AD Authentication broken on new install

Posted: Wed Feb 01, 2017 2:42 am
by Fred Kroeger
I've just spun up a new NagiosXI VM (was 5.4.0 - but since upgraded to 5.4.1).
I can't get AD authentication working. User gets an "Invalid username or password" when they use their AD Credentials.
Configuration is OK according to the Site Admin - BaseDN & Account suffix. (I've done it a few times now at other sites).
I've done a dsquery for my user account and the BaseDN matches.
The following message appears in /var/log/secure about every 30secs:

Feb  1 02:11:28 nagios001 sudo: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Feb  1 02:11:28 nagios001 sudo: PAM adding faulty module: /lib64/security/pam_fprintd.so

This file doesn't exist on this server, but it doesn't exist either on any of the other sites that do work.

The Nagios Audit Log doesn't provide much more info:

2017-02-01 18:41:27	711	Nagios XI	SECURITY		10.152.20.11	Log in Failure - Username: fred : Invalid username or password.

Any ideas on troubleshooting steps to do to get it working?
Regards ... Fred
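
The audit-log entry above is the only trace Nagios XI keeps of each failed login, so it is worth watching as a detection source. As an added example (not from the original thread or from Nagios), here is a small Python parser for that tab-separated line format that flags any source IP with repeated failures inside a short window; the column layout is assumed from the single line Fred posted, and the sample lines are constructed.

```python
"""Parse Nagios XI audit-log lines in the format shown in the thread and
flag source IPs with repeated login failures. Added example; the column
layout (timestamp, id, source, category, blank, IP, message) is assumed."""
from datetime import datetime, timedelta
import re

# Constructed sample: the line Fred posted plus variations that exercise
# the detection logic (a suffix-style username, a success, a second IP).
SAMPLE_LOG = """\
2017-02-01 18:41:27\t711\tNagios XI\tSECURITY\t\t10.152.20.11\tLog in Failure - Username: fred : Invalid username or password.
2017-02-01 18:41:40\t712\tNagios XI\tSECURITY\t\t10.152.20.11\tLog in Failure - Username: fred : Invalid username or password.
2017-02-01 18:42:05\t713\tNagios XI\tSECURITY\t\t10.152.20.11\tLog in Failure - Username: fred@corp.example : Invalid username or password.
2017-02-01 18:50:00\t714\tNagios XI\tSECURITY\t\t10.152.20.11\tLog in Success - Username: fred
2017-02-01 19:30:00\t715\tNagios XI\tSECURITY\t\t10.152.20.12\tLog in Failure - Username: bob : Invalid username or password.
"""

FAIL_RE = re.compile(r"Log in Failure - Username: (?P<user>\S+)")

def parse_line(line):
    """Return (timestamp, ip, failed-username-or-None), or None if malformed."""
    cols = line.rstrip("\n").split("\t")
    if len(cols) < 7:
        return None
    ts = datetime.strptime(cols[0], "%Y-%m-%d %H:%M:%S")
    m = FAIL_RE.search(cols[6])
    return ts, cols[5], (m.group("user") if m else None)

def flag_repeated_failures(log_text, window=timedelta(minutes=10), threshold=3):
    """Return {ip: sorted usernames tried} for each source IP that produced
    at least `threshold` failures within any span of length `window`."""
    events = {}  # ip -> list of (timestamp, username) failures
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] is None:
            continue  # malformed line or not a failure
        ts, ip, user = parsed
        events.setdefault(ip, []).append((ts, user))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (ts, _) in enumerate(evs):
            # failures from this IP in the window ending at this event
            recent = [u for t, u in evs[:i + 1] if ts - t <= window]
            if len(recent) >= threshold:
                flagged[ip] = sorted({u for _, u in evs})
                break
    return flagged

if __name__ == "__main__":
    print(flag_repeated_failures(SAMPLE_LOG))
```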

Re: AD Authentication broken on new install

Posted: Wed Feb 01, 2017 1:39 pm
by dwhitfield
I don't have pam_fprintd.so in that dir either...or anywhere else on my 5.4.1 CentOS 6 install.

What OS/version are you using? Which of the AD components are you using? I can try to match things up as closely as possible to see if I can replicate the issue.

Re: AD Authentication broken on new install

Posted: Wed Feb 01, 2017 5:20 pm
by Fred Kroeger
This is the standard Nagios VM that I downloaded. So it's CentOS 6.8

With regards to the pam_fprintd missing problem - looks like an OS bug. They have enabled the fingerprint reader module.
Solution is to remove it or yum install the module.
I chose to remove it, which stopped the messages in the log file.

authconfig --disablefingerprint --update

What info do you need on AD components?

Re: AD Authentication broken on new install

Posted: Wed Feb 01, 2017 5:27 pm
by ssax
Run this command:

sed -i 's/\/\/ Otherwise check authentication/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php

Then run this tail command, try to import/login again, and then send me the entire output from the tail command:

tail -f /var/log/httpd/*error_log

When you are done, revert the change with this command:

sed -i 's/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/\/\/ Otherwise check authentication/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php

Re: AD Authentication broken on new install

Posted: Thu Feb 02, 2017 12:15 pm
by SteveBeauchemin
Does the image have the Active Directory Integration component installed by default?

Re: AD Authentication broken on new install

Posted: Thu Feb 02, 2017 2:41 pm
by ssax
Yes, it does, you can go to Admin > Manage Components and then search for LDAP / Active Directory Integration (it's down under the bottom Core Components section).
[image: LDAP_AD_Integration_Component.png]

Re: AD Authentication broken on new install

Posted: Fri Feb 03, 2017 2:05 am
by Fred Kroeger
Got your test OK and ran it. Waiting for the Wintel Administrator to explain the failure messages before I post it back here.

thanks... Fred

Re: AD Authentication broken on new install

Posted: Fri Feb 03, 2017 10:06 am
by rkennedy
Sounds good - we'll watch for your response.

Re: AD Authentication broken on new install

Posted: Fri Feb 03, 2017 10:08 am
by ssax
Sounds good, we'll keep an eye out.

Re: AD Authentication broken on new install

Posted: Sun Feb 19, 2017 7:52 pm
by Fred Kroeger
Just a follow-up to close this ticket. Problem ended up being that the site was using two suffixes and instead of using the same format login name for both suffixes, they used a different standard (for some of the users) for the suffix they wanted me to use. sigh......
Anyway once they gave the right login name to use with that suffix, then the AD authentication started working - Amazing!
Sorry to waste your time - but the worthwhile part of this exercise was to see how to increase the DEBUG_LEVEL to get some more informative info in the error_log file.

Thanks.... Fred