LinuxQuestions.org
Old 11-29-2010, 09:21 AM   #1
slinx
Member
 
Registered: Apr 2008
Location: Cleveland, Ohio
Distribution: SuSE, CentOS, Fedora, Ubuntu
Posts: 106

Rep: Reputation: 23
Cannot login to Active Directory account on Fedora 14 desktop


Hello, I had my laptop set up to allow logging in with an AD account using winbind and samba. I had cached password login working too. After I upgraded from 13 to 14, now I cannot log in to the gdm (xfce) using my AD account, but I CAN log in using it on a text console, OR I can log in with a local account and su to the AD account. The only error I'm getting at login is
Code:
Erroneous conversation (5)
What the heck does that even mean?
 
Old 11-30-2010, 06:58 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
Anything in any of the logs .. /var/log/messages for example ? .. or /var/log/secure ?
 
Old 11-30-2010, 11:31 PM   #3
slinx
Member
 
Registered: Apr 2008
Location: Cleveland, Ohio
Distribution: SuSE, CentOS, Fedora, Ubuntu
Posts: 106

Original Poster
Rep: Reputation: 23
This is all I get from /var/log/secure:

Code:
Nov 30 08:27:46 my-laptop pam: gdm-password[2181]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Nov 30 08:27:46 my-laptop pam: gdm-password[2181]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Nov 30 17:06:09 my-laptop pam: gdm-password[5106]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Nov 30 17:06:09 my-laptop pam: gdm-password[5106]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Nov 30 19:10:18 my-laptop pam: gdm-password[2057]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Nov 30 19:10:18 my-laptop pam: gdm-password[2057]: pam_winbind(gdm-password:auth): user 'myusername' granted access
When I log in, it appears to give me success (the pam_unix failure is due to it being an Active Directory account authenticated through winbind), but it just takes me right back to the gdm login screen.
 
Old 12-01-2010, 03:33 AM   #5
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
If you take a look at /etc/pam.d/gdm-password you should be able to add 'debug' at the end of the pam_unix and pam_winbind lines in the auth section. My version of /etc/pam.d/gdm-password doesn't contain these directly but includes /etc/pam.d/password-auth so you may need to find the correct file.
 
Old 12-01-2010, 03:43 PM   #6
slinx
Member
 
Registered: Apr 2008
Location: Cleveland, Ohio
Distribution: SuSE, CentOS, Fedora, Ubuntu
Posts: 106

Original Poster
Rep: Reputation: 23
Thanks for the reply. Here is the result of adding the debug statement to password-auth and attempting to log in with my AD account:

Code:
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): [pamh: 0x8b527f0] ENTER: pam_sm_authenticate (flags: 0x0000)
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): getting password (0x00000211)
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): Verify user 'myusername'
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): enabling cached login flag
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): request wbcLogonUser succeeded
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Oh, I'm not using selinux and have it disabled, if that has anything to do with anything.

Last edited by slinx; 12-01-2010 at 03:46 PM.
 
Old 12-01-2010, 05:51 PM   #7
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
The auth seems to be successful. Is the winbind module listed under any other sections like 'session'?
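A way to check that reading of /var/log/secure mechanically, as an added example that is not part of the original posts: it groups PAM lines by service and PID and reports whether any module granted access in the auth phase. The sample lines are constructed in the format posted above; `summarize` and the verdict labels are names chosen for this example.

```python
import re

# Constructed sample in the /var/log/secure format posted in this thread.
SAMPLE = """\
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): request wbcLogonUser succeeded
Dec  1 16:35:59 my-laptop pam: gdm-password[14983]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Dec  1 16:40:02 my-laptop pam: gdm-password[15001]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=otheruser
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ pam: (?P<svc>[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?P<mod>pam_\w+)\((?P=svc):(?P<phase>\w+)\): (?P<msg>.*)$"
)

def summarize(text):
    """Group PAM lines by (service, pid) and classify each login attempt."""
    attempts = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a PAM module line in the expected format
        a = attempts.setdefault((m["svc"], int(m["pid"])),
                                {"phases": set(), "failed": [], "granted": []})
        a["phases"].add(m["phase"])
        if "authentication failure" in m["msg"]:
            a["failed"].append(m["mod"])
        elif "granted access" in m["msg"]:
            a["granted"].append(m["mod"])
    report = {}
    for key, a in attempts.items():
        if a["granted"]:
            # One module accepted the credentials: a login that still bounces
            # back to the greeter is failing after the auth phase.
            verdict = "auth-ok"
        elif a["failed"]:
            verdict = "auth-failed"
        else:
            verdict = "unknown"
        report[key] = (verdict, a["failed"], a["granted"], sorted(a["phases"]))
    return report

if __name__ == "__main__":
    for (svc, pid), r in summarize(SAMPLE).items():
        print(svc, pid, *r)
```

An "auth-ok" attempt whose only logged phase is `auth` points the search at the account and session stacks, or at the greeter's handling of the PAM conversation.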
 
Old 12-02-2010, 08:21 AM   #8
slinx
Member
 
Registered: Apr 2008
Location: Cleveland, Ohio
Distribution: SuSE, CentOS, Fedora, Ubuntu
Posts: 106

Original Poster
Rep: Reputation: 23
Here's what I get with additional debug information:

Code:
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] ENTER: pam_sm_authenticate (flags: 0x0000)
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_SERVICE) = "gdm-password" (0x8a1b998)
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_USER) = "myusername" (0x8a1b978)
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_TTY) = ":0" (0x8a22ed0)
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_AUTHTOK) = 0x8a265a8
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): [pamh: 0x8a1b7f0] STATE: ITEM(PAM_CONV) = 0x8a1b988
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): getting password (0x00001211)
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): Verify user 'myusername'
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): enabling cached login flag
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): request wbcLogonUser succeeded
Dec  2 09:13:56 my-laptop pam: gdm-password[2201]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myusername
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] ENTER: pam_sm_authenticate (flags: 0x0000)
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_SERVICE) = "gdm-password" (0x9177998)
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_USER) = "myusername" (0x9177978)
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_TTY) = ":0" (0x917eed0)
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_AUTHTOK) = 0x91825a8
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): [pamh: 0x91777f0] STATE: ITEM(PAM_CONV) = 0x9177988
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): getting password (0x00001211)
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): Verify user 'myusername'
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): enabling cached login flag
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): request wbcLogonUser succeeded
Dec  2 09:14:07 my-laptop pam: gdm-password[2211]: pam_winbind(gdm-password:auth): user 'myusername' granted access
Here's all the references to winbind in /etc/pam.d:
Code:
/etc/pam.d/fingerprint-auth:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/fingerprint-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/password-auth:auth        sufficient    pam_winbind.so cached_login use_first_pass debug
/etc/pam.d/password-auth:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/password-auth:password    sufficient    pam_winbind.so cached_login use_authtok
/etc/pam.d/password-auth-ac:auth        sufficient    pam_winbind.so cached_login use_first_pass debug
/etc/pam.d/password-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/password-auth-ac:password    sufficient    pam_winbind.so cached_login use_authtok
/etc/pam.d/smartcard-auth:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/smartcard-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/system-auth:auth        sufficient    pam_winbind.so cached_login use_first_pass
/etc/pam.d/system-auth:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/system-auth:password    sufficient    pam_winbind.so cached_login use_authtok
/etc/pam.d/system-auth~:auth        sufficient    pam_winbind.so cached_login use_first_pass
/etc/pam.d/system-auth~:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/system-auth~:password    sufficient    pam_winbind.so cached_login use_authtok
/etc/pam.d/system-auth-ac:auth        sufficient    pam_winbind.so cached_login use_first_pass
/etc/pam.d/system-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
/etc/pam.d/system-auth-ac:password    sufficient    pam_winbind.so cached_login use_authtok
 
Old 12-02-2010, 04:36 PM   #9
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
It's the pam_unix module that's failing, not winbind. Could you please post the content of the gdm-password file, or the relevant file if it's an include?
 
Old 12-02-2010, 10:55 PM   #11
slinx
Member
 
Registered: Apr 2008
Location: Cleveland, Ohio
Distribution: SuSE, CentOS, Fedora, Ubuntu
Posts: 106

Original Poster
Rep: Reputation: 23
Here it is:

Code:
# cat gdm-password 
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
auth        required      pam_succeed_if.so user != root quiet
auth        optional      pam_gnome_keyring.so

account     required      pam_nologin.so
account     include       password-auth

password    include       password-auth

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     optional      pam_gnome_keyring.so auto_start
session     include       password-auth


But it's an Active Directory account, so pam_unix is supposed to fail, and pass authentication to pam_winbind.
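How the `sufficient` control flag lets a pam_unix failure fall through to pam_winbind, as an added example that is not part of the original posts. It is a simplified model of Linux-PAM's evaluation of one flat stack; the pam_unix and pam_deny lines in `AUTH_STACK` are assumed, since the thread only shows the pam_winbind lines of password-auth.

```python
# Simplified model of how Linux-PAM evaluates one flat stack. It ignores
# include/substack nesting and the [value=action] bracket syntax.
ACTIONS = {  # flag: (action when the module succeeds, action when it fails)
    "required":   ("ok", "bad"),
    "requisite":  ("ok", "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok", "ignore"),
}

# Assumed auth stack: only the pam_winbind line appears in the thread;
# the pam_unix and pam_deny lines are constructed for illustration.
AUTH_STACK = [
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_winbind.so"),
    ("required", "pam_deny.so"),
]

def evaluate(stack, outcomes):
    """Return (result, trace); outcomes maps module name -> True (success)."""
    failed = False     # a required module has already failed
    positive = False   # at least one module result counted as success
    trace = []
    for flag, module in stack:
        ok = outcomes[module]
        action = ACTIONS[flag][0 if ok else 1]
        trace.append((module, "success" if ok else "failure", action))
        if action == "die":
            return "PAM_AUTH_ERR", trace      # requisite: stop immediately
        if action == "bad":
            failed = True                     # required: fail, keep going
        elif action in ("ok", "done") and not failed:
            positive = True
            if action == "done":
                return "PAM_SUCCESS", trace   # sufficient: stop, accept
    return ("PAM_SUCCESS" if positive and not failed else "PAM_AUTH_ERR"), trace

if __name__ == "__main__":
    # AD account: no local password entry, so pam_unix fails, winbind succeeds.
    ad_login = {"pam_unix.so": False, "pam_winbind.so": True, "pam_deny.so": False}
    print(evaluate(AUTH_STACK, ad_login))
```

The trace for the AD login shows pam_unix's failure recorded and ignored before pam_winbind ends the stack, the same order as the two log lines per attempt in /var/log/secure.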
 
Old 12-03-2010, 10:10 AM   #12
slinx
Member
 
Registered: Apr 2008
Location: Cleveland, Ohio
Distribution: SuSE, CentOS, Fedora, Ubuntu
Posts: 106

Original Poster
Rep: Reputation: 23
I have no idea what happened, but I changed "sufficient" to "requisite" to "sufficient" for pam_winbind.so in system-auth, and now it is working.
 
Old 01-19-2012, 05:02 AM   #13
birger
LQ Newbie
 
Registered: May 2004
Location: Norway
Distribution: Fedora/RedHat
Posts: 4

Rep: Reputation: 0
one possible fix

I had this exact same problem, and in my case the 'culprit' was Active Directory trying to warn me that the password was about to expire. This warning message was presented to me in the login box and the login failed. I will report it as a gdm bug.

For 2 different users I first confirmed both had the problem, then I changed one password from a Windows client and the other by logging in to a console window on the Linux client and using 'passwd'. Both users immediately started working in gdm again.
 
  



Tags
fedora 14, gdm, samba, winbind, xfce

