LinuxQuestions.org
Linux - Server: Active Directory with pam_krb5 getpwnam failed for <user>
https://www.linuxquestions.org/questions/linux-server-73/active-directory-with-pam_krb5-getpwnam-failed-for-user-4175445444/

jmusbach 01-13-2013 04:31 PM

Active Directory with pam_krb5 getpwnam failed for <user>
 
Hello, I'm trying to get my Linux box bound with Kerberos... For my /etc/krb5.conf I have:

Code:

DOMAIN = {
  kdc = kdc-server.domain.com
  admin_server = kdc-server.domain.com
  default_domain = DOMAIN
}

In the "[realms]" section. Under "[domain_realm]" I have:

Code:

.domain.com = KDC-SERVER.DOMAIN.COM
domain.com = KDC-SERVER.DOMAIN.COM

Then in /etc/samba/smb.conf I have:

Code:

workgroup = DOMAIN
netbios name = DEB
security = ads
realm = DOMAIN
password server = KDC-SERVER.DOMAIN.COM
template homedir = /home/%D/%U
template shell = /bin/bash
winbind separator=+
winbnd use default domain=Yes
idmap_rid:DOMAIN=10000-100000
idmap uid=10000-20000
idmap gid=10000-20000

My /etc/nsswitch.conf contains:

Code:

passwd: compat winbind
group: compat winbind
shadow: compat winbind

When I do "kinit Administrator@DOMAIN.COM" it works OK, as does the "net ads join -U Administrator" command. However, login fails as shown below (excerpt from /var/log/auth.log; I'm running Debian):

Code:

(login:auth): user Administrator authenticated as Administrator@DOMAIN
pam_env(login:session): No such user!?
pam_env(login:session): No such user!?
pam_mkhomedir(login:session): User unknown.
pam_krb5(login:session): (user Administrator) getpwnam failed for Administrator
pam_unix(login:session): session opened for user Administrator by LOGIN(uid=0)
User not known to the underlying authentication module

What can cause getpwnam to fail? :( Thanks for your help.
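The log above shows the auth phase succeeding and three session modules (pam_env, pam_mkhomedir, pam_krb5) all failing on the same getpwnam() call, which goes through NSS to winbind. As an added example (not code from the thread or from any of its participants), the script below reproduces that lookup and checks the two things it depends on: winbind being listed for passwd/group in nsswitch.conf, and the name form winbind actually exports ("Administrator" versus "DOMAIN+Administrator", depending on "winbind use default domain" and "winbind separator"). The smb.conf and nsswitch.conf contents are constructed samples modelled on the thread's config, KEYS_CONSULTED is this script's own short list rather than Samba's parameter table, and the near-miss check is a heuristic added here.

```python
"""Reproduce the getpwnam() lookup that pam_env, pam_mkhomedir and pam_krb5
perform in the session phase, and check the two things it depends on:
winbind being listed in nsswitch.conf, and the name form winbind exports.

Added example. File contents are embedded as constructed samples modelled on
the thread's config so this runs offline; KEYS_CONSULTED is this script's own
list, not Samba's parameter table.
"""
import difflib
import pwd

# Constructed sample, modelled on the thread's smb.conf (note the misspelt key).
SAMPLE_SMB_CONF = """\
[global]
workgroup = DOMAIN
security = ads
realm = DOMAIN
winbind separator=+
winbnd use default domain=Yes
template homedir = /home/%D/%U
"""

# Constructed sample, identical to the thread's nsswitch.conf lines.
SAMPLE_NSSWITCH = """\
passwd: compat winbind
group:  compat winbind
shadow: compat winbind
"""

# Assumption: only the parameters this script reasons about, not Samba's full table.
KEYS_CONSULTED = ('workgroup', 'realm', 'security', 'winbind separator',
                  'winbind use default domain', 'template homedir',
                  'template shell')


def parse_smb_conf(text):
    """[global] parameters as {key: value}; keys lower-cased with whitespace
    collapsed, which is how Samba compares parameter names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition('=')
        if sep and section in (None, 'global'):
            params[' '.join(key.split()).lower()] = value.strip()
    return params


def parse_nsswitch(text):
    """{database: [sources]} from nsswitch.conf."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        db, sep, sources = line.partition(':')
        if sep:
            dbs[db.strip()] = sources.split()
    return dbs


def near_miss_keys(smb):
    """Keys that are not one of KEYS_CONSULTED but closely resemble one.
    Samba reports unrecognised parameters as unknown and ignores them, so a
    typo here means the intended setting is simply not in effect."""
    misses = {}
    for key in smb:
        if key in KEYS_CONSULTED:
            continue
        close = difflib.get_close_matches(key, KEYS_CONSULTED, n=1, cutoff=0.85)
        if close:
            misses[key] = close[0]
    return misses


def candidate_names(user, smb):
    """Name forms to hand to getpwnam(), most likely first. With
    'winbind use default domain = yes' winbind exports the bare name;
    otherwise it exports WORKGROUP<separator>user."""
    workgroup = smb.get('workgroup', '')
    separator = smb.get('winbind separator', '\\')   # Samba's default separator
    use_default = smb.get('winbind use default domain', 'no').lower() in ('yes', 'true')
    qualified = f'{workgroup}{separator}{user}' if workgroup else None
    names = [user, qualified] if use_default else [qualified, user]
    return [n for n in names if n]


def resolve(user, smb, lookup=pwd.getpwnam):
    """Return (name_that_resolved, pw_entry) or (None, None). `lookup` is
    injectable so the logic can be exercised on a box that is not joined."""
    for name in candidate_names(user, smb):
        try:
            return name, lookup(name)
        except KeyError:
            continue
    return None, None


def databases_missing_winbind(nss):
    """getpwnam() reads passwd and initgroups() reads group; both need winbind."""
    return [db for db in ('passwd', 'group') if 'winbind' not in nss.get(db, [])]


if __name__ == '__main__':
    smb = parse_smb_conf(SAMPLE_SMB_CONF)
    nss = parse_nsswitch(SAMPLE_NSSWITCH)
    print('possible typos:', near_miss_keys(smb))
    print('missing winbind:', databases_missing_winbind(nss))
    print('lookup order:', candidate_names('Administrator', smb))
    print('resolved:', resolve('Administrator', smb)[0])
```

On a joined box, point the two parse functions at /etc/samba/smb.conf and /etc/nsswitch.conf and compare the lookup order with what "getent passwd <name>" and "wbinfo -i <name>" return; whichever name form getent resolves is the one PAM needs to be given at login.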

kbp 01-13-2013 08:47 PM

I don't have a kerberos client handy, but your "[domain_realm]" section may be wrong; from memory I think it should be:

Code:

.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

.. you might want to check the man page - 'man 5 krb5.conf'.

I'm not sure what distro you're running, but when configuring authentication by hand it can be tricky to get everything right. I'd recommend using the 'authconfig' command if available, or a graphical tool.
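The point of the [domain_realm] section is to map host names and DNS domains to a realm name, so its right-hand side has to be a realm that exists under [realms], not the KDC's host name. As an added example (not from kbp or the original poster), the script below resolves a host name to a realm the way MIT krb5 consults [domain_realm] (exact host entry first, then parent domains written with a leading dot, longest suffix first) and flags any target that has no [realms] stanza. The two embedded configs are constructed: ORIGINAL reproduces the thread's mapping, and SUGGESTED uses kbp's two lines with the realm stanza renamed to DOMAIN.COM to match, which is this example's assumption rather than something the thread states. The parser is a minimal reading of the krb5.conf format covering only these two sections.

```python
"""Resolve a host name to a Kerberos realm the way [domain_realm] is consulted
and cross-check every mapping target against the [realms] stanzas.

Added example; the parsing handles only the braces-and-equals subset of the
krb5.conf format that these two sections use. Sample configs are constructed.
"""

# Constructed: the original poster's mapping, which targets the KDC's host name.
ORIGINAL = """\
[realms]
DOMAIN = {
  kdc = kdc-server.domain.com
  admin_server = kdc-server.domain.com
}

[domain_realm]
.domain.com = KDC-SERVER.DOMAIN.COM
domain.com = KDC-SERVER.DOMAIN.COM
"""

# Constructed: kbp's suggested mapping; renaming the realm stanza to match is
# an assumption made here, not something the thread says.
SUGGESTED = """\
[realms]
DOMAIN.COM = {
  kdc = kdc-server.domain.com
  admin_server = kdc-server.domain.com
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
"""


def parse_krb5(text):
    """Return {section: {key: value}}. A 'NAME = {' line opens a realm stanza
    whose settings land under sections['realms'][NAME] until the closing '}'."""
    sections, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip()
            sections.setdefault(section, {})
            continue
        if section is None:
            continue
        if line == '}':
            stanza = None
            continue
        key, _, value = (part.strip() for part in line.partition('='))
        if value == '{':
            stanza = key
            sections[section][stanza] = {}
        elif stanza is not None:
            sections[section][stanza][key] = value
        else:
            sections[section][key] = value
    return sections


def realm_for_host(host, domain_realm):
    """Exact host entry first, then '.parent' entries, longest suffix first;
    None when nothing matches (krb5 would then fall back to other means)."""
    host = host.lower().rstrip('.')
    mapping = {k.lower(): v for k, v in domain_realm.items()}
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def unmapped_realms(cfg):
    """[domain_realm] targets that have no stanza under [realms]; these are
    names the library will look for and never find a KDC for."""
    realms = set(cfg.get('realms', {}))
    targets = set(cfg.get('domain_realm', {}).values())
    return sorted(targets - realms)


if __name__ == '__main__':
    for label, text in (('original', ORIGINAL), ('suggested', SUGGESTED)):
        cfg = parse_krb5(text)
        print(label, 'kdc-server.domain.com ->',
              realm_for_host('kdc-server.domain.com', cfg['domain_realm']),
              '| targets without a [realms] stanza:', unmapped_realms(cfg))
```

Run against a real /etc/krb5.conf, a non-empty result from unmapped_realms() is the first thing to fix, since every realm name that [domain_realm] hands out has to resolve to a KDC through [realms] (or DNS SRV records, which this offline check does not consult).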

jmusbach 01-13-2013 08:59 PM

Hmm, I'll try that, thanks. I'm running Debian 6, btw. Any other thoughts on what could possibly be wrong?

kbp 01-13-2013 09:25 PM

Sorry, I'm not a fan of Samba .. I usually go with a kerberos/ldap/sssd combo. Maybe have a read here and see if you missed anything .. P.S. you missed scrubbing a domain name in smb.conf :)

jmusbach 01-15-2013 12:39 AM

Thanks for your help. I tried making that change in krb5.conf and nothing changed. :( I checked my pam.d conf files and those seem OK too. I guess I'll try compiling pam_krb5 from the latest source tarball to see if the binary deb is foobar somehow. Can't hurt, eh?

kbp 01-15-2013 02:06 AM

I'd find it highly unlikely .. chances are about 99.99% that the config is wrong somewhere; it's just a matter of finding where :)


All times are GMT -5.