[Samba] Issue with pam_winbind for MS AD authentication and
moduleoptions
Andre Fernando Goldacker
samba at teka.com.br
Thu Apr 5 12:55:37 GMT 2007
Have tested it but it didn't made any difference unfortunatelly.
Perhaps my pam config is still wrong, don't know, but it looks like a
small bug to me that maybe has not been noticed yet, and if so, perhaps
a timeout option in pam_winbind could do the job, who knows!!
cheers,
Andre
Miles, Noal wrote:
> I haven't tested but perhaps this pam entry in system-auth will help
> (insert before winbind account entry)
>
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100
> quiet
>
> Noal
>
> -----Original Message-----
> From: Andre Fernando Goldacker [mailto:samba at teka.com.br]
> Sent: Wednesday, April 04, 2007 11:06 AM
> To: Andre Fernando Goldacker
> Cc: Miles, Noal; samba at lists.samba.org
> Subject: Re: [Samba] Issue with pam_winbind for MS AD authentication and
> moduleoptions
>
>
> I made a mistake, group in nsswitch.conf looks like this:
>
> group: files winbind
>
> sorry about that!!
>
> Andre
>
> Andre Fernando Goldacker wrote:
>
>> Hello!
>>
>> passwd, shadow and group looks as follows in nsswitch.conf:
>>
>> passwd: files winbind
>> shadow: files
>> group: files group
>>
>> What really confuses me is that when my AD server is up and running,
>> root or any local user logs in with no problem. And even when AD
>> server is down, after trying a zillion times, root and other local
>> users login, and then if I log them out and try again a few minutes
>> later it won't go again, then again after a few minutes it works again
>>
>
>
>> and it keeps going like that.
>>
>> My guess is that when it's not going pam_winbind and winbind are
>> trying to connect to the AD Server resulting in a huge delay in the
>> login process afecting also local users login. That's why I was
>> wondering if there is a "timeout" option or something for pam_winbind
>> to avoid that. Well, that's my guess I could be wrong and maybe the
>> problem is something else.
>>
>> Anyway thank's so far for your help, if you or anyone has a light...
>>
>> Andre
>>
>>
>>
>> Miles, Noal wrote:
>>
>>
>>> You have files before winbind in /etc/nsswitch.conf for passwd,
>>> shadow, group?
>>>
>>> Noal
>>>
>>> -----Original Message-----
>>> From: samba-bounces+noal.miles=tdstelecom.com at lists.samba.org
>>> [mailto:samba-bounces+noal.miles=tdstelecom.com at lists.samba.org] On
>>> Behalf Of Andre Fernando Goldacker
>>> Sent: Wednesday, April 04, 2007 8:40 AM
>>> To: samba at lists.samba.org
>>> Subject: [Samba] Issue with pam_winbind for MS AD authentication and
>>> moduleoptions
>>>
>>>
>>> Hello!
>>>
>>> I've configured samba with winbind and pam_winbind module to
>>> authenticate users that connect to my linux box against MS AD.
>>>
>>> Works like a charm. If a user exists both in AD and locally, login
>>> should assume local users. Again, it works pretty well (It seems at
>>> least with my current config).
>>>
>>> If my AD server goes down for any reason, local users should be able
>>> to login. For example, root has to login always no matter if my AD
>>> server exploded.
>>>
>>> That's where is the problem. When I shutdown my AD server and I try
>>> to login with a local user (root as well), my guess is that it seems
>>> that pam_winbind waits for a very very long time trying to find my AD
>>>
>
>
>>> server to authenticate that even the local login times out. I don't
>>> really know if that is the reason for this behaviour, but if it is,
>>> I'm wondering if there is a hidden or maybe a new "timeout" option
>>> for pam_winbind module as I didn't found anything related in the man
>>> pages and the mailing lists archive. Or maybe if login finds the user
>>>
>
>
>>> in the local database, bypass winbind authentication, don't know if
>>> that is possible.
>>>
>>> The reason why I came up with this idea is that when the AD server is
>>>
>
>
>>> down and I try to login with root for eg. over and over many times,
>>> after a while it goes (looks like pam config order is right), but a
>>> few minutes later it won't again, which made me thought that perhaps
>>> winbind or pam_winbind are trying to estabilish a connection with AD
>>> and somehow because of that the whole process slows down so much that
>>>
>
>
>>> even local login times out.
>>>
>>> Samba is configured to catch UID's, GID's from AD using SFU and ad
>>> idmap backend. Only users that are members of a specified AD group
>>> are able to login. The purpose of the machine is to be an application
>>>
>
>
>>> server and share folders based on AD users and group permissions.
>>>
>>> My system is RHEL AS3 with update 7 and samba-3.0.24
>>>
>>> Below are my pam lines in the system-auth file:
>>>
>>> #%PAM-1.0
>>> # This file is auto-generated.
>>> # User changes will be destroyed the next time authconfig is run.
>>> auth required /lib/security/$ISA/pam_env.so
>>> auth sufficient /lib/security/$ISA/pam_unix.so likeauth
>>>
> nullok
>
>>> auth sufficient /lib/security/$ISA/pam_winbind.so
>>> try_first_pass require_membership_of=DOMAIN+group
>>> auth required /lib/security/$ISA/pam_deny.so
>>>
>>> account required /lib/security/$ISA/pam_unix.so
>>>
> nullok_secure
>
>>> account sufficient /lib/security/$ISA/pam_winbind.so
>>>
>>> password required /lib/security/$ISA/pam_cracklib.so retry=3
>>> password sufficient /lib/security/$ISA/pam_unix.so nullok
>>> use_authtok md5 shadow
>>> password required /lib/security/$ISA/pam_deny.so
>>>
>>> session required /lib/security/$ISA/pam_limits.so
>>> session required /lib/security/$ISA/pam_unix.so
>>> session required /lib/security/$ISA/pam_mkhomedir.so
>>>
> umask=0022
>
>>> skel=/etc/skel
>>>
>>> Considering that if a user exists both in the local user database and
>>>
>
>
>>> AD, login has to assume local user (seems to be working fine), could
>>> someone give me a hint if I'm in the right path, and maybe an idea
>>> why or what I could do when my AD servers goes down to my local users
>>>
>
>
>>> (including root) log in normally??
>>>
>>> Any help will be greatly appreciated,
>>>
>>> Andre
>>>
>>>
>>>
>>>
>
>
More information about the samba
mailing list