess_auth
bindpw mySvcWebAccessPassword

scope sub
timelimit 30

pam_filter objectclass=User

nss_map_attribute uid sAMAccountName
pam_login_attribute sAMAccountName
pam_password ad

Now I've been monitoring ldap traffic on the AD host using wireshark. I've captured a successful session from Apache's mod_ldap and compared it to a failed session from pam_ldap.

The first bindrequest is a success using the svc_webaccess_auth account, the searchrequest is a success and returns a result of 1. The last bindrequest using my user is a failure and returns the above error code.

Everything looks identical except for this one line in the filter for the searchrequest, here showing mod_ldap.

Filter: (&(objectClass=user)(sAMAccountName=ivasta))

The second one is pam_ldap.

Filter: (&(&(objectclass=User)(objectclass=User))(sAMAccountName=ivasta))

My user is named ivasta. However, the searchrequest does not return failure, it does return 1 result. I've also tried this with ldapsearch on the cli.

It's the bindrequest that follows the searchrequest that fails with the above error code 52e.

Here is the failure message of the final bindrequest.

resultcode: invalidcredentials (49)
80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772

This should mean invalid password but I've tried with other users and with very simple passwords.

Does anyone recognize this from their own struggles with pam_ldap and AD?

Edit: Worth noting is that I've also tried pam_password crypt, and pam_filter sAMAccountName=User because this worked when using ldapsearch.

ldapsearch -LLL -h 10.220.100.10 -x -b "ou=Users,ou=mycompany,dc=southit,dc=inet" -v -s sub -D svc_webaccess_auth -W '(sAMAccountName=ivasta)'

This works using the svc_webaccess_auth account password. This account has scan access to that OU for use with apache's mod_ldap.

Edit2: This is all I get in the AD '08 logs when I fail to login.

An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       WIN-DC02$
    Account Domain:     SOUTHIT
    Logon ID:       0x3e7

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       ivasta
    Account Domain:     SOUTHIT

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc000006a

Process Information:
    Caller Process ID:  0x264
    Caller Process Name:    C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name:   WIN-DC02
    Source Network Address: 10.220.100.105
    Source Port:        44565

Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested

Tail between my legs I'll have to answer this one because I have the embarrassing inside information.

I did not realize that you had to create a regular Unix user on the system to be able to login. As soon as I created a user matching ivasta I was able to login with that users AD password.

Only thing I can't do is change the password, even with pam_password ad but that doesn't matter because this is only for username logging purposes.