LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Red Hat
User Name
Password
Red Hat This forum is for the discussion of Red Hat Linux.

Notices

Reply
 
Search this Thread
Old 09-26-2006, 05:43 PM   #1
buddyj57
LQ Newbie
 
Registered: Sep 2006
Location: Houston, TX
Distribution: Red Hat AS 4
Posts: 2

Rep: Reputation: 0
Pam-auth issues after Samba/Winbind config


enviroment:

Linux mymachine.mydoman.com 2.6.9-42.0.2.ELsmp #1 SMP Thu Aug 17 18:00:32 EDT 2006 i686 i686 i386 GNU/Linux

I'm getting the following messages in logwatch after configuring samba/winbind. Domain users can ssh (home directory is created) and ftp. I wil post my config steps for samba/winbind after this post. Any clues to what I've done wrong would be greatly appreciated

Users logging in through sshd:
mydomain\\don:
it1.mydomain.com (192.168.2.173): 2 times


Received disconnect:
11: All open channels closed
::ffff:192.168.2.173 : 1 Time(s)

**Unmatched Entries**
pam_krb5[24666]: no v5 creds for user 'mydomain\don', skipping session cleanup
pam_krb5[24664]: authentication fails for 'mydomain\don' (fdidon@FDI.com): User not known to the underlying authentication module (Client not found in Kerberos database)
pam_krb5[24664]: account checks fail for 'mydomain\don': user is unknown

This causes problems with certain 3rd party applications such as ROC Easyspooler web interface where neither local or domain users can be validated (except root).

Output from 3rd party authentication test script (caut, verifies trusted, /etc/password and pam flavor of choice) is as follows for local user.

Authentication dump
service (eg "su") - pam_sudo
user name - buddyj
password (will be echoed) - xxxxxxx
auth_auth: debug 1 inline 0
auth_trusted: getspname found entry User buddyj
sp_namp: buddyj
sp_pwdp: imaskedtheoutput
auth_check_passwd_crypt: glibc2 crypt OK - passed
auth_etc_passswd: getpwnam found entry for User buddyj
pw_name: buddyj
pw_passwd: x
auth_check_passwd_crypt: FAILED (Standard crypt) *****
auth_check_passwd_crypt: Salt x passwd x crypt_result xxcxxxxxnNA
Calling pam_start
pam_start succeeded for service pam_sudo, user buddyj
Calling pam_authenticate
[GUI]Authentication failure for buddyj (PAM Err# 7)
[Result]NOK
Authentication failure for buddyj

and for domain user only

Authentication dump
service (eg "su") - pam_sudo
user name - mydomain\don
password (will be echoed) - xxxxx
auth_auth: debug 1 inline 0
auth_trusted: getspname did not find an entry for User fdi\don
auth_etc_passswd: getpwnam found entry for User mydomain\don
pw_name: don
pw_passwd: *
auth_check_passwd_crypt: FAILED (Standard crypt) *****
auth_check_passwd_crypt: Salt * passwd * crypt_result **7xxxxxxxA
Calling pam_start
pam_start succeeded for service pam_sudo, user mydomain\don
Calling pam_authenticate
[GUI]Authentication failure for mydomain\don (PAM Err# 7)
[Result]NOK
Authentication failure for mydomain\don

Thanx for any help!
Buddy
 
Old 09-26-2006, 05:48 PM   #2
buddyj57
LQ Newbie
 
Registered: Sep 2006
Location: Houston, TX
Distribution: Red Hat AS 4
Posts: 2

Original Poster
Rep: Reputation: 0
my samba/winbind config steps

Requires logon as mydomain\username but here is what I've done so far

1. configure kbr5.conf (kerbose authen). FAQ suggested using numeric ip address, not dns name

[libdefaults]
default_realm = MYDOMAIN.com
dns_lookup_realm = false
dns_lookup_kdc = false


[realms]

MYDOMAIN.com = {
kdc = 192.168.2.6:88
admin_server = 192.168.2.6:749
}

MYDOMAIN.COM = {
kdc = 192.168.2.6
kdc = 192.168.2.7
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM



2. stop services:

service winbind stop
service smb stop

net ads join -U ads_administrator_name

This should give you feedback on what it finds t
There are the pertinent changes I made to smb.conf [run testparm to verify typing!]
'#' are my comments for this post, not in my file

[global]
workgroup = mydomain #short domain name
realm = MYDOMAIN.COM #kerbos realm see below should be caps
server string = Test Server #Description type field for server
security = ads #I want Active Directory Service (security?)
password server = 192.168.2.6 192.168.2.7 #my PDC, BDC
template primary group = mycompany #pre-configured group I want as primary
template homedir = /home/%U # for use with pam_mkhomedirso parent has to
# exist. /home/%D/%U will create /home/mydomain/username
template shell = /bin/bash # shell I want them to start up
winbind use default domain = yes # this is supposed to keep you from having to log on as
# as mydomain\username but can just do username
# not working for me yet....
hosts allow = 192.168.2., 192.168.4., 127. #not required but I want to controll what subnets
#can log on

[netlogon] # I uncommented this section, not sure if it wasnecessary


3. Run testparm to make sure it likes the edited file. The FAQ says to restart the services but step 4 requires
a reboot

4. Add

session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077

above

session required /lib/security/$ISA/pam_limits.so

to the /etc/pam.d/system-auth file. skel=/etc/skel are default files that populate the directory

5. add

wbinfo --set-auth-user myuser

it will prompt to the the password and it will echo on screen and be stored unencrypted.

6. Reboot and test

Sources:
Red hat FAQ
# 5851 (but change '= DOMAIN' to '= ads'
# 5787
# 5402
# 4760

also referred to
# 918
Redhat docs install guide 11.6 User authentication with PAM
# 6047
man page for smb.conf
# 5532
# 5492
# 5402
 
  


Reply

Tags
pam, samba, winbind


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Apache auth_pam / pam winbind deny failed user auth collen Linux - Security 3 04-10-2006 02:20 AM
Samba, Pam, winbind and ADS loaf Linux - Software 5 08-17-2004 07:46 PM
Qpopper not getting email (using PAM/Samba Winbind Auth) Josh_T_2 Linux - Networking 8 12-19-2003 12:52 PM
Slackware, Samba, Winbind & PAM; Oh My! BulletSponge Slackware 3 06-20-2003 05:01 PM
Need help w/Samba & PAM Auth DocJones Linux - Software 3 05-14-2003 08:42 AM


All times are GMT -5. The time now is 03:41 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration