[Samba] pam_winbind causing local user login failures on 3.0.23c
... and a couple of other things
Stefano
ckh5z9ae at sympatico.ca
Thu Sep 28 23:54:17 GMT 2006
All,
I'm currently running a CentOS 4.4 x86_64 server and wanted to have
single sign-on for Active Directory users on my domain. CentOS 4.4 comes
with Samba 3.0.10-1.4E.9, which ends up filling my logs with messages
related to the BUILTIN users/groups. I have a few local user accounts on
the server for testing, etc.
Since issues related to winbind and BUILTIN users/groups have recently been
resolved, I decided to update Samba. I downloaded the Fedora Core RPM for
3.0.23c, rebuilt it on my server and installed it. In order to have a
"fresh start", I moved the /var/cache/samba directory elsewhere. I
successfully completed the following steps:
- kinit Administrator at DOMAIN
- net ads join -Uadministrator
- service winbind start
- service smb start
- wbinfo -u
- wbinfo -g
- wbinfo -t
- wbinfo -n userid
I've listed 3 issues ... the first I've solved, but I don't understand why
it behaves as it does, the second is more of a question on lower/mixed case
group/user ids, but the third issue is related to pam_winbind not allowing
local users to log in and is causing me lots of grief ...
ISSUE #1
========
I had a problem with "getent passwd userid" ... it did not print anything to
my screen. My logs were full of messages such as:
Sep 28 16:42:01 computer1 winbindd[6372]: [2006/09/28 16:42:01, 0]
sam/idmap_rid.c:rid_idmap_get_id_from_sid(491)
Sep 28 16:42:01 computer1 winbindd[6372]: rid_idmap_get_id_from_sid: no
suitable range available for sid: S-xxxxxxxxxxxxxxxxxxxxxxxxxx
Obviously the SIDs were not getting mapped to the UID/GID. My smb.conf
file is below:
[global]
workgroup = DOMAIN
realm = DOMAIN.EXAMPLE.COM
server string = computer1
interfaces = eth0
security = ADS
allow trusted domains = No
password server = kdc1.example.com
log file = /var/log/samba/%m.log
max log size = 1024
smb ports = 445
name resolve order = host
deadtime = 15
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 1000000-10000000
idmap gid = 1000000-10000000
idmap backend = rid:BUILTIN=1000000-4999999,DOMAIN=5000000-10000000
template homedir = /data/domain/%U
template shell = /bin/bash
winbind use default domain = Yes
winbind nested groups = Yes
# winbind refresh tickets = Yes
# winbind offline logon = Yes
winbind enum users = No
winbind enum groups = No
load printers = Yes
cups options = raw
I decided to rearrange the line "idmap backend" to the following:
idmap backend = rid:"DOMAIN=5000000-10000000,BUILTIN=1000000-4999999"
and now "getent passwd userid" WORKED! The "rid_idmap_get_id_from_sid"
error messages are gone. I don't understand why the order of DOMAIN/BUILTIN
should make a difference in winbind being able to map a RID to a SID.
Please explain, or is this a bug?
ISSUE #2
========
I decided to also change "winbind use default domain" to "No". I restarted
winbind and smb and doing a "wbinfo -g" resulted in lowercase group names,
whereas leaving it as "Yes" returned mixed case group names, such as:
With "winbind use default domain = Yes"
# wbinfo -g
.....
WaterGroup
.....
With "winbind use default domain = No"
# wbinfo -g
.....
DOMAIN\watergroup
.....
Is this significant? Is WaterGroup interpreted the same as
DOMAIN\watergroup? It appears case is ignored for user and group names. Is
this correct? What is the proper way to specify user and group names in
smb.conf?
ISSUE #3
========
At this point I am able to log in using ADS credentials and all is good,
HOWEVER, I CANNOT log in using a LOCAL user account. If I comment out the
pam_winbind lines in /etc/pam.d/system-auth, I can log in, but now I have no
ADS authenticated logins.
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=WaterGroup
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
/var/log/messages is as follows:
........
Sep 28 18:31:09 computer1 sshd(pam_unix)[13565]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=computer2.example.com user=adsuser
Sep 28 18:31:09 computer1 pam_winbind[13565]: user 'adsuser' OK
Sep 28 18:31:09 computer1 pam_winbind[13565]: user 'adsuser' granted access
Sep 28 18:31:09 computer1 pam_winbind[13565]: user 'adsuser' OK
Sep 28 18:31:09 computer1 pam_winbind[13565]: user 'adsuser' granted access
Sep 28 18:31:09 computer1 sshd(pam_unix)[13582]: session opened for user adsuser by (uid=0)
Sep 28 18:31:28 computer1 sshd(pam_unix)[13582]: session closed for user adsuser
.........
Sep 28 18:32:07 computer1 pam_winbind[13636]: request failed, but PAM error 0!
Sep 28 18:32:07 computer1 pam_winbind[13636]: internal module error (retval = 3, user = `localuser')
..........
As you can see, the domain user has no trouble logging in, but the
"localuser" is denied. This worked under 3.0.10. Also, the domain user
(adsuser) is granted access twice!
I need a local user login because I use FreeNX, which uses the nx user
(which is local to the machine) to authenticate the connection prior to
submitting the user's credentials.
I would very much appreciate any help / comments on the above. Please let
me know if I need to provide additional info to help resolve this issue.
Sincerely,
Stefano
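The local-user denial in Issue #3 can be reproduced from the quoted PAM stack alone: for a local user whose password pam_unix accepts, the auth phase stops at pam_unix (sufficient), so the only place pam_winbind can reject him is the account phase, where `[default=bad success=ok user_unknown=ignore]` turns any return other than success or user_unknown into a failure, and retval 3 is PAM_SERVICE_ERR in Linux-PAM numbering. The model below is an added example, not code from the post or from Samba; it implements the standard Linux-PAM control-flag rules and replays the account phase of the quoted system-auth with constructed module results.

```python
PAM_SUCCESS, PAM_SERVICE_ERR, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 3, 6, 7, 10
CODE_NAMES = {0: "success", 3: "service_err", 6: "perm_denied", 7: "auth_err",
              10: "user_unknown"}

# Linux-PAM expands the control keywords into these [value=action] tables.
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """'required' or '[default=bad success=ok user_unknown=ignore]' -> action table."""
    if control.startswith("["):
        return dict(item.split("=", 1) for item in control.strip("[]").split())
    return KEYWORDS[control]

def evaluate(stack, results):
    """stack: [(control, module)], results: module -> return code.
    Returns the stack's final PAM code; 0 means the phase succeeded."""
    status, failed = None, False
    for control, module in stack:
        rc = results[module]
        table = parse_control(control)
        action = table.get(CODE_NAMES[rc], table["default"])
        if action in ("ok", "done") and not failed:
            status = rc                   # contributes to the stack result
            if action == "done":
                return status             # 'sufficient' short-circuits on success
        elif action in ("bad", "die"):
            if not failed:
                failed, status = True, rc  # the first failure sets the result
            if action == "die":
                return status
    return PAM_PERM_DENIED if status is None else status

ACCOUNT_STACK = [  # the account phase of the quoted /etc/pam.d/system-auth
    ("required", "pam_unix"),
    ("sufficient", "pam_succeed_if"),     # uid < 100
    ("[default=bad success=ok user_unknown=ignore]", "pam_winbind"),
    ("required", "pam_permit"),
]

def account_result(winbind_rc, uid_under_100=False):
    """Constructed results for a local user whose pam_winbind call returns winbind_rc."""
    results = {"pam_unix": PAM_SUCCESS, "pam_permit": PAM_SUCCESS,
               "pam_succeed_if": PAM_SUCCESS if uid_under_100 else PAM_AUTH_ERR,
               "pam_winbind": winbind_rc}
    return evaluate(ACCOUNT_STACK, results)  # 3 (denied) for the log's retval = 3
```

With PAM_SERVICE_ERR from pam_winbind the stack returns 3 and the local user is denied; had the module answered PAM_USER_UNKNOWN, the `user_unknown=ignore` clause would have let the stack finish with 0.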