[Samba] AD logins using winbind looking for user in /etc/shadow

Wed Sep 6 00:00:56 GMT 2006

I'm running CentOS 4.3 with the most recent samba-client and samba-common
rpms.  I've managed to configure samba/winbind to allow me to join the box
to the AD, create the UID and GID mappings,  etc.  However, when I try to
connect via ssh, the account cannot log in.  /var/log/messages says the
following:

Sep  5 17:15:25 kdcdmz sshd[6263]: error: Could not get shadow information
for jason.mogavero
Sep  5 17:15:25 kdcdmz sshd[6263]: Failed password for jason.mogavero from
172.16.102.28 port 3646 ssh2

net ads status, getent passwd, and wbinfo all show the expected output with
no errors.  I'll include some of that output at the end of the config files.

It shouldn't be looking for a shadow password, it should be checking against
the AD user database, right?  Here are my configs.  I've poured over them
and compared them to several How-Tos and working configs and can't find
anything different.  If this would be better placed in the PAM list, let me
know and I'll send it there.

/etc/samba/smb.conf

workgroup = KDCTEST
realm = KDCTEST.COM
password server = adauth.kdctest.com
security = ads
encrypt passwords = yes
allow trusted domains = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind separator = \
winbind cache time = 10
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%U
client use spnego = yes

/etc/krb5.conf

[libdefaults]
 default_realm = kdctest.com
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[realms]
  KDCTEST.COM = {
  kdc = adauth.kdctest.com:88
  admin_server = adauth.kdctest.com:749
  default_domain = kdctest.com

        }

 kdctest.com = {
  kdc = adauth.kdctest.com
  admin_server = adauth.kdctest.com
 }

 KDCTEST.COM = {
  kdc = adauth.kdctest.com
 }

[domain_realm]

        kdctest.com = KDCTEST.COM
        .kdctest.com = KDCTEST.COM
        adauth.kdctest.com = KDCTEST.COM

/etc/nsswitch.conf

passwd:     files winbind
shadow:     files
group:      files winbind

hosts:      files dns

bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  files
automount:  files winbind
aliases:    files

/etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

And finally, /etc/pam.d/system-auth

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
#auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
quiet
#account     [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_krb5.so
#account     [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_winbind.so
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok
md5 shadow
#password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
#session     optional      /lib/security/$ISA/pam_krb5.so

Now here's some output from testing AD connectivity:

net ads info
LDAP server: 172.16.102.28
LDAP server name: adauth
Realm: KDCTEST.COM
Bind Path: dc=KDCTEST,dc=COM
LDAP port: 389
Server time: Tue, 05 Sep 2006 17:37:55 GMT
KDC server: 172.16.102.28
Server time offset: -14

getent passwd  (just the AD stuff is shown here)
administrator:*:10000:10000:Administrator:/home/administrator:/bin/bash
guest:*:10001:10001:Guest:/home/guest:/bin/bash
adauth$:*:10002:10002:ADAUTH:/home/adauth_:/bin/bash
krbtgt:*:10003:10000:krbtgt:/home/krbtgt:/bin/bash
jason.mogavero:*:10004:10000:Jason Mogavero:/home/jason.mogavero:/bin/bash
kdctest02$:*:10005:10003:KDCTEST02:/home/kdctest02_:/bin/bash
kdcvps1$:*:10006:10003:kdcvps1:/home/kdcvps1_:/bin/bash
kdcdmz$:*:10007:10003:kdcdmz:/home/kdcdmz_:/bin/bash

wbinfo -u
Administrator
Guest
ADAUTH$
krbtgt
jason.mogavero
KDCTEST02$
kdcvps1$
kdcdmz$

Any ideas as to where the problem might lie?  Thanks.