06-28-2012, 04:17 AM   #1
LQ Newbie
Registered: Jun 2012
Distribution: Ubuntu
Posts: 1
Ubuntu/AD/KRB5/LDAP/NIS: able to use domain user login with putty, unable in GUI login

I am administering several Ubuntu servers (virtual VMware ESX servers) in a corporate domain with a Windows Active Directory domain and a SUN 8 NIS server. The NIS server is necessary since the Active Directory domain doesn't provide UNIX connectivity (it is possible, but the AD provider doesn't want to offer it despite numerous requests).

Usernames are either 8 or 9 characters long. The 8-character accounts (old accounts) look like abc12345; the new 9-character accounts look like 123456789, numeric characters only. The NIS translates the username to a user ID, which is linked to the Active Directory account, which verifies the user account / password combination. This way users only have to remember one username / password combo. The NIS is very old, I am well aware of that; however, the person administering it doesn't want to change it, and he has quite a lot of seniority in the organisation. The NIS limits user accounts to 8 characters, therefore it translates the new user accounts to 5-character user IDs.

On the Ubuntu servers we use krb5 to connect to the Active Directory, and ypbind to talk to the NIS. The whole setup functions OK with the relatively old Ubuntu 8.04 servers; however, I can't seem to get it to work with the newly created Ubuntu 12.04 servers. I am able to log in with a local user account both with putty and the graphical console (GDM in this case; behaviour is similar with KDM and LightDM), and I can execute sudo commands with the local accounts. However, if I use a domain account (like abc12345 or 123456789) I am still able to log in with putty, but the graphical console denies the login (authentication failure) and it denies the entered password when calling putty. Both the domain account and the local account are in the sudoers file.
Each server runs its own Samba, and we are able to contact a user's Samba share using their active domain credentials.

Here are the corresponding lines from auth.log for the actions with the domain user:

Login with putty:
Jun 28 10:43:37 severname sshd[3016]: Accepted password for abc12345 from port 52076 ssh2
Jun 28 10:43:37 servername sshd[3016]: pam_unix(sshd:session): session opened for user abc12345 by (uid=0)
Jun 28 10:44:57 servername sudo: pam_unix(sudo:auth): authentication failure; logname=abc12345 uid=12345 euid=0 tty=/dev/pts/7 ruser=abc12345 rhost=  user=abc12345
Jun 28 10:45:02 servername sudo: pam_unix(sudo:auth): conversation failed
Jun 28 10:45:02 servername sudo: pam_unix(sudo:auth): auth could not identify password for [abc12345]
Jun 28 10:45:02 servername sudo: abc12345 : 1 incorrect password attempt ; TTY=pts/7 ; PWD=/home/abc12345 ; USER=root ; COMMAND=/bin/ls -l /root
Graphical login:
Jun 28 10:49:24 servername gdm-session-worker[31753]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "abc12345"
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=abc12345
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_winbind(gdm:auth): getting password (0x00000388)
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_winbind(gdm:auth): pam_get_item returned a password
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_winbind(gdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Jun 28 10:49:31 servername gdm-session-worker[4741]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "abc12345"
I suspect there's something off with the PAM settings, but I am not an expert on this. I hope someone can help me sort this out. I am able to get an LDAP ticket with kinit and retrieve information from LDAP with ldapsearch, and I am able to contact NIS with yptest / ypcat.

/etc/krb5.conf :
[libdefaults]
        default_realm = OUR.DOMAIN.COM
        clockskew = 300

[realms]
        OUR.DOMAIN.COM = {
                kdc =
                default_domain = OUR.DOMAIN.COM
                admin_server =
        }

[appdefaults]
    pam = {
            debug = true
            ticket_lifetime = 10h
            renew_lifetime = 9h
            forwardable = true
            proxiable = false
            retain_after_close = false
            minimum_uid = 0
            try_first_pass = true
    }

[login]
        krb4_convert = true
        krb4_get_tickets = false

[logging]
   kdc = SYSLOG:debug:local1
   admin-server = SYSLOG:debug:local1
   default = SYSLOG:debug:local1
/etc/nsswitch.conf :
passwd:         nis compat
group:          nis compat
shadow:         compat

hosts:          files dns
networks:       files dns

services:   files dns
protocols:  files
rpc:        files
ethers:     files
netmasks:   files dns
netgroup:   nis
publickey:  files

bootparams: files
automount:  files
aliases:        files
/etc/yp.conf :
domain nisdom server
/etc/samba/smb.conf :
   workgroup = OUR
   realm = OUR.DOMAIN.COM
   server string = %h
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog only = no
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   smb passwd file =
   unix extensions = no
   load printers = no
   winbind enum groups = yes
   winbind enum users = yes

        comment = Local home accessed by %U
        path = /home2/%S
        read only = No
        map archive = No
        force create mode = 0100
        browseable = No

        path = /
/etc/pam.d/gdm :
auth    requisite
auth    required readenv=1
auth    required readenv=1 envfile=/etc/default/locale
auth    sufficient user ingroup nopasswdlogin
@include common-auth
auth    optional
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] close
session required
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] open
session optional auto_start
@include common-password
/etc/pam.d/sshd :
auth       required envfile=/etc/default/locale
@include common-auth
account    required
@include common-account
@include common-session
session    required
@include common-password
/etc/pam.d/sudo :
auth       required readenv=1 user_readenv=0
auth       required readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
/etc/pam.d/common-auth :
auth    [success=2 default=ignore] nullok_secure
auth    [success=1 default=ignore] krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite
auth    required
/etc/pam.d/common-account :
account [success=2 new_authtok_reqd=done default=ignore]
account [success=1 new_authtok_reqd=done default=ignore]
account requisite
account required

Last edited by Nitroglycerine; 06-28-2012 at 04:21 AM.
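Added here as a triage aid, not part of the original post or of any of the projects it mentions: a small Python script that parses auth.log lines of the kind quoted above, groups PAM messages by service (sshd, sudo, gdm) and module, and reports which module in each service's stack actually returned a failure and which message was the first denial. The sample log is constructed from the lines in the post, with a placeholder host name, client address and PIDs. The pam_succeed_if "requirement ... not met" message is classified as informational rather than as a failure, because in the /etc/pam.d/gdm stack shown above that line is the `auth sufficient ... user ingroup nopasswdlogin` shortcut, so not meeting it only means the stack continues to the password modules.

```python
"""Triage PAM authentication failures in auth.log by service and module.

Added example (not from the post): parses syslog-style auth.log lines, pulls
out the PAM module/service/stack triple and the user each message concerns,
and reports which module in each PAM service's stack reported a failure.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted in the post: the host name,
# client address and PIDs are placeholders, not real data.
SAMPLE_LOG = """\
Jun 28 10:43:37 servername sshd[3016]: Accepted password for abc12345 from 192.0.2.10 port 52076 ssh2
Jun 28 10:43:37 servername sshd[3016]: pam_unix(sshd:session): session opened for user abc12345 by (uid=0)
Jun 28 10:44:57 servername sudo: pam_unix(sudo:auth): authentication failure; logname=abc12345 uid=12345 euid=0 tty=/dev/pts/7 ruser=abc12345 rhost=  user=abc12345
Jun 28 10:45:02 servername sudo: pam_unix(sudo:auth): conversation failed
Jun 28 10:45:02 servername sudo: pam_unix(sudo:auth): auth could not identify password for [abc12345]
Jun 28 10:45:02 servername sudo: abc12345 : 1 incorrect password attempt ; TTY=pts/7 ; PWD=/home/abc12345 ; USER=root ; COMMAND=/bin/ls -l /root
Jun 28 10:49:24 servername gdm-session-worker[31753]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "abc12345"
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=abc12345
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_winbind(gdm:auth): getting password (0x00000388)
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_winbind(gdm:auth): pam_get_item returned a password
Jun 28 10:49:30 servername gdm-session-worker[31753]: pam_winbind(gdm:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Jun 28 10:49:31 servername gdm-session-worker[4741]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "abc12345"
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host process[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# PAM messages look like "pam_module(service:stack): detail"
PAM_RE = re.compile(
    r"^(?P<module>pam_\w+)\((?P<service>[\w.-]+):"
    r"(?P<stack>auth|account|session|password)\): (?P<detail>.*)$"
)
# Ways a PAM message names the user it concerns, tried in order.
USER_RES = [
    re.compile(r"\buser=(?P<user>\S+)"),
    re.compile(r'by user "(?P<user>[^"]+)"'),
    re.compile(r"for \[(?P<user>[^\]]+)\]"),
    re.compile(r"for user (?P<user>\S+)"),
]
FAILURE_MARKERS = ("authentication failure", "failed", "not met", "could not identify")


def classify(module, detail):
    """Return 'failure', 'info' or 'ok' for one PAM message."""
    # pam_succeed_if reporting a condition "not met" is not a denial: under a
    # 'sufficient' control the stack simply continues with the next module.
    if module == "pam_succeed_if" and "not met" in detail:
        return "info"
    if any(marker in detail for marker in FAILURE_MARKERS):
        return "failure"
    return "ok"


def parse_auth_log(text):
    """One record per PAM line, in log order; non-PAM lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        p = PAM_RE.match(m.group("msg"))
        if not p:
            continue  # e.g. sshd "Accepted password" or the sudo summary line
        detail = p.group("detail")
        user = next((u.group("user") for u in (rx.search(detail) for rx in USER_RES) if u), None)
        records.append({
            "ts": m.group("ts"), "host": m.group("host"), "proc": m.group("proc"),
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "module": p.group("module"), "service": p.group("service"),
            "stack": p.group("stack"), "user": user, "detail": detail,
            "status": classify(p.group("module"), detail),
        })
    return records


def summarize(records):
    """Per PAM service: modules seen, modules that reported a failure, users named."""
    summary = defaultdict(lambda: {"modules": set(), "failing": set(), "users": set()})
    for r in records:
        s = summary[r["service"]]
        s["modules"].add(r["module"])
        if r["status"] == "failure":
            s["failing"].add(r["module"])
        if r["user"]:
            s["users"].add(r["user"])
    return dict(summary)


def first_denial(records, service):
    """Earliest failure record for a service, or None if it never failed."""
    for r in records:
        if r["service"] == service and r["status"] == "failure":
            return r
    return None


def report(text):
    """Human-readable summary: one line per service plus its first denial."""
    records = parse_auth_log(text)
    lines = []
    for service, s in sorted(summarize(records).items()):
        verdict = "OK" if not s["failing"] else "FAILED in " + ", ".join(sorted(s["failing"]))
        lines.append(f"{service}: modules={sorted(s['modules'])} users={sorted(s['users'])} -> {verdict}")
        first = first_denial(records, service)
        if first:
            lines.append(f"    first denial: {first['ts']} {first['module']}({service}:{first['stack']}): {first['detail']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real file with `report(open("/var/log/auth.log").read())`. On the constructed sample it shows sshd with no failing module, sudo failing in pam_unix, and gdm failing in pam_unix and pam_winbind, which narrows the question to why those two modules, and not pam_krb5, end up deciding the result for a NIS-mapped domain account in the graphical and sudo stacks but not in sshd.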