Pam-auth issues after Samba/Winbind config
environment:
Linux mymachine.mydoman.com 2.6.9-42.0.2.ELsmp #1 SMP Thu Aug 17 18:00:32 EDT 2006 i686 i686 i386 GNU/Linux

I'm getting the following messages in logwatch after configuring samba/winbind. Domain users can ssh (home directory is created) and ftp. I will post my config steps for samba/winbind after this post. Any clues to what I've done wrong would be greatly appreciated.

Users logging in through sshd:
   mydomain\\don: it1.mydomain.com (192.168.2.173): 2 times
Received disconnect:
   11: All open channels closed ::ffff:192.168.2.173 : 1 Time(s)

**Unmatched Entries**
pam_krb5[24666]: no v5 creds for user 'mydomain\don', skipping session cleanup
pam_krb5[24664]: authentication fails for 'mydomain\don' (fdidon@FDI.com): User not known to the underlying authentication module (Client not found in Kerberos database)
pam_krb5[24664]: account checks fail for 'mydomain\don': user is unknown

This causes problems with certain 3rd party applications such as ROC Easyspooler web interface where neither local nor domain users can be validated (except root). Output from the 3rd party authentication test script (caut, verifies trusted, /etc/password and pam flavor of choice) is as follows for a local user:

Authentication dump
service (eg "su") - pam_sudo
user name - buddyj
password (will be echoed) - xxxxxxx
auth_auth: debug 1 inline 0
auth_trusted: getspname found entry
User buddyj sp_namp: buddyj sp_pwdp: imaskedtheoutput
auth_check_passwd_crypt: glibc2 crypt OK - passed
auth_etc_passswd: getpwnam found entry for User buddyj
pw_name: buddyj pw_passwd: x
auth_check_passwd_crypt: FAILED (Standard crypt) *****
auth_check_passwd_crypt: Salt x passwd x crypt_result xxcxxxxxnNA
Calling pam_start
pam_start succeeded for service pam_sudo, user buddyj
Calling pam_authenticate
[GUI]Authentication failure for buddyj (PAM Err# 7)
[Result]NOK Authentication failure for buddyj

and for a domain user:

Authentication dump
service (eg "su") - pam_sudo
user name - mydomain\don
password (will be echoed) - xxxxx
auth_auth: debug 1 inline 0
auth_trusted: getspname did not find an entry for User fdi\don
auth_etc_passswd: getpwnam found entry for User mydomain\don
pw_name: don pw_passwd: *
auth_check_passwd_crypt: FAILED (Standard crypt) *****
auth_check_passwd_crypt: Salt * passwd * crypt_result **7xxxxxxxA
Calling pam_start
pam_start succeeded for service pam_sudo, user mydomain\don
Calling pam_authenticate
[GUI]Authentication failure for mydomain\don (PAM Err# 7)
[Result]NOK Authentication failure for mydomain\don

Thanx for any help!
Buddy
my samba/winbind config steps
Requires logon as mydomain\username, but here is what I've done so far.

1. Configure krb5.conf (Kerberos authentication). FAQ suggested using numeric ip address, not dns name.

   [libdefaults]
    default_realm = MYDOMAIN.com
    dns_lookup_realm = false
    dns_lookup_kdc = false
   [realms]
    MYDOMAIN.com = {
      kdc = 192.168.2.6:88
      admin_server = 192.168.2.6:749
    }
    MYDOMAIN.COM = {
      kdc = 192.168.2.6
      kdc = 192.168.2.7
    }
   [domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM

2. Stop services and join the domain:
   service winbind stop
   service smb stop
   net ads join -U ads_administrator_name
   This should give you feedback on what it finds.

   These are the pertinent changes I made to smb.conf [run testparm to verify typing!]. '#' are my comments for this post, not in my file.

   [global]
    workgroup = mydomain                         # short domain name
    realm = MYDOMAIN.COM                         # Kerberos realm, see below, should be caps
    server string = Test Server                  # Description type field for server
    security = ads                               # I want Active Directory Service (security?)
    password server = 192.168.2.6 192.168.2.7    # my PDC, BDC
    template primary group = mycompany           # pre-configured group I want as primary
    template homedir = /home/%U                  # for use with pam_mkhomedir, so parent has to exist.
                                                 # /home/%D/%U will create /home/mydomain/username
    template shell = /bin/bash                   # shell I want them to start up
    winbind use default domain = yes             # this is supposed to keep you from having to log on
                                                 # as mydomain\username but can just do username;
                                                 # not working for me yet....
    hosts allow = 192.168.2., 192.168.4., 127.   # not required but I want to control what subnets
                                                 # can log on
   [netlogon]                                    # I uncommented this section, not sure if it was necessary

3. Run testparm to make sure it likes the edited file. The FAQ says to restart the services, but step 4 requires a reboot.

4. Add
     session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077
   above
     session required /lib/security/$ISA/pam_limits.so
   to the /etc/pam.d/system-auth file. skel=/etc/skel are default files that populate the directory.

5. Add wbinfo --set-auth-user myuser
   It will prompt for the password, and it will echo on screen and be stored unencrypted.

6. Reboot and test.

Sources: Red Hat FAQ #5851 (but change '= DOMAIN' to '= ads'), #5787, #5402, #4760; also referred to #918, Red Hat docs install guide 11.6 User authentication with PAM, #6047, man page for smb.conf, #5532, #5492, #5402
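An added example, not from the poster or from Samba: a small POSIX sh audit of a PAM stack in the /etc/pam.d/system-auth format, checking the session-phase ordering step 4 asks for (pam_mkhomedir before pam_limits) and whether pam_winbind is present in the auth phase at all, since without it pam_krb5 is the module that sees the DOMAIN\user names Winbind produces, which matches the logwatch entries in the first post. The stack text is a constructed sample, not the poster's file.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a PAM stack in the
# /etc/pam.d/system-auth format for (a) pam_mkhomedir placed before
# pam_limits in the session phase and (b) presence of pam_winbind in auth.
# SAMPLE_STACK is a constructed sample resembling a RHEL4-era system-auth.

SAMPLE_STACK='auth     required   /lib/security/$ISA/pam_env.so
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth     sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth     required   /lib/security/$ISA/pam_deny.so
account  required   /lib/security/$ISA/pam_unix.so broken_shadow
account  [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
session  required   /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077
session  required   /lib/security/$ISA/pam_limits.so
session  required   /lib/security/$ISA/pam_unix.so'

# line_of STACK PHASE MODULE: 1-based line of the first PHASE entry loading MODULE, else 0.
line_of() {
    printf '%s\n' "$1" | awk -v t="$2" -v m="$3" '
        $1 == t && index($0, m) { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# mkhomedir_before_limits STACK: succeeds only if both session modules exist
# and pam_mkhomedir comes first (the order step 4 requires).
mkhomedir_before_limits() {
    mk=$(line_of "$1" session pam_mkhomedir.so)
    lim=$(line_of "$1" session pam_limits.so)
    [ "$mk" -gt 0 ] && [ "$lim" -gt 0 ] && [ "$mk" -lt "$lim" ]
}

# winbind_in_auth STACK: succeeds if pam_winbind handles the auth phase.
winbind_in_auth() {
    [ "$(line_of "$1" auth pam_winbind.so)" -gt 0 ]
}

audit_stack() {
    if mkhomedir_before_limits "$1"; then
        echo "OK: pam_mkhomedir precedes pam_limits in the session phase"
    else
        echo "WARN: pam_mkhomedir missing or placed after pam_limits"
    fi
    if winbind_in_auth "$1"; then
        echo "OK: pam_winbind present in auth phase"
    else
        echo "WARN: no pam_winbind in auth; domain logons reach pam_krb5 instead"
    fi
}

audit_stack "$SAMPLE_STACK"
```

To audit a real file, pass its contents: audit_stack "$(cat /etc/pam.d/system-auth)".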