[Samba] Issue with pam_winbind for MS AD authentication and moduleoptions
Miles, Noal
noal.miles at tdstelecom.com
Wed Apr 4 19:07:08 GMT 2007
I haven't tested but perhaps this pam entry in system-auth will help
(insert before winbind account entry)
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
Noal
-----Original Message-----
From: Andre Fernando Goldacker [mailto:samba at teka.com.br]
Sent: Wednesday, April 04, 2007 11:06 AM
To: Andre Fernando Goldacker
Cc: Miles, Noal; samba at lists.samba.org
Subject: Re: [Samba] Issue with pam_winbind for MS AD authentication and
moduleoptions
I made a mistake, group in nsswitch.conf looks like this:
group: files winbind
sorry about that!!
Andre
Andre Fernando Goldacker wrote:
> Hello!
>
> passwd, shadow and group looks as follows in nsswitch.conf:
>
> passwd: files winbind
> shadow: files
> group: files group
>
> What really confuses me is that when my AD server is up and running,
> root or any local user logs in with no problem. And even when AD
> server is down, after trying a zillion times, root and other local
> users login, and then if I log them out and try again a few minutes
> later it won't go again, then again after a few minutes it works again
> and it keeps going like that.
>
> My guess is that when it's not going pam_winbind and winbind are
> trying to connect to the AD Server resulting in a huge delay in the
> login process affecting also local users login. That's why I was
> wondering if there is a "timeout" option or something for pam_winbind
> to avoid that. Well, that's my guess I could be wrong and maybe the
> problem is something else.
>
> Anyway thanks so far for your help, if you or anyone has a light...
>
> Andre
>
>
>
> Miles, Noal wrote:
>
>> You have files before winbind in /etc/nsswitch.conf for passwd,
>> shadow, group?
>>
>> Noal
>>
>> -----Original Message-----
>> From: samba-bounces+noal.miles=tdstelecom.com at lists.samba.org
>> [mailto:samba-bounces+noal.miles=tdstelecom.com at lists.samba.org] On
>> Behalf Of Andre Fernando Goldacker
>> Sent: Wednesday, April 04, 2007 8:40 AM
>> To: samba at lists.samba.org
>> Subject: [Samba] Issue with pam_winbind for MS AD authentication and
>> moduleoptions
>>
>>
>> Hello!
>>
>> I've configured samba with winbind and pam_winbind module to
>> authenticate users that connect to my linux box against MS AD.
>>
>> Works like a charm. If a user exists both in AD and locally, login
>> should assume local users. Again, it works pretty well (It seems at
>> least with my current config).
>>
>> If my AD server goes down for any reason, local users should be able
>> to login. For example, root has to login always no matter if my AD
>> server exploded.
>>
>> That's where is the problem. When I shutdown my AD server and I try
>> to login with a local user (root as well), my guess is that it seems
>> that pam_winbind waits for a very very long time trying to find my AD
>> server to authenticate that even the local login times out. I don't
>> really know if that is the reason for this behaviour, but if it is,
>> I'm wondering if there is a hidden or maybe a new "timeout" option
>> for pam_winbind module as I didn't find anything related in the man
>> pages and the mailing lists archive. Or maybe if login finds the user
>> in the local database, bypass winbind authentication, don't know if
>> that is possible.
>>
>> The reason why I came up with this idea is that when the AD server is
>> down and I try to login with root for eg. over and over many times,
>> after a while it goes (looks like pam config order is right), but a
>> few minutes later it won't again, which made me think that perhaps
>> winbind or pam_winbind are trying to establish a connection with AD
>> and somehow because of that the whole process slows down so much that
>> even local login times out.
>>
>> Samba is configured to catch UID's, GID's from AD using SFU and ad
>> idmap backend. Only users that are members of a specified AD group
>> are able to login. The purpose of the machine is to be an application
>> server and share folders based on AD users and group permissions.
>>
>> My system is RHEL AS3 with update 7 and samba-3.0.24
>>
>> Below are my pam lines in the system-auth file:
>>
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required /lib/security/$ISA/pam_env.so
>> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>> auth sufficient /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
>> auth required /lib/security/$ISA/pam_deny.so
>>
>> account required /lib/security/$ISA/pam_unix.so nullok_secure
>> account sufficient /lib/security/$ISA/pam_winbind.so
>>
>> password required /lib/security/$ISA/pam_cracklib.so retry=3
>> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>> password required /lib/security/$ISA/pam_deny.so
>>
>> session required /lib/security/$ISA/pam_limits.so
>> session required /lib/security/$ISA/pam_unix.so
>> session required /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel
>>
>> Considering that if a user exists both in the local user database and
>> AD, login has to assume local user (seems to be working fine), could
>> someone give me a hint if I'm in the right path, and maybe an idea
>> why or what I could do when my AD servers goes down to my local users
>> (including root) log in normally??
>>
>> Any help will be greatly appreciated,
>>
>> Andre
>>
>>
>>
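
Added example, not part of the original thread: a shell check for the two orderings discussed above, namely that a pam_succeed_if short-circuit sits ahead of pam_winbind in the account stack and that "files" precedes "winbind" in nsswitch.conf. The function names and the sample files are constructed for illustration; the script checks ordering only and does not show that the change removes the login delay.

```shell
#!/bin/sh
# Added example (not from the thread): ordering checks for the files discussed.

# Exit 0 when an "account sufficient ...pam_succeed_if.so" line precedes the
# first pam_winbind.so line in the account stack of PAM file $1.
account_bypass_before_winbind() {
    awk '
        $1 != "account"            { next }
        $3 ~ /pam_winbind\.so$/    { seen = 1; exit }
        $2 == "sufficient" && $3 ~ /pam_succeed_if\.so$/ { bypass = 1 }
        END { exit !(seen && bypass) }
    ' "$1"
}

# Exit 0 when database $2 (passwd, group, ...) in nsswitch file $1 lists
# "files", and "winbind" is either absent or comes after it.
files_before_winbind() {
    awk -v db="$2:" '
        $1 == db {
            for (i = 2; i <= NF; i++) {
                if ($i == "files")   f = i
                if ($i == "winbind") w = i
            }
            exit
        }
        END { exit !(f && (!w || f < w)) }
    ' "$1"
}

# Constructed sample input, modelled on the lines quoted in this thread.
tmp=$(mktemp -d)
cat > "$tmp/before" <<'EOF'
account required   /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_winbind.so
EOF
cat > "$tmp/after" <<'EOF'
account required   /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/$ISA/pam_winbind.so
EOF
printf 'passwd: files winbind\ngroup: winbind files\n' > "$tmp/nsswitch"

for f in before after; do
    if account_bypass_before_winbind "$tmp/$f"; then r=yes; else r=no; fi
    echo "$f: bypass precedes pam_winbind in account stack: $r"
done
```

The condition uid < 100 matches root and low-numbered system accounts only, so local accounts with higher UIDs still fall through to pam_winbind.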