Old 11-12-2014, 05:27 AM   #1
grayFalcon
Member
 
Registered: Jan 2003
Distribution: Debian
Posts: 69

Rep: Reputation: 15
Active Directory: Join OK, getent, wbinfo & smbclient all work, but login fails


Hello everybody,

I have a very strange problem with AD authentication. I have a fresh install of Ubuntu 14.04 on a machine where I want the users to authenticate via AD. Details:
  • Copied /etc/nsswitch.conf, /etc/krb5.conf, /etc/samba/smb.conf and /etc/pam.d/common-* from another Ubuntu 14.04 machine where it works, changed hostname in smb.conf
  • net ads join -U DOMAINADMIN, net ads testjoin says the join is OK
  • wbinfo -u: gives a list of all AD users
  • wbinfo -g: gives a list of all AD groups
  • getent passwd: lists all AD users
  • kinit ADUSER with correct password: works, klist shows the ticket. kinit ADUSER with wrong password fails as expected
  • wbinfo -a ADUSER%ADPASSWORD: says "plaintext password authentication succeeded, challenge/response password authentication succeeded"
  • wbinfo --pam-logon ADUSER: asks for password, then says "plaintext password authentication succeeded"
  • From another host: smbclient -L SERVER -U ADUSER: Asks for password, then lists all shares (including the home directory), if I give the wrong password, fails as expected with NT_STATUS_LOGON_FAILURE

So everything looks awesome. However, when I try to log in as an AD user (be it directly from the console, using su when logged in as a local user, using SSH from a remote machine), I get a "Login incorrect" and the following in /var/log/auth.log:

Quote:
Nov 12 14:20:26 SERVER login[3863]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=ADUSER
Nov 12 14:20:26 SERVER login[3863]: pam_winbind(login:auth): getting password (0x00000388)
Nov 12 14:20:26 SERVER login[3863]: pam_winbind(login:auth): pam_get_item returned a password
Nov 12 14:20:26 SERVER login[3863]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Nov 12 14:20:26 SERVER login[3863]: pam_winbind(login:auth): user 'ADUSER' denied access (incorrect password or invalid membership)
Nov 12 14:20:28 SERVER login[3863]: FAILED LOGIN (1) on '/dev/tty3' FOR 'ADUSER', Authentication failure

I am completely stumped and, frankly, have totally run out of ideas where to even look (especially since it seems not to be possible to get PAM to be any more verbose). Does anyone have an idea what the problem may be? I mean, it seems to me that PAM is screwing up somewhere along the line, but I have really no idea where to look anymore.

As mentioned, it works on another server with exactly the same config files and the same Ubuntu version. I have also made sure that exactly the same packages are installed on both servers (basically piped the list of packages on the server where it works to an "apt-get install" on the server where it doesn't and rebooted).

If necessary, I can post any relevant config files, just didn't want to spam the whole config needlessly.

I would be really thankful for any pointers - as I said, I am completely at my wit's end here.

Last edited by grayFalcon; 11-12-2014 at 08:21 AM. Reason: Quick update concerning installed packages
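
An added example, not part of the original post: a small Python parser for the auth.log lines quoted above that groups PAM messages per login attempt and extracts the pam_winbind wbcLogonUser error fields (WBC error, PAM error, NTSTATUS). The function name summarize and the regular expressions are assumptions made for this illustration; the sample lines are the ones from the post.

```python
import re
from collections import defaultdict

# Log lines as quoted in the post above (SERVER, LOGIN and ADUSER are the poster's placeholders).
SAMPLE = """\
Nov 12 14:20:26 SERVER login[3863]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost= user=ADUSER
Nov 12 14:20:26 SERVER login[3863]: pam_winbind(login:auth): getting password (0x00000388)
Nov 12 14:20:26 SERVER login[3863]: pam_winbind(login:auth): pam_get_item returned a password
Nov 12 14:20:26 SERVER login[3863]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Nov 12 14:20:26 SERVER login[3863]: pam_winbind(login:auth): user 'ADUSER' denied access (incorrect password or invalid membership)
Nov 12 14:20:28 SERVER login[3863]: FAILED LOGIN (1) on '/dev/tty3' FOR 'ADUSER', Authentication failure
"""

# syslog prefix: timestamp, host, program[pid]: message
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# PAM module message: pam_xxx(service:phase): text
PAM = re.compile(r"^(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<phase>\w+)\): (?P<text>.*)$")
# pam_winbind failure detail as it appears in the quoted log
WBC = re.compile(r"request (?P<call>\w+) failed: (?P<wbc>WBC_ERR_\w+), "
                 r"PAM error: (?P<pam>PAM_\w+) \((?P<code>\d+)\), NTSTATUS: (?P<nt>NT_STATUS_\w+)")
# matches "user=NAME" (pam_unix) and "user 'NAME'" (pam_winbind), but not "ruser="
USER = re.compile(r"\buser[= ]'?(?P<user>[^'\s]+)")

def summarize(text):
    """Group PAM messages by (program, pid) and collect which modules failed and why."""
    attempts = defaultdict(lambda: {"user": None, "failed_modules": [], "winbind": None})
    for raw in text.splitlines():
        line = LINE.match(raw)
        pam = PAM.match(line["msg"]) if line else None
        if not pam:
            continue  # not a PAM module message (e.g. the final FAILED LOGIN line)
        attempt = attempts[(line["prog"], int(line["pid"]))]
        user = USER.search(pam["text"])
        if user:
            attempt["user"] = user["user"]
        detail = WBC.search(pam["text"])
        if detail:
            attempt["winbind"] = detail.groupdict()
        failed = detail or "authentication failure" in pam["text"]
        if failed and pam["module"] not in attempt["failed_modules"]:
            attempt["failed_modules"].append(pam["module"])
    return dict(attempts)

if __name__ == "__main__":
    for (prog, pid), info in summarize(SAMPLE).items():
        print(prog, pid, info["user"], info["failed_modules"], info["winbind"])
```
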
 
Old 11-20-2014, 09:11 AM   #2
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: antiX 23, MX 23
Posts: 7,153
Blog Entries: 21

Rep: Reputation: 3484
Well, I am no samba expert. So basically just bumping your thread since no one replied.

Some links for your error messages is the best I can do for you.

http://comments.gmane.org/gmane.netw...general/128502

Ubuntu Search Engine Error Links

Sorry, I do not know more.
 
  

