LinuxQuestions.org
Old 11-20-2014, 05:15 PM   #1
amanita
Local user login doesn't work after setting Winbind authentication with AD


Hi All,

I found myself in a disturbing situation: after setting up my RHEL6 for Winbind authentication with AD, I can't log in with root or any other local users anymore.

I tried to search here and everywhere; it seems like it is related to PAM settings? I'm not sure...

This is what I configured for Winbind authentication:
1. authconfig --update --kickstart --enablewinbind --smbsecurity=ads --smbworkgroup=domain --smbrealm=domain.com --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablelocauthorize --enablekrb5 --krb5realm=domain.com --enablekrb5kdcdns --enablekrb5realmdns --enablepamaccess

2. net ads join -U Administrator

3. service winbind restart

4. authconfig --enablemkhomedir --update

5. in /etc/security/access.conf added the following lines to the end of the file

+ : ADGroupadmin : ALL

+ : ADGroupusers : ALL

- : ALL EXCEPT LOCAL: ALL

6. in visudo added the following line at the end of the file

% ADGroupadmin ALL=(ALL) ALL
=====================================================
My system-auth-ac file doesn't mention winbind at all, so I'm not sure if it's related, but anyway here is the file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
================================================
/etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: nisplus

automount: files
aliases: files nisplus
===================================================

Not sure what I can do at this stage. I tried to roll back and disable winbind with "authconfig --update --disablewinbind"

But then I wasn't able to log in to the machine at all; luckily I took a snapshot and reverted it back...

Any help will be appreciated.

Thanks!
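
Added example, not part of the original post: a simplified Python model of how pam_access evaluates the access.conf lines from step 5, where the first matching rule decides and LOCAL is a keyword only in the origins field. The function names, the VARIANT rule set and the sample logins are constructed for illustration; netgroups and host or network matching are not modelled.

```python
# Simplified model of pam_access evaluation: first matching rule decides.
# Only ALL, EXCEPT, user/group names and the LOCAL origin keyword are modelled.

POSTED = """\
+ : ADGroupadmin : ALL
+ : ADGroupusers : ALL
- : ALL EXCEPT LOCAL: ALL
"""

# Constructed for contrast only: LOCAL placed in the origins field.
VARIANT = """\
+ : ADGroupadmin : ALL
+ : ADGroupusers : ALL
- : ALL : ALL EXCEPT LOCAL
"""

def list_match(tokens, matches):
    """True if a token matches and nothing after EXCEPT matches."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_match(tokens[:i], matches) and not list_match(tokens[i + 1:], matches)
    return any(matches(tok) for tok in tokens)

def user_token(user, groups):
    # Users field: ALL, a user name or a group name. LOCAL is just a name here.
    return lambda tok: tok == "ALL" or tok == user or tok in groups

def origin_token(origin):
    # Origins field: LOCAL means a non-network login (no dot, e.g. "tty1").
    return lambda tok: (tok == "ALL" or tok == origin
                        or (tok == "LOCAL" and "." not in origin))

def allowed(rules, user, groups, origin):
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        if (list_match(users.split(), user_token(user, groups))
                and list_match(origins.split(), origin_token(origin))):
            return perm == "+"
    return True  # no rule matched: pam_access grants access

if __name__ == "__main__":
    # Constructed sample logins: (user, groups, origin)
    for who in [("root", {"root"}, "tty1"), ("jdoe", {"ADGroupusers"}, "10.0.0.5")]:
        print(who[0], who[2], "posted:", allowed(POSTED, *who),
              "variant:", allowed(VARIANT, *who))
```

In this model the posted third rule matches every account that is not a user or group literally named LOCAL, whatever the origin, and because `account required pam_access.so` is the first account line in the posted system-auth-ac, that result applies to root and other local accounts as well.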
 
  

