Old 06-28-2012, 04:17 AM   #1
Nitroglycerine
Registered: Jun 2012
Distribution: Ubuntu
Question Ubuntu/AD/KRB5/LDAP/NIS able to use domain user login with putty, unable in gui login


I am administering several Ubuntu servers (virtual VMware ESX servers) in a corporate domain with a Windows active domain and a SUN 8 NIS server. The NIS server is necessary since the active domain doesn't provide UNIX connectivity (it is possible, but the AD provider doesn't want to offer it despite numerous requests).

Usernames are either 8 or 9 characters long. The 8-character accounts (old accounts) look like abc12345; the new 9-character accounts look like 123456789, numeric characters only. The NIS translates the username to a user ID, which is linked to the active directory account, which verifies the user account / password combination. This way users only have to remember one username / password combo. The NIS is very old, I am well aware of that; however, the person administering it doesn't want to change it, and he has quite a lot of seniority in the organisation. The NIS limits user accounts to 8 characters, therefore it translates the new user accounts to 5-character user IDs.

On the Ubuntu servers we use krb5 to connect to the active directory, and ypbind to talk to the NIS. The whole setup functions OK with the relatively old Ubuntu 8.04 servers; however, I can't seem to get it to work with the newly created Ubuntu 12.04 servers. I am able to log in with a local user account both with putty and the graphical console (GDM in this case; behaviour is similar with KDM and LightDM), and I can execute sudo commands with the local accounts. However, if I use a domain account (like abc12345 or 123456789) I am still able to log in with putty, but it denies the login in the graphical console (authentication failure) and denies the entered password when calling sudo in putty. Both the domain account and the local account are in the sudoers file.
Each server runs its own samba, and we are able to contact a users samba share using its active domain credentials.

Here are the corresponding lines from auth.log for the actions with the domain user:

Login with putty:
Code:
Jun 28 10:43:37 severname sshd[3016]: Accepted password for abc12345 from 130.145.42.10 port 52076 ssh2
Jun 28 10:43:37 servername sshd[3016]: pam_unix(sshd:session): session opened for user abc12345 by (uid=0)
Sudo:
Code:
Jun 28 10:44:57 servername sudo: pam_unix(sudo:auth): authentication failure; logname=abc12345 uid=12345 euid=0 tty=/dev/pts/7 ruser=abc12345 rhost=  user=abc12345
Jun 28 10:45:02 servername sudo: pam_unix(sudo:auth): conversation failed
Jun 28 10:45:02 servername sudo: pam_unix(sudo:auth): auth could not identify password for [abc12345]
Jun 28 10:45:02 servername sudo: abc12345 : 1 incorrect password attempt ; TTY=pts/7 ; PWD=/home/abc12345 ; USER=root ; COMMAND=/bin/ls -l /root
Graphical login:
Code:
Jun 28 10:49:24 servername gdm-session-worker[31753]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "abc12345"
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=abc12345
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_winbind(gdm:auth): getting password (0x00000388)
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_winbind(gdm:auth): pam_get_item returned a password
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_winbind(gdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Jun 28 10:49:31 servername gdm-session-worker[4741]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "abc12345"
I suspect there's something off with the pam settings, but I am not an expert on this. I hope someone can help me sort this out. I am able to get a LDAP ticket with kinit and retrieve information from LDAP with ldapsearch, and I am able to contact NIS with yptest / ypcat.

krb5.conf:
Code:
[libdefaults]
        default_realm = OUR.DOMAIN.COM
        clockskew = 300

[realms]
        OUR.DOMAIN.COM = {
                kdc = windowsad.our.domain.com
                default_domain = OUR.DOMAIN.COM
                admin_server = windowsad.our.domain.com
        }

[domain_realm]
        .OUR.DOMAIN.COM = OUR.DOMAIN.COM

[appdefaults]
    pam = {
            debug = true
            ticket_lifetime = 10h
            renew_lifetime = 9h
            forwardable = true
            proxiable = false
            retain_after_close = false
            minimum_uid = 0
            try_first_pass = true
    }

[login]
        krb4_convert = true
        krb4_get_tickets = false

[logging]
   kdc = SYSLOG:debug:local1
   admin-server = SYSLOG:debug:local1
   default = SYSLOG:debug:local1
nsswitch.conf:
Code:
passwd:         nis compat
group:          nis compat
shadow:         compat

hosts:          files dns
networks:       files dns

services:   files dns
protocols:  files
rpc:        files
ethers:     files
netmasks:   files dns
netgroup:   nis
publickey:  files

bootparams: files
automount:  files
aliases:        files
yp.conf:
Code:
domain nisdom server 10.14.41.10
smb.conf:
Code:
[global]
   workgroup = OUR
   realm = OUR.DOMAIN.COM
   server string = %h
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog only = no
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   smb passwd file =
   unix extensions = no
   load printers = no
   winbind enum groups = yes
   winbind enum users = yes

[homes]
        comment = Local home accessed by %U
        path = /home2/%S
        read only = No
        map archive = No
        force create mode = 0100
        browseable = No

[rootdir]
        path = /
/etc/pam.d/gdm :
Code:
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required        pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional        pam_gnome_keyring.so auto_start
@include common-password
/etc/pam.d/sshd :
Code:
auth       required     pam_env.so envfile=/etc/default/locale
@include common-auth
account    required     pam_nologin.so
@include common-account
@include common-session
session    required     pam_limits.so
@include common-password
/etc/pam.d/sudo :
Code:
auth       required   pam_env.so readenv=1 user_readenv=0
auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
/etc/pam.d/common-auth :
Code:
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
/etc/pam.d/common-account :
Code:
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
account requisite                       pam_deny.so
account required                        pam_permit.so

Last edited by Nitroglycerine; 06-28-2012 at 04:21 AM.
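Added example, not part of Nitroglycerine's post or of any config quoted above: a small Python model of how libpam walks the auth stacks shown in the thread. It parses the bracketed `[success=N default=ignore]` control fields that Ubuntu's common-auth uses, applies the pam.conf(5) dispatch rules (ok, done, bad, die, ignore, jump) in a simplified form of libpam's pam_dispatch.c, and replays three scenarios with stubbed module results: a local user, the domain user that sshd accepts (assumed here to be pam_winbind succeeding, which the sshd log does not state), and the gdm attempt where pam_winbind returns PAM_USER_UNKNOWN as in the log. The module outcome tables are constructed for the illustration; nothing here contacts winbind, Kerberos or NIS.

```python
"""Replay of the PAM auth stacks from the thread (added example).

Models libpam's dispatch of the 'auth' type for Debian/Ubuntu-style
control fields.  The dispatch rules are a simplification of pam_dispatch.c:
the first 'bad'/'die' freezes a negative result; ok/done/jump only record a
result while nothing negative has been recorded; a jump is only taken while
the running impression is positive.  Module results are stubbed from tables.
"""
import re

# PAM return codes used by the simulation (names as in pam_modules.h).
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Simple keywords expanded to their bracket equivalents, per pam.conf(5).
SIMPLE = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_control(field):
    """'[success=2 default=ignore]' -> {'success': '2', 'default': 'ignore'}."""
    if field.startswith("["):
        return dict(kv.split("=", 1) for kv in field[1:-1].split())
    return SIMPLE[field]


def parse_auth_stack(text):
    """Return [(control, module, args)] for the 'auth' lines of a pam.d file.
    @include lines are skipped; splice the included stack in yourself."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable pam line: " + line)
        mtype, ctrl, module, args = m.groups()
        if mtype == "auth":
            stack.append((parse_control(ctrl), module, args.split()))
    return stack


def run_auth(stack, results):
    """Walk the stack; `results` maps module name -> return code.
    Returns (final_status, trace) where trace lists 'module: ret -> action'."""
    status, impression = None, None        # impression: None | "pos" | "neg"
    trace, i = [], 0
    while i < len(stack):
        ctrl, module, _args = stack[i]
        ret = results.get(module, PAM_AUTH_ERR)
        key = ret[4:].lower()              # PAM_USER_UNKNOWN -> 'user_unknown'
        action = ctrl.get(key, ctrl.get("default", "bad"))
        trace.append("%s: %s -> %s" % (module, ret, action))
        skip = 0
        if action == "ignore":
            pass
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", ret
            if action == "die":
                break
        else:                              # ok, done, or an integer jump
            if impression != "neg":
                impression, status = "pos", ret
            if action == "done" and impression == "pos":
                break
            if action.isdigit() and impression == "pos":
                skip = int(action)
        i += 1 + skip
    return (PAM_PERM_DENIED if status is None else status), trace


# The common-auth quoted in the post, as spliced into sshd, sudo and gdm.
COMMON_AUTH = """
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""
# The auth lines that precede @include common-auth in the posted /etc/pam.d/gdm
# (the two pam_env lines are omitted; they carry no authentication decision).
GDM_PREFIX = """
auth    requisite       pam_nologin.so
auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
"""
SSHD_AUTH = parse_auth_stack(COMMON_AUTH)
GDM_AUTH = parse_auth_stack(GDM_PREFIX) + parse_auth_stack(COMMON_AUTH)

# Constructed outcome tables.  pam_deny always fails, pam_permit always passes,
# pam_nologin passes while /etc/nologin is absent, and pam_succeed_if returns
# PAM_AUTH_ERR for a user outside nopasswdlogin (the "requirement not met" line).
BASE = {"pam_deny.so": PAM_AUTH_ERR, "pam_permit.so": PAM_SUCCESS,
        "pam_nologin.so": PAM_SUCCESS, "pam_succeed_if.so": PAM_AUTH_ERR}
LOCAL_USER = dict(BASE, **{"pam_unix.so": PAM_SUCCESS})
DOMAIN_SSH = dict(BASE, **{"pam_unix.so": PAM_AUTH_ERR, "pam_winbind.so": PAM_SUCCESS})   # assumption
DOMAIN_GDM = dict(BASE, **{"pam_unix.so": PAM_AUTH_ERR, "pam_winbind.so": PAM_USER_UNKNOWN})

if __name__ == "__main__":
    for name, stack, res in [("local user via sshd", SSHD_AUTH, LOCAL_USER),
                             ("domain user via sshd", SSHD_AUTH, DOMAIN_SSH),
                             ("domain user via gdm", GDM_AUTH, DOMAIN_GDM)]:
        final, trace = run_auth(stack, res)
        print(name, "->", final)
        for step in trace:
            print("   ", step)
```

What the replay makes visible: the gdm `requirement "user ingroup nopasswdlogin" not met` line is harmless, because `sufficient` maps a failure to `ignore` and the stack keeps walking. In common-auth a pam_unix failure is likewise ignored, so everything rests on pam_winbind: a success jumps over pam_deny to pam_permit, while the PAM_USER_UNKNOWN seen in the gdm log falls into `default=ignore` and leaves the requisite pam_deny to end the stack with PAM_AUTH_ERR. The stack shape is the same for sshd and gdm; what differs in the logs is what winbind returns for the user.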