LinuxQuestions.org


slinx 11-29-2010 09:21 AM

Cannot login to Active Directory account on Fedora 14 desktop
 
Hello, I had my laptop set up to allow logging in with an AD account using winbind and samba. I had cached password login working too. After I upgraded from 13 to 14, now I cannot login to the gdm (xfce) using my AD account, but I CAN login using it on a text console, OR I can login with a local account and su to the AD account. The only error I'm getting at login is
Code:

Erroneous conversation (5)

What the heck does that even mean?

kbp 11-30-2010 06:58 PM

Anything in any of the logs, /var/log/messages for example, or /var/log/secure?

slinx 11-30-2010 11:31 PM

This is all I get from /var/log/secure:

Code:

Nov 30 08:27:46 my-laptop pam: gdm-password[2181]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Nov 30 08:27:46 my-laptop pam: gdm-password[2181]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Nov 30 17:06:09 my-laptop pam: gdm-password[5106]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Nov 30 17:06:09 my-laptop pam: gdm-password[5106]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Nov 30 19:10:18 my-laptop pam: gdm-password[2057]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Nov 30 19:10:18 my-laptop pam: gdm-password[2057]: pam_winbind(gdm-password:auth): user 'myusername' granted access

When I login, it appears to give me success (the pam_unix failure is due to it being an Active Directory account authenticated through winbind), but it just takes me right back to the gdm login screen.
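
The reading of /var/log/secure described above can be automated. This added example (not part of the original thread) groups PAM lines per login attempt by PID and separates "authentication failed" from "authenticated, but no session opened", which is the symptom reported here. The sample lines are constructed, and the script assumes that session lines are logged under the same PID as the auth lines.

```python
import re

# Constructed sample lines, in the format of the /var/log/secure excerpts in this thread.
SAMPLE = """\
Nov 30 08:27:46 my-laptop pam: gdm-password[2181]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Nov 30 08:27:46 my-laptop pam: gdm-password[2181]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Nov 30 08:31:02 my-laptop pam: gdm-password[2240]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=otheruser
Nov 30 08:40:13 my-laptop pam: gdm-password[2251]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=seconduser
Nov 30 08:40:13 my-laptop pam: gdm-password[2251]: pam_winbind(gdm-password:auth): user 'seconduser' granted access
Nov 30 08:40:14 my-laptop pam: gdm-password[2251]: pam_unix(gdm-password:session): session opened for user seconduser by (uid=0)
"""

EVENT = re.compile(r"(?P<svc>[\w-]+)\[(?P<pid>\d+)\]: "
                   r"(?P<mod>pam_\w+)\([\w-]+:(?P<phase>\w+)\): (?P<msg>.*)")
USER = re.compile(r"\buser[= ]'?([^\s']+)")

def triage(text):
    """Group PAM lines by (service, pid) and classify each login attempt."""
    attempts = {}
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        a = attempts.setdefault((m["svc"], int(m["pid"])), {
            "user": None, "failed": [], "granted": [], "session": False})
        u = USER.search(m["msg"])
        if u:
            a["user"] = u.group(1)
        if m["phase"] == "auth" and "authentication failure" in m["msg"]:
            a["failed"].append(m["mod"])
        elif m["phase"] == "auth" and "granted access" in m["msg"]:
            a["granted"].append(m["mod"])
        elif m["phase"] == "session" and "session opened" in m["msg"]:
            a["session"] = True
    for a in attempts.values():
        # Assumption: the session line is logged under the same PID as the auth lines.
        if a["session"]:
            a["verdict"] = "session opened"
        elif a["granted"]:
            a["verdict"] = "authenticated, no session"
        elif a["failed"]:
            a["verdict"] = "authentication failed"
        else:
            a["verdict"] = "no decision logged"
    return attempts

if __name__ == "__main__":
    for (svc, pid), a in triage(SAMPLE).items():
        print(f"{svc}[{pid}] user={a['user']}: {a['verdict']} "
              f"(failed={a['failed']}, granted={a['granted']})")
```

An attempt reported as "authenticated, no session" points away from the auth stack and toward the account, password or session phases, or the greeter itself.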

kbp 12-01-2010 03:33 AM

If you take a look at /etc/pam.d/gdm-password you should be able to add 'debug' at the end of the pam_unix and pam_winbind lines in the auth section. My version of /etc/pam.d/gdm-password doesn't contain these directly but includes /etc/pam.d/password-auth so you may need to find the correct file.

slinx 12-01-2010 03:43 PM

Thanks for the reply. Here is the result of adding the debug statement to password-auth and attempting to log in with my AD account:

Code:

Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): [pamh: 0x8b527f0] ENTER: pam_sm_authenticate (flags: 0x0000)
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): getting password (0x00000211)
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): Verify user 'myusername'
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): enabling cached login flag
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): request wbcLogonUser succeeded
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): user 'myusername' granted access

Oh, I'm not using selinux and have it disabled, if that has anything to do with anything.

kbp 12-01-2010 05:51 PM

The auth seems to be successful. Is the winbind module listed under any other sections, like 'session'?

slinx 12-02-2010 08:21 AM

Here's what I get with additional debug information:

Code:

Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] ENTER: pam_sm_authenticate (flags: 0x0000)
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_SERVICE) = "gdm-password" (0x8a1b998)
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_USER) = "myusername" (0x8a1b978)
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_TTY) = ":0" (0x8a22ed0)
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_AUTHTOK) = 0x8a265a8
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_CONV) = 0x8a1b988
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): getting password (0x00001211)
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): Verify user 'myusername'
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): enabling cached login flag
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): request wbcLogonUser succeeded
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] ENTER: pam_sm_authenticate (flags: 0x0000)
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_SERVICE) = "gdm-password" (0x9177998)
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_USER) = "myusername" (0x9177978)
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_TTY) = ":0" (0x917eed0)
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_AUTHTOK) = 0x91825a8
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_CONV) = 0x9177988
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): getting password (0x00001211)
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): Verify user 'myusername'
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): enabling cached login flag
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): request wbcLogonUser succeeded
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): user 'myusername' granted access

Here's all the references to winbind in /etc/pam.d:
Code:

/etc/pam.d/fingerprint-auth:account    [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/fingerprint-auth-ac:account    [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/password-auth:auth        sufficient    pam_winbind.so cached_login use_first_pass debug
/etc/pam.d/password-auth:account    [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/password-auth:password    sufficient    pam_winbind.so cached_login use_authtok
/etc/pam.d/password-auth-ac:auth        sufficient    pam_winbind.so cached_login use_first_pass debug
/etc/pam.d/password-auth-ac:account    [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/password-auth-ac:password    sufficient    pam_winbind.so cached_login use_authtok
/etc/pam.d/smartcard-auth:account    [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/smartcard-auth-ac:account    [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/system-auth:auth        sufficient    pam_winbind.so cached_login use_first_pass
/etc/pam.d/system-auth:account    [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/system-auth:password    sufficient    pam_winbind.so cached_login use_authtok
/etc/pam.d/system-auth~:auth        sufficient    pam_winbind.so cached_login use_first_pass
/etc/pam.d/system-auth~:account    [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/system-auth~:password    sufficient    pam_winbind.so cached_login use_authtok
/etc/pam.d/system-auth-ac:auth        sufficient    pam_winbind.so cached_login use_first_pass
/etc/pam.d/system-auth-ac:account    [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/system-auth-ac:password    sufficient    pam_winbind.so cached_login use_authtok


kbp 12-02-2010 04:36 PM

It's the pam_unix module that's failing, not winbind. Could you please post the content of the gdm-password file, or the relevant file if it's an include?

slinx 12-02-2010 10:55 PM

Here it is:

Code:

# cat gdm-password
auth    [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
auth        required      pam_succeed_if.so user != root quiet
auth        optional      pam_gnome_keyring.so

account    required      pam_nologin.so
account    include      password-auth

password    include      password-auth

session    required      pam_selinux.so close
session    required      pam_loginuid.so
session    optional      pam_console.so
session    required      pam_selinux.so open
session    optional      pam_keyinit.so force revoke
session    required      pam_namespace.so
session    optional      pam_gnome_keyring.so auto_start
session    include      password-auth



But it's an Active Directory account, so pam_unix is supposed to fail, and pass authentication to pam_winbind.

slinx 12-03-2010 10:10 AM

I have no idea what happened, but I changed "sufficient" to "requisite" to "sufficient" for pam_winbind.so in system-auth, and now it is working.

birger 01-19-2012 05:02 AM

one possible fix
 
I had this exact same problem, and in my case the 'culprit' was Active Directory trying to warn me that the password was about to expire. This warning message was presented to me in the login box and the login failed. I will report it as a gdm bug.

For 2 different users I first confirmed both had the problem, then I changed one password from a Windows client and the other by logging in to a console window on the Linux client and using 'passwd'. Both users immediately started working in gdm again.


All times are GMT -5.