I am administering several Ubuntu servers (virtual VMware ESX servers) in a corporate domain with a Windows Active Directory domain and a SUN 8 NIS server. The NIS server is necessary since the Active Directory domain doesn't provide UNIX connectivity (it is possible, but the AD provider doesn't want to offer it despite numerous requests).
Usernames are either 8 or 9 characters long. The 8-character accounts (old accounts) look like abc12345; the new 9-character accounts look like 123456789, numeric characters only. The NIS translates the username to a user ID, which is linked to the Active Directory account, which verifies the user account / password combination. This way users only have to remember one username / password combo. The NIS is very old, I am well aware of that; however, the person administering it doesn't want to change it, and he has quite a lot of seniority in the organisation. The NIS limits user accounts to 8 characters, therefore it translates the new user accounts to 5-character user IDs.
On the Ubuntu servers we use krb5 to connect to the Active Directory, and ypbind to talk to the NIS. The whole setup functions OK with the relatively old Ubuntu 8.04 servers; however, I can't seem to get it to work with the newly created Ubuntu 12.04 servers. I am able to log in with a local user account both with PuTTY and the graphical console (GDM in this case; behaviour is similar with KDM and LightDM), and I can execute sudo commands with the local accounts. However, if I use a domain account (like abc12345 or 123456789) I am still able to log in with PuTTY, but it denies the login in the graphical console (authentication failure) and denies the entered password when calling putty. Both the domain account and the local account are in the sudoers file.
Each server runs its own Samba, and we are able to contact a user's Samba share using their Active Directory credentials.
Here are the corresponding lines from auth.log for the actions with the domain user:
Login with PuTTY:
Code:
Jun 28 10:43:37 severname sshd[3016]: Accepted password for abc12345 from 130.145.42.10 port 52076 ssh2
Jun 28 10:43:37 servername sshd[3016]: pam_unix(sshd:session): session opened for user abc12345 by (uid=0)
Sudo:
Code:
Jun 28 10:44:57 servername sudo: pam_unix(sudo:auth): authentication failure; logname=abc12345 uid=12345 euid=0 tty=/dev/pts/7 ruser=abc12345 rhost= user=abc12345
Jun 28 10:45:02 servername sudo: pam_unix(sudo:auth): conversation failed
Jun 28 10:45:02 servername sudo: pam_unix(sudo:auth): auth could not identify password for [abc12345]
Jun 28 10:45:02 servername sudo: abc12345 : 1 incorrect password attempt ; TTY=pts/7 ; PWD=/home/abc12345 ; USER=root ; COMMAND=/bin/ls -l /root
Graphical login:
Code:
Jun 28 10:49:24 servername gdm-session-worker[31753]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "abc12345"
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=abc12345
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_winbind(gdm:auth): getting password (0x00000388)
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_winbind(gdm:auth): pam_get_item returned a password
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_winbind(gdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Jun 28 10:49:31 servername gdm-session-worker[4741]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "abc12345"
I suspect there's something off with the PAM settings, but I am not an expert on this. I hope someone can help me sort this out. I am able to get an LDAP ticket with kinit and retrieve information from LDAP with ldapsearch, and I am able to contact NIS with yptest / ypcat.
krb5.conf:
Code:
[libdefaults]
    default_realm = OUR.DOMAIN.COM
    clockskew = 300

[realms]
    OUR.DOMAIN.COM = {
        kdc = windowsad.our.domain.com
        default_domain = OUR.DOMAIN.COM
        admin_server = windowsad.our.domain.com
    }

[domain_realm]
    .OUR.DOMAIN.COM = OUR.DOMAIN.COM

[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 10h
        renew_lifetime = 9h
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        try_first_pass = true
    }

[login]
    krb4_convert = true
    krb4_get_tickets = false

[logging]
    kdc = SYSLOG:debug:local1
    admin-server = SYSLOG:debug:local1
    default = SYSLOG:debug:local1
nsswitch.conf:
Code:
passwd: nis compat
group: nis compat
shadow: compat
hosts: files dns
networks: files dns
services: files dns
protocols: files
rpc: files
ethers: files
netmasks: files dns
netgroup: nis
publickey: files
bootparams: files
automount: files
aliases: files
yp.conf:
Code:
domain nisdom server 10.14.41.10
smb.conf:
Code:
[global]
    workgroup = OUR
    realm = OUR.DOMAIN.COM
    server string = %h
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog only = no
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = ADS
    smb passwd file =
    unix extensions = no
    load printers = no
    winbind enum groups = yes
    winbind enum users = yes

[homes]
    comment = Local home accessed by %U
    path = /home2/%S
    read only = No
    map archive = No
    force create mode = 0100
    browseable = No

[rootdir]
    path = /
/etc/pam.d/gdm:
Code:
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password
/etc/pam.d/sshd:
Code:
auth required pam_env.so envfile=/etc/default/locale
@include common-auth
account required pam_nologin.so
@include common-account
@include common-session
session required pam_limits.so
@include common-password
/etc/pam.d/sudo:
Code:
auth required pam_env.so readenv=1 user_readenv=0
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
/etc/pam.d/common-auth:
Code:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
/etc/pam.d/common-account:
Code:
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
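The `[success=N default=ignore]` controls in common-auth decide which module's verdict counts, and the sudo and gdm failures above are both the point where pam_deny.so fires after pam_unix and pam_winbind were each ignored. The following simulator, added here as an illustration and not part of the original post, walks the quoted common-auth stack with the dispatch rules documented in pam.conf(5) (ok/done/bad/die/ignore/reset and numeric jumps) and reports which module's result reached the final decision. The module outcomes fed in are constructed from the auth.log lines rather than measured, @include lines are not expanded, and the dispatch is simplified (no substack handling, no pam_setcred phase).

```python
"""Simulator for Linux-PAM control-flag semantics, run over the common-auth
stack from the post.  Added example, not part of the original post; the
module outcomes below are constructed from the quoted auth.log lines."""
import re

# The common-auth stack exactly as it appears in the post.
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

# Keyword controls expanded to their bracketed equivalents, as given in pam.conf(5).
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Modules whose return value never depends on the user.
FIXED_RESULTS = {"pam_permit.so": "success", "pam_deny.so": "auth_err"}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(?:\s+(.*))?$")


def parse_stack(text, mtype="auth"):
    """Return [(module, {result: action})] for lines of the given type.
    Comments are dropped and @include lines are skipped, not expanded."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        line_type, control, module, _args = m.groups()
        if line_type != mtype:
            continue
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = dict(SHORTHAND[control])
        entries.append((module, actions))
    return entries


def evaluate(stack_text, outcomes, mtype="auth"):
    """Walk the stack with Linux-PAM's dispatch rules (simplified: no substacks).
    outcomes maps module -> result name ('success', 'auth_err', 'user_unknown', 'ignore', ...);
    modules absent from outcomes and FIXED_RESULTS are treated as returning 'ignore'.
    Returns (granted, final_status, trace) where trace lists (module, result, action)."""
    results = {**FIXED_RESULTS, **outcomes}
    impression, status, skip, trace = None, None, 0, []
    for module, actions in parse_stack(stack_text, mtype):
        if skip:                      # line jumped over by an earlier success=N
            skip -= 1
            trace.append((module, "skipped", None))
            continue
        result = results.get(module, "ignore")
        action = actions.get(result, actions.get("default", "bad"))  # PAM's implicit default is 'bad'
        trace.append((module, result, action))
        jump = int(action) if action.isdigit() else 0
        if jump:
            action = "ok"             # a jump records the result like 'ok', then skips N lines
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                if result != "ignore":
                    impression, status = "positive", result
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":   # the first failure is the one reported
                impression, status = "negative", result
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, None
        # "ignore": the module's result does not affect the decision at all
        skip = jump
    granted = impression == "positive" and status == "success"
    return granted, status, trace


if __name__ == "__main__":
    scenarios = {
        "local user, good password":    {"pam_unix.so": "success"},
        "domain user, winbind accepts": {"pam_unix.so": "auth_err", "pam_winbind.so": "success"},
        "sudo trace from the post":     {"pam_unix.so": "auth_err", "pam_winbind.so": "user_unknown"},
    }
    for name, outcomes in scenarios.items():
        granted, status, trace = evaluate(COMMON_AUTH, outcomes)
        print(f"{name}: {'granted' if granted else 'denied'} ({status})")
        for module, result, action in trace:
            print(f"    {module:16} {result:13} -> {action}")
```

The third scenario mirrors the sudo log: pam_unix.so fails and is ignored, pam_winbind.so returns user-unknown and is ignored, so the requisite pam_deny.so supplies the final auth_err. With this stack a domain user can only be granted if either pam_unix.so or pam_winbind.so returns success outright; any other pair of results ends at pam_deny.so, which is why the log shows three ignored or failed lines before the refusal.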