AD Authentication broken on new install

Post by Fred Kroeger »

I've just spun up a new NagiosXI VM (was 5.4.0 - but since upgraded to 5.4.1).
I can't get AD authentication working. User gets an "Invalid username or password" when they use their AD Credentials.
Configuration is OK according to the Site Admin - BaseDN & Account suffix. (I've done it a few times now at other sites).
I've done a dsquery for my user account and the BaseDN matches.
The following message appears in /var/log/secure about every 30secs:

Code:

Feb  1 02:11:28 nagios001 sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Feb  1 02:11:28 nagios001 sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so

This file doesn't exist on this server, but it doesn't exist either on any of the other sites that do work.

The Nagios Audit Log doesn't provide much more info:

Code:

2017-02-01 18:41:27	711	Nagios XI	SECURITY		10.152.20.11	Log in Failure - Username: fred : Invalid username or password.

Any ideas on troubleshooting steps to get it working?
Regards ... Fred

Re: AD Authentication broken on new install

Post by dwhitfield »

I don't have pam_fprintd.so in that dir either...or anywhere else on my 5.4.1 CentOS 6 install.

What OS/version are you using? Which of the AD components are you using? I can try to match things up as closely as possible to see if I can replicate the issue.

Re: AD Authentication broken on new install

Post by Fred Kroeger »

This is the standard Nagios VM that I downloaded. So it's CentOS 6.8

With regard to the missing pam_fprintd problem - looks like an OS bug. They have enabled the fingerprint reader module.
Solution is to remove it or yum install the module.
I chose to remove it, which stopped the messages in the log file.

Code:

authconfig --disablefingerprint --update

What info do you need on AD components?

Re: AD Authentication broken on new install

Post by ssax »

Run this command:

Code:

sed -i 's/\/\/ Otherwise check authentication/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php

Then run this tail command, try to import/login again, and then send me the entire output from the tail command:

Code:

tail -f /var/log/httpd/*error_log

When you are done, revert the change with this command:

Code:

sed -i 's/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/\/\/ Otherwise check authentication/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php
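
Added example, not part of ssax's post and not Nagios code: a wrapper around the two sed commands above that keeps a backup, edits only when the marker comment occurs exactly once, and confirms that the revert restored the file byte for byte. The function names and the `.ldapdebug.bak` / `.ldapdebug.tmp` suffixes are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not Nagios code). The two strings the post's sed commands swap:
MARKER='// Otherwise check authentication'
DEBUG_LINE='ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);'

# count_fixed FILE STRING: print how many lines contain STRING literally.
count_fixed() {
    grep -cF -- "$2" "$1" || true
}

# ldap_debug_on FILE: replace the comment with the debug call, keeping a backup.
ldap_debug_on() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if [ "$(count_fixed "$file" "$DEBUG_LINE")" -gt 0 ]; then
        echo "debug already enabled in $file" >&2
        return 0
    fi
    # Edit only if the marker occurs exactly once, so the revert is exact.
    if [ "$(count_fixed "$file" "$MARKER")" -ne 1 ]; then
        echo "marker not found exactly once in $file; not editing" >&2
        return 1
    fi
    cp -p "$file" "$file.ldapdebug.bak" || return 1
    # Write through the existing file so its owner and mode are unchanged.
    sed "s|$MARKER|$DEBUG_LINE|" "$file.ldapdebug.bak" > "$file"
}

# ldap_debug_off FILE: put the comment back and compare against the backup.
ldap_debug_off() {
    file=$1
    bak="$file.ldapdebug.bak"
    [ -f "$bak" ] || { echo "no backup found for $file" >&2; return 1; }
    sed "s|$DEBUG_LINE|$MARKER|" "$file" > "$file.ldapdebug.tmp" || return 1
    cat "$file.ldapdebug.tmp" > "$file" && rm -f "$file.ldapdebug.tmp"
    if cmp -s "$file" "$bak"; then
        rm -f "$bak"
        return 0
    fi
    echo "reverted file differs from $bak; inspect before deleting it" >&2
    return 1
}

# Usage: script on|off [FILE]; FILE defaults to the path given in the post.
XI_FILE=/usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php
case "${1:-}" in
    on)  ldap_debug_on  "${2:-$XI_FILE}" ;;
    off) ldap_debug_off "${2:-$XI_FILE}" ;;
esac
```

Run `on`, reproduce the failed login while tailing the httpd error_log as described above, then run `off` straight away so the debug call does not stay in the component file.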

Re: AD Authentication broken on new install

Post by SteveBeauchemin »

Does the image have the Active Directory Integration component installed by default?
XI 5.7.3 / Core 4.4.6 / NagVis 1.9.8 / LiveStatus 1.5.0p11 / RRDCached 1.7.0 / Redis 3.2.8 /
SNMPTT / Gearman 0.33-7 / Mod_Gearman 3.0.7 / NLS 2.0.8 / NNA 2.3.1 /
NSClient 0.5.0 / NRPE Solaris 3.2.1 Linux 3.2.1 HPUX 3.2.1

Re: AD Authentication broken on new install

Post by ssax »

Yes, it does, you can go to Admin > Manage Components and then search for LDAP / Active Directory Integration (it's down under the bottom Core Components section).

Re: AD Authentication broken on new install

Post by Fred Kroeger »

Got your test OK and ran it. Waiting for the Wintel Administrator to explain the failure messages before I post it back here.

thanks... Fred

Re: AD Authentication broken on new install

Post by rkennedy »

Sounds good - we'll watch for your response.
Former Nagios Employee

Re: AD Authentication broken on new install

Post by ssax »

Sounds good, we'll keep an eye out.

Re: AD Authentication broken on new install

Post by Fred Kroeger »

Just a follow-up to close this ticket. Problem ended up being that the site was using two suffixes and instead of using the same format login name for both suffixes, they used a different standard (for some of the users) for the suffix they wanted me to use. sigh......
Anyway once they gave the right login name to use with that suffix, then the AD authentication started working - Amazing!
Sorry to waste your time - but the worthwhile part of this exercise was to see how to increase the DEBUG_LEVEL to get some more informative info in the error_log file

Thanks.... Fred