msh at blisses.org
Fri Sep 15 16:31:16 GMT 2006
On Fri, Sep 15, 2006 at 11:42:12AM -0300, Felipe Augusto van de Wiel wrote:
> On 09/12/2006 06:50 PM, Matt Herzog wrote:
> > I have the winbind login working on FC5 but now logins to local accounts
> > cannot authenticate.
> > My config files are here:
> > http://www.pigeonnier.org/nsswitch.conf
> > http://www.pigeonnier.org/pam.d/
> > http://www.pigeonnier.org/krb.conf
> > Again, if I try to ssh in as a user that exists only as a local account on the remote
> > host, I am rejected. User msh is -not- an AD account and only exists on the
> > FC5 server "province"
> > From the /var/log/secure file:
> > Sep 12 16:58:29 province sshd: reverse mapping checking getaddrinfo
> > for zogness.cinteractive.com failed - POSSIBLE BREAK-IN ATTEMPT!
> > Sep 12 16:58:33 province sshd: pam_unix(sshd:auth): authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.127.116.11 user=msh
> > Sep 12 16:58:35 province sshd: Failed password for msh from
> > 18.104.22.168 port 58069 ssh2
> > Sep 12 16:58:39 province sshd: pam_succeed_if(sshd:account):
> > requirement "uid < 100" not met by user "msh"
> > Sep 12 16:58:39 province sshd: fatal: Access denied for user msh by
> > PAM account configuration
> Well, for some reason your pam requires that your user has
> a uid less than 100, I don't know why, but it doesn't look like
> it is related to Samba.
> Kind regards,
Thanks. My problem was solved by Red Hat's authconfig utility. I am still
kicking myself for not having run it before. As it turns out, Red Hat's PAM
config for winbind authentication puts the line:
session sufficient pam_mkhomedir.so skel=/etc/skel umask=0027
while in Debian that same line needs to be in /etc/pam.d/system-auth.
Announcing your plans is a good way to hear the gods' laughter.
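
Added example (not part of the original messages, and not code from the Samba or PAM projects): a small Python triage of /var/log/secure lines like those quoted above, separating PAM auth-stack failures from account-stack denials per user. The sample lines are constructed from the excerpt with wrapped lines rejoined, and the address 192.0.2.10 is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /var/log/secure excerpt in the thread
# (wrapped lines rejoined; the address is a documentation placeholder).
SAMPLE = """\
Sep 12 16:58:33 province sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=msh
Sep 12 16:58:35 province sshd: Failed password for msh from 192.0.2.10 port 58069 ssh2
Sep 12 16:58:39 province sshd: pam_succeed_if(sshd:account): requirement "uid < 100" not met by user "msh"
Sep 12 16:58:39 province sshd: fatal: Access denied for user msh by PAM account configuration
"""

# PAM modules log as "<module>(<service>:<stage>): <message>"; the pid is optional.
PAM_RE = re.compile(r'sshd(?:\[\d+\])?: (pam_\w+)\((\w+):(\w+)\): (.*)$')
# \b keeps "ruser=" from being mistaken for "user="; backslash allows DOMAIN\user.
USER_RE = re.compile(r'\buser[= ]"?([\w.\\-]+)"?')
DENIED_RE = re.compile(
    r'sshd(?:\[\d+\])?: fatal: Access denied for user (\S+) by PAM account configuration')


def triage(text):
    """Return {user: {"stages": {stage: [(module, message)]}, "account_denied": bool}}."""
    report = defaultdict(lambda: {"stages": defaultdict(list), "account_denied": False})
    for line in text.splitlines():
        denied = DENIED_RE.search(line)
        if denied:
            report[denied.group(1)]["account_denied"] = True
            continue
        pam = PAM_RE.search(line)
        if not pam:
            continue  # e.g. sshd's own "Failed password" summary line
        module, _service, stage, message = pam.groups()
        user = USER_RE.search(message)
        if user:
            report[user.group(1)]["stages"][stage].append((module, message))
    return report


if __name__ == "__main__":
    for user, info in triage(SAMPLE).items():
        for stage, events in info["stages"].items():
            for module, message in events:
                print(f"{user}: {stage} stack, {module}: {message}")
        if info["account_denied"]:
            print(f"{user}: rejected in the account stack; review the 'account' lines")
```
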