11-29-2010, 09:21 AM
#1
Member
Registered: Apr 2008
Location: Cleveland, Ohio
Distribution: Fedora, Ubuntu
Posts: 100
Cannot login to Active Directory account on Fedora 14 desktop
Hello, I had my laptop set up to allow logging in with an AD account using winbind and samba. I had cached password login working too. After I upgraded from 13 to 14, now I cannot log in to the gdm (xfce) using my AD account, but I CAN log in using it on a text console, OR I can log in with a local account and su to the AD account. The only error I'm getting at login is:
Code:
Erroneous conversation (5)
What the heck does that even mean?
11-30-2010, 06:58 PM
#2
Senior Member
Registered: Aug 2009
Posts: 3,048
Anything in any of the logs, /var/log/messages for example, or /var/log/secure?
11-30-2010, 11:31 PM
#3
Member
Registered: Apr 2008
Location: Cleveland, Ohio
Distribution: Fedora, Ubuntu
Posts: 100
Original Poster
This is all I get from /var/log/secure:
Code:
Nov 30 08:27:46 my-laptop pam: gdm-password[2181]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=myusername
Nov 30 08:27:46 my-laptop pam: gdm-password[2181]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Nov 30 17:06:09 my-laptop pam: gdm-password[5106]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=myusername
Nov 30 17:06:09 my-laptop pam: gdm-password[5106]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Nov 30 19:10:18 my-laptop pam: gdm-password[2057]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=myusername
Nov 30 19:10:18 my-laptop pam: gdm-password[2057]: pam_winbind(gdm-password:auth): user 'myusername' granted access
When I log in, it appears to give me success (the pam_unix failure is due to it being an Active Directory account authenticated through winbind), but it just takes me right back to the gdm login screen.
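The pattern described in post #3 (one module fails, another grants access, and the user still lands back at the greeter) can be picked out of /var/log/secure by grouping lines per PID. This is an added example, not part of any post in the thread; the function name `triage` and the log lines for PIDs 3000 and 3001 are constructed for contrast, and it assumes pam_unix is in the session stack so that a "session opened" line is logged on a completed login.

```python
import re
from collections import OrderedDict

# Matches PAM lines in the format quoted in this thread, e.g.
# "... gdm-password[2181]: pam_unix(gdm-password:auth): authentication failure; ..."
LINE = re.compile(
    r"(?P<svc>[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P=svc):(?P<phase>\w+)\): (?P<msg>.*)"
)

SAMPLE = [
    # PID 2181: the two lines from post #3.
    "Nov 30 08:27:46 my-laptop pam: gdm-password[2181]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=myusername",
    "Nov 30 08:27:46 my-laptop pam: gdm-password[2181]: pam_winbind(gdm-password:auth): user 'myusername' granted access",
    # PIDs 3000 and 3001: constructed lines, not from the thread.
    "Dec  1 10:00:00 my-laptop pam: gdm-password[3000]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=localuser",
    "Dec  1 10:05:00 my-laptop pam: gdm-password[3001]: pam_winbind(gdm-password:auth): user 'otheruser' granted access",
    "Dec  1 10:05:00 my-laptop pam: gdm-password[3001]: pam_unix(gdm-password:session): session opened for user otheruser by (uid=0)",
]

def triage(lines):
    """Group PAM log lines by PID and classify each login attempt."""
    attempts = OrderedDict()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        a = attempts.setdefault(m["pid"], {"granted": [], "session": False})
        if m["phase"] == "auth" and "granted access" in m["msg"]:
            a["granted"].append(m["module"])
        elif m["phase"] == "session" and m["msg"].startswith("session opened"):
            a["session"] = True
    verdicts = {}
    for pid, a in attempts.items():
        if a["granted"] and not a["session"]:
            # Authentication succeeded, so the failure lies after the auth phase.
            verdicts[pid] = "auth ok via %s, no session opened" % ",".join(a["granted"])
        elif a["granted"]:
            verdicts[pid] = "auth ok, session opened"
        else:
            verdicts[pid] = "auth failed"
    return verdicts

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE).items():
        print(pid, verdict)
```

An attempt flagged "no session opened" points at the account or session phase, or at the login program itself, rather than at the password check.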
12-01-2010, 03:33 AM
#5
Senior Member
Registered: Aug 2009
Posts: 3,048
If you take a look at /etc/pam.d/gdm-password you should be able to add 'debug' at the end of the pam_unix and pam_winbind lines in the auth section. My version of /etc/pam.d/gdm-password doesn't contain these directly but includes /etc/pam.d/password-auth so you may need to find the correct file.
12-01-2010, 03:43 PM
#6
Member
Registered: Apr 2008
Location: Cleveland, Ohio
Distribution: Fedora, Ubuntu
Posts: 100
Original Poster
Thanks for the reply. Here is the result of adding the debug statement to password-auth and attempting to log in with my AD account:
Code:
Dec 1 16:35:59 my-laptop pam: gdm-password[14983]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=myusername
Dec 1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): [pamh: 0x8b527f0] ENTER: pam_sm_authenticate (flags: 0x0000)
Dec 1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): getting password (0x00000211)
Dec 1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Dec 1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): Verify user 'myusername'
Dec 1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): enabling cached login flag
Dec 1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): request wbcLogonUser succeeded
Dec 1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Oh, I'm not using SELinux and have it disabled, if that has anything to do with anything.
Last edited by slinx; 12-01-2010 at 03:46 PM .
12-01-2010, 05:51 PM
#7
Senior Member
Registered: Aug 2009
Posts: 3,048
The auth seems to be successful. Is the winbind module listed under any other sections like 'session'?
12-02-2010, 08:21 AM
#8
Member
Registered: Apr 2008
Location: Cleveland, Ohio
Distribution: Fedora, Ubuntu
Posts: 100
Original Poster
Here's what I get with additional debug information:
Code:
Dec 2 09:13:56 my-laptop pam: gdm-password[2201]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=myusername
Dec 2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] ENTER: pam_sm_authenticate (flags: 0x0000)
Dec 2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_SERVICE) = "gdm-password" (0x8a1b998)
Dec 2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_USER) = "myusername" (0x8a1b978)
Dec 2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_TTY) = ":0" (0x8a22ed0)
Dec 2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_AUTHTOK) = 0x8a265a8
Dec 2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_CONV) = 0x8a1b988
Dec 2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): getting password (0x00001211)
Dec 2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Dec 2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): Verify user 'myusername'
Dec 2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): enabling cached login flag
Dec 2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): request wbcLogonUser succeeded
Dec 2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Dec 2 09:14:07 my-laptop pam: gdm-password[2211]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=myusername
Dec 2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] ENTER: pam_sm_authenticate (flags: 0x0000)
Dec 2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_SERVICE) = "gdm-password" (0x9177998)
Dec 2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_USER) = "myusername" (0x9177978)
Dec 2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_TTY) = ":0" (0x917eed0)
Dec 2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_AUTHTOK) = 0x91825a8
Dec 2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_CONV) = 0x9177988
Dec 2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): getting password (0x00001211)
Dec 2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Dec 2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): Verify user 'myusername'
Dec 2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): enabling cached login flag
Dec 2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): request wbcLogonUser succeeded
Dec 2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Here are all the references to winbind in /etc/pam.d:
Code:
/etc/pam.d/fingerprint-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/password-auth:auth sufficient pam_winbind.so cached_login use_first_pass debug
/etc/pam.d/password-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/password-auth:password sufficient pam_winbind.so cached_login use_authtok
/etc/pam.d/password-auth-ac:auth sufficient pam_winbind.so cached_login use_first_pass debug
/etc/pam.d/password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/password-auth-ac:password sufficient pam_winbind.so cached_login use_authtok
/etc/pam.d/smartcard-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/smartcard-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/system-auth:auth sufficient pam_winbind.so cached_login use_first_pass
/etc/pam.d/system-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/system-auth:password sufficient pam_winbind.so cached_login use_authtok
/etc/pam.d/system-auth~:auth sufficient pam_winbind.so cached_login use_first_pass
/etc/pam.d/system-auth~:account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/system-auth~:password sufficient pam_winbind.so cached_login use_authtok
/etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so cached_login use_first_pass
/etc/pam.d/system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/system-auth-ac:password sufficient pam_winbind.so cached_login use_authtok
12-02-2010, 04:36 PM
#9
Senior Member
Registered: Aug 2009
Posts: 3,048
It's the pam_unix module that's failing, not winbind. Could you please post the content of the gdm-password file, or the relevant file if it's an include?
12-02-2010, 10:55 PM
#11
Member
Registered: Apr 2008
Location: Cleveland, Ohio
Distribution: Fedora, Ubuntu
Posts: 100
Original Poster
Here it is:
Code:
# cat gdm-password
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth required pam_succeed_if.so user != root quiet
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include password-auth
But it's an Active Directory account, so pam_unix is supposed to fail and pass authentication to pam_winbind.
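The question from post #7 (is pam_winbind listed under other sections such as 'session'?) can be answered from the two listings already posted: the gdm-password file in post #11 and the grep output in post #8. This is an added example, not part of any post in the thread; the function name `winbind_coverage` is hypothetical, the gdm-password text is abridged, and only the password-auth and system-auth lines of the grep output are included.

```python
import re

# Abridged from post #11 (/etc/pam.d/gdm-password).
GDM_PASSWORD = """\
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth required pam_succeed_if.so user != root quiet
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_loginuid.so
session optional pam_gnome_keyring.so auto_start
session include password-auth
"""
# From the grep output in post #8 (password-auth and system-auth lines only).
GREP_WINBIND = """\
/etc/pam.d/password-auth:auth sufficient pam_winbind.so cached_login use_first_pass debug
/etc/pam.d/password-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/password-auth:password sufficient pam_winbind.so cached_login use_authtok
/etc/pam.d/system-auth:auth sufficient pam_winbind.so cached_login use_first_pass
/etc/pam.d/system-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/system-auth:password sufficient pam_winbind.so cached_login use_authtok
"""

# type, control (simple keyword or [bracketed] form), module or included file, arguments
ENTRY = re.compile(
    r"(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)")

def winbind_coverage(service_text, grep_text):
    """Per PAM type, map each file the service includes to its pam_winbind.so
    (control, args) entry, or None when the grep listing has no such line."""
    found = {}
    for line in grep_text.splitlines():
        path, _, rest = line.partition(":")
        m = ENTRY.match(rest)
        if m and m["module"] == "pam_winbind.so":
            found[(path.rsplit("/", 1)[-1], m["type"])] = (m["control"], m["args"].split())
    cov = {}
    for line in service_text.splitlines():
        m = ENTRY.match(line.strip())
        if m and m["control"] in ("include", "substack"):
            cov.setdefault(m["type"], {})[m["module"]] = found.get((m["module"], m["type"]))
    return cov

if __name__ == "__main__":
    for pam_type, files in winbind_coverage(GDM_PASSWORD, GREP_WINBIND).items():
        print(pam_type, files)
```

On these inputs, gdm-password delegates all four types to password-auth, where pam_winbind.so appears for auth, account and password but has no session line.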
12-03-2010, 10:10 AM
#12
Member
Registered: Apr 2008
Location: Cleveland, Ohio
Distribution: Fedora, Ubuntu
Posts: 100
Original Poster
I have no idea what happened, but I changed "sufficient" to "requisite" to "sufficient" for pam_winbind.so in system-auth, and now it is working.
01-19-2012, 05:02 AM
#13
LQ Newbie
Registered: May 2004
Location: Norway
Distribution: Fedora/RedHat
Posts: 3
one possible fix
I had this exact same problem, and in my case the 'culprit' was Active Directory trying to warn me that the password was about to expire. This warning message was presented to me in the login box and the login failed. I will report it as a gdm bug.
For 2 different users I first confirmed both had the problem, then I changed one password from a Windows client and the other by logging in to a console window on the Linux client and using 'passwd'. Both users immediately started working in gdm again.
All times are GMT -5.