LinuxQuestions.org
Old 07-17-2003, 02:26 PM   #1
acb67
Winbind, Samba, NT


I am trying to get authentication against AD using Winbind and Samba 3. We use Kerberos 5 as well. I know that winbind is running properly because when I run wbinfo -a, I get success messages. The problem seems to be when I try to play with the pam modules. For kicks, here is the pam module for sshd:

#%PAM-1.0
auth sufficient pam_winbind.so debug
auth sufficient pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account sufficient pam_winbind.so debug
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none # trace or debug
session required pam_limits.so

The frustrating thing is that nothing shows up in the logs. Since the auth is set to sufficient above, I can still use the service using my local credentials. This shows up in the logfiles...it shows the pam_winbind failing while the pam_unix2 succeeding. But when I try to use the service with DOMAIN+username, nothing shows up in the logs. All I get is a permission denied when I try to use the service.

I don't know if this problem could be related to the fact that we are using Krb and the PDC might not be configured for that???? I am not familiar with the specifics of everything yet. Any ideas?? Any help is much appreciated.

Thanks in advance,
Aaron
 
Old 07-18-2003, 04:29 PM   #2
acb67
Ok, I'm going a different route now. I've decided to play with the login pam module and I've made a little progress. The problem is now, though, when someone tries to log in, the screen just resets itself. Nothing happens. Prompts for username and password and then it blinks back to the beginning. I looked in the logs and this is what I got:
________________________________
Jul 18 16:16:55 pam_winbind[20821]: Verify user `xxxx+xxxx'
Jul 18 16:16:55 pam_winbind[20821]: user 'xxxx+xxxx' granted acces
Jul 18 16:16:55 pam_winbind[20821]: user `xxxx+xxxx' not found
Jul 18 16:16:55 login[20821]: pam_unix2: pam_sm_acct_mgmt() called
Jul 18 16:16:58 login[20821]: pam_unix2: pam_ldap returned 10
Jul 18 16:16:58 login[20821]: User not known to the underlying authentication module
_________________________________

It is obviously authenticating, but then it dies and says user not found. Here is my login pam:
____________________________________
auth required pam_securetty.so debug
auth sufficient pam_winbind.so debug
auth requisite pam_unix2.so debug,nullok set_secrpc
auth required pam_nologin.so debug
auth required pam_homecheck.so debug
auth required pam_env.so debug
auth required pam_mail.so debug
account sufficient pam_winbind.so debug
account required pam_unix2.so debug
password required pam_pwcheck.so debug,nullok
password required pam_unix2.so debug,nullok use_first_pass use_authtok
session required pam_unix2.so debug,none # debug or trace
session required pam_limits.so debug
_____________________________________

NOTE: I think that the account module here is failing for pam_winbind...if I comment out the account pam_unix2 above, the entries in the log for pam_unix2 disappear. So for some reason winbind is failing here, but I don't know why. Is login tied to something else that I need to change?

Thanks.
 
Old 07-22-2003, 04:45 PM   #3
acb67
I think I've gotten a step closer. The entry in pam 'account sufficient pam_winbind.so' performs a getpwnam() on the username. For some reason it doesn't seem to be going out to the PDC to check the username. Does anyone know how I could change this?
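
The lookup described in the last post, as an added example that is not part of the original thread: getpwnam() resolves users through the sources listed for passwd in /etc/nsswitch.conf, so this sketch checks whether winbind is among them and then repeats the lookup with getent. The function names, the sample file and the user EXAMPLE+alice are constructed, and a missing winbind entry as the cause is an assumption the thread does not confirm.

```sh
#!/bin/sh
# Added diagnostic sketch; function names and sample data are constructed.

# Print the sources listed for one NSS database in an nsswitch.conf-format
# file, skipping comments and [STATUS=action] items.
nss_sources() {   # usage: nss_sources DB [FILE]
    awk -v db="$1:" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # strip comments, allow "db:src"
        $1 == db {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) inact = 1
                if (!inact) printf "%s ", $i
                if ($i ~ /\]$/) inact = 0
            }
            print ""; exit
        }' "${2:-/etc/nsswitch.conf}"
}

# Succeed if SOURCE is listed for DB.
nss_has_source() {   # usage: nss_has_source DB SOURCE [FILE]
    for s in $(nss_sources "$1" "$3"); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# Check the lookup the account step depends on.
# Returns 0 = user resolves, 1 = winbind listed but no entry, 2 = not listed.
check_account_lookup() {   # usage: check_account_lookup USER [FILE]
    if ! nss_has_source passwd winbind "$2"; then
        echo "passwd: winbind not listed, so getpwnam() never asks winbindd"
        return 2
    fi
    if getent passwd "$1" >/dev/null 2>&1; then
        echo "$1 resolves through NSS"
        return 0
    fi
    echo "winbind is listed but $1 does not resolve; check winbindd and libnss_winbind"
    return 1
}

# Constructed sample: a passwd line without winbind.
sample=$(mktemp)
printf 'passwd: files   # constructed\ngroup: files winbind\n' > "$sample"
check_account_lookup 'EXAMPLE+alice' "$sample" || true
rm -f "$sample"
```

On the affected host, call check_account_lookup without a FILE argument so the live /etc/nsswitch.conf is read; getent always consults the live configuration.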
 
  

