SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
So far, not working. I've installed the 4 new PAM-packages you (kjhambrick) recommended. I've also installed the smb.conf and pam.d/system-auth from Ivandi's SlackMATE/extra/setup/SAMBA_AD_DC/setup.ADS-client.sh. I've tried using that system-auth and also renaming the system-auth.ads to system-auth.
None of this lets me `su - mark` from a local user to domain user (mark). I can do this as root. Almost no matter what combination of pam.d and smb.conf configurations I use, I get the same basic errors in /var/log/secure:
That seems to have at least returned the password.
I think this is *very* close. There must be some PAM config issue to get right. I'm not sure what's wrong. I believe I have everything exactly as described by kjhambrick and Ivandi.
Since you've already configured /etc/samba/smb.conf for your Domain and Realm, maybe compare the 'good stuff'
OTOH, /etc/nsswitch.conf DOES need the 'winbind' and 'wins' entries that you'll find in ivandi's /etc/nsswitch.conf.ads.
#
# cat /etc/nsswitch.conf.ads
#
kjhambrick: I've got the nsswitch.conf stuff in there.
in looking at that README, I don't have:
Download setup.LDAP.
The setup.LDAP script will create the initial databases and configs.
The script by itself is a how-to.
I'm very unclear on the instructions here. Is he talking about configuring a domain member or AD server? I didn't have to run LDAP setup on the AD server to get domain members to connect or domain users to login. IN fact, these look like instructions for a "traditional" LDAP/Kerberos single-sign-on, not Active Directory.
I just finished my workout, but while resting between the sets I installed three VMs. An AD DC and two clients. Joined cl1 and cl2 to dc. Logged in as administrator(AD administrator) on each client. Then from cl1 did ssh to cl2 w/o password and vice versa:
Code:
root@dc:~# net ads info
LDAP server: 192.168.0.2
LDAP server name: dc.example.net
Realm: EXAMPLE.NET
Bind Path: dc=EXAMPLE,dc=NET
LDAP port: 389
Server time: Tue, 20 Sep 2016 20:03:30 EDT
KDC server: 192.168.0.2
Server time offset: 0
Last machine account password change: Tue, 20 Sep 2016 18:55:47 EDT
Code:
Welcome to Linux 4.4.19 (tty2)
cl1 login: administrator
Password:
Linux 4.4.19.
Creating directory '/home/EXAMPLE/administrator'.
administrator@cl1:~$ id
uid=70501(administrator) gid=70514(domain users) groups=70514(domain users),70501(administrator),70513(domain admins),70519(schema admins),70520(enterprise admins),70521(group policy creator owners),70573(denied rodc password replication group)
administrator@cl1:~$ host cl2
cl2.example.net has address 192.168.0.4
administrator@cl1:~$ ssh cl2
The authenticity of host 'cl2 (192.168.0.4)' can't be established.
ECDSA key fingerprint is SHA256:8TAb8r8ShLt2jdgDU0ykBURKJfBqdm6f4mUkSkXzMS8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'cl2,192.168.0.4' (ECDSA) to the list of known hosts.
Last login: Tue Sep 20 19:46:39 EDT 2016 on tty2
Linux 4.4.19.
administrator@cl2:~$
Code:
Welcome to Linux 4.4.19 (tty2)
cl2 login: administrator
Password:
Linux 4.4.19.
Creating directory '/home/EXAMPLE/administrator'.
administrator@cl2:~$ id
uid=70501(administrator) gid=70514(domain users) groups=70514(domain users),70501(administrator),70513(domain admins),70519(schema admins),70520(enterprise admins),70521(group policy creator owners),70573(denied rodc password replication group)
administrator@cl2:~$ ssh cl1
The authenticity of host 'cl1 (192.168.0.3)' can't be established.
ECDSA key fingerprint is SHA256:OGh65milbyRqdeGcDXs4V8vKUdmTv3DiMPaSFk9UgeQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'cl1,192.168.0.3' (ECDSA) to the list of known hosts.
Last login: Tue Sep 20 19:23:34 EDT 2016 on tty2
Linux 4.4.19.
administrator@cl1:~$
PAM makes you stronger ... if she doesn't kill you first
kjhambrick: Yes, I have ntp running correctly, no firewall, testjoin OK. As I mentioned, I do have all this running on Ubuntu.
ivandi: here's my `net ads info` (note that host labrat is my Slackware domain member and urat is my Ubuntu domain member):
Code:
1 01:43:06 root@labrat:~
# net ads info
LDAP server: 192.168.0.2
LDAP server name: mail.hprs.local
Realm: HPRS.LOCAL
Bind Path: dc=HPRS,dc=LOCAL
LDAP port: 389
Server time: Wed, 21 Sep 2016 01:43:44 EDT
KDC server: 192.168.0.2
Server time offset: 0
Last machine account password change: Sun, 18 Sep 2016 20:56:57 EDT
I'm doing all this remotely, so I don't have an actual login prompt. I have to use either ssh (remote) or su (local).
How about if you post the contents of your actual, working /etc/pam.d/su and /etc/pam.d/system-auth? I'll compare with what I have line-by-line. If I have the same as you it *has* to work!
Inching forward though ...
That WBC_ERR_AUTH_ERROR error happened when I used the pam.d/system-auth from .../SlackMATE/extra/setup/SAMBA_AD_DC/setup.ADS-client.sh.
My latest test uses the as-installed /etc/pam.d configs from the `upgradepkg --install-new Linux-PAM-1.3.0-x86_64-1_pam.txz` from yesterday (or earlier today, I lose track). Since I'm trying `su` locally, the only change I made was to the /etc/pam.d/su file to add the 3 suggested lines from https://wiki.samba.org/index.php/Set..._users_via_PAM as follows:
Except for the last 3 lines from the samba wiki, the rest of the file is as-installed from Invandi's Linux-PAM-1.3.0-x86_64-1_pam.txz. Then, running `su - mark` from local user mfoley I get:
Running this same `su - mark` on the Ubuntu workstation gives:
Code:
Sep 21 01:55:30 urat su[14497]: pam_krb5(su:auth): authentication failure; logname=mark uid=1001 euid=0 tty=/dev/pts/9 ruser=mfoley rhost=
Sep 21 01:55:30 urat su[14497]: pam_unix(su:auth): authentication failure; logname=mfoley uid=1001 euid=0 tty=/dev/pts/9 ruser=mfoley rhost= user=mark
Sep 21 01:55:30 urat su[14497]: pam_winbind(su:auth): getting password (0x00000388)
Sep 21 01:55:30 urat su[14497]: pam_winbind(su:auth): pam_get_item returned a password
Sep 21 01:55:30 urat su[14497]: pam_winbind(su:auth): user 'mark' granted access
Sep 21 01:55:30 urat su[14497]: Successful su for mark by mfoley
Sep 21 01:55:30 urat su[14497]: + /dev/pts/9 mfoley:mark
Sep 21 01:55:30 urat su[14497]: pam_unix(su:session): session opened for user mark by mfoley(uid=1001)
Sep 21 01:55:30 urat su[14497]: pam_systemd(su:session): Cannot create session: Already running in a session
Notice that the log messages are pretty much the same for both, including the "user 'mark' granted access" which indicates to me that the domain user/password was authenticated. The difference is that the Ubuntu machine next gives "Successful su for mark by mfoley" whereas the Slackware machine gives "pam_authenticate: Authentication failure".
So, there is some next-step after granting access that is missing on the Slackware host.
My Slackware /etc/samba/smb.conf (same as Ubuntu, which works) is:
Code:
[global]
netbios name = labrat
workgroup = HPRS
security = ADS
realm = HPRS.LOCAL
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
[demoshare]
path = /srv/samba/test
read only = no
Note that I did try the one from .../SlackMATE/extra/setup/SAMBA_AD_DC/setup.ADS-client.sh with no luck.
Note that the Ubuntu /etc/pam.d/su includes the following 3 config definitions which have apparent successive types of re-tries. Does any of this give us a hint as to what's missing?
common-auth:
Code:
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
common-account:
Code:
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required pam_krb5.so minimum_uid=10000
# end of pam-auth-update config
session required pam_mkhomedir.so skel=/etc/skel/ umask=0002
common-password:
Code:
password [success=3 default=ignore] pam_krb5.so minimum_uid=10000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
How about if you post the contents of your actual, working /etc/pam.d/su and /etc/pam.d/system-auth? I'll compare with what I have line-by-line. If I have the same as you it *has* to work!
mfoley --
Not sure you were addressing me or ivandi since I am not yet testing AD Logins only locals.
But if you wanted to see my files, they are below.
#
# note1: shouldn't matter but I did a RHELish thing and installed system-auth.ads as a symlink so I can see what's what ...
# note2: I installed ivandi's sudo last night so I could test with local users ( works great )
# note3: there is an extra symlink in my /etc/pam.d/ directory for VMWare's vmtools
#
Code:
# cp -p system-auth.ads system-auth.ads-ivandi-orig # back up so I can edit the file, leaving the original as provided by ivandi
# ln -sf system-auth.ads system-auth # install system-auth.ads as system-auth
# ls -l # content of /etc/pam.d
Code:
total 112
-rw-r--r-- 1 root root 95 May 5 21:23 chage
-rw-r--r-- 1 root root 95 May 5 21:23 chfn
-rw-r--r-- 1 root root 95 May 5 21:23 chgpasswd
-rw-r--r-- 1 root root 95 May 5 21:23 chpasswd
-rw-r--r-- 1 root root 95 May 5 21:23 chsh
-rw-r--r-- 1 root root 150 Jun 18 08:08 cups
-rw-r--r-- 1 root root 95 May 5 21:23 groupadd
-rw-r--r-- 1 root root 95 May 5 21:23 groupdel
-rw-r--r-- 1 root root 95 May 5 21:23 groupmems
-rw-r--r-- 1 root root 95 May 5 21:23 groupmod
-rw-r--r-- 1 root root 498 May 5 21:23 login
-rw-r--r-- 1 root root 95 May 5 21:23 newusers
-rw-r--r-- 1 root root 237 May 5 21:23 other
-rw-r--r-- 1 root root 89 May 5 21:23 passwd
-rw-r--r-- 1 root root 247 May 5 21:31 polkit-1
-rw-r--r-- 1 root root 156 May 5 21:25 runuser
-rw-r--r-- 1 root root 50 May 5 21:25 runuser-l
-rw-r--r-- 1 root root 457 Aug 7 10:45 sshd
-rw-r--r-- 1 root root 417 May 5 21:23 su
-rw-r--r-- 1 root root 417 May 5 21:25 sudo
lrwxrwxrwx 1 root root 15 Sep 21 03:55 system-auth -> system-auth.ads
-rw-r--r-- 1 root root 382 Jul 8 06:57 system-auth.ads
-rw-r--r-- 1 root root 382 Jul 8 06:57 system-auth.ads-ivandi-orig
-rw-r--r-- 1 root root 417 May 5 21:24 system-auth.krb5
-rw-r--r-- 1 root root 207 Jul 8 06:57 system-auth.samba
-rw-r--r-- 1 root root 137 May 5 21:23 system-auth.unix
-rw-r--r-- 1 root root 95 May 5 21:23 useradd
-rw-r--r-- 1 root root 95 May 5 21:23 userdel
-rw-r--r-- 1 root root 95 May 5 21:23 usermod
lrwxrwxrwx 1 root root 49 Sep 19 11:02 vmtoolsd -> /usr/lib/vmware-tools/configurator/pam.d/vmtoolsd
How about if you post the contents of your actual, working /etc/pam.d/su and /etc/pam.d/system-auth? I'll compare with what I have line-by-line. If I have the same as you it *has* to work!
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.