[Samba] Centos 7 member server login fails
Paul R. Ganci
ganci at nurdog.com
Wed Dec 27 01:08:11 UTC 2017
I have a problem that is now becoming very annoying. Namely, I have a
CentOS 7 member server running SerNet Samba 4.7.4 for which everything
seems to work except gdm or ftp logins. On the Linux client it seems
winbindd is set up correctly. For example (the data shown below has been
sanitized):
> getent passwd
testuser2:*:3001108:3000513::/home/testuser1:/bin/bash
testuser1:*:3001107:3000513::/home/testuser2:/bin/bash
> getent group
domain admins:x:3000512:administrator
domain users:x:3000513:testuser2,testuser1,administrator,krbtgt
> kinit Administrator
Password for Administrator@MYDC.TEST.COM:
> klist
Ticket cache: KEYRING:persistent:3001107:3001107
Default principal: Administrator@MYDC.TEST.COM
Valid starting       Expires              Service principal
12/26/2017 14:24:36  12/27/2017 00:24:36  krbtgt/MYDC.TEST.COM@MYDC.TEST.COM
        renew until 01/02/2018 14:24:32
> cat /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
#initgroups: files winbind
#hosts: db files nisplus nis dns
hosts: files dns myhostname
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files
aliases: files nisplus
After a console or ftp login I see these errors:
> cat /var/log/messages
Dec 26 14:31:26 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)
Dec 26 14:31:28 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)
Dec 26 14:31:30 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)
> cat /var/log/secure
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:26 testhost gdm-password]: gkr-pam: no password is available for user
Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:28 testhost gdm-password]: gkr-pam: no password is available for user
Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:30 testhost gdm-password]: gkr-pam: no password is available for user
So you can see pam_winbind is called but there is no password for the
user. And what is really strange is that I can log in to the member
server via ssh using a public/private key (username/password
authentication is turned off). After an ssh login I see this in
/var/log/secure:
> cat /var/log/secure
Dec 26 14:38:03 testhost sshd[32407]: pam_unix(sshd:session): session closed for user testuser1
Dec 26 14:38:07 testhost sshd[32501]: pam_winbind(sshd:account): user 'testuser1' granted access
Dec 26 14:38:07 testhost sshd[32501]: Accepted publickey for testuser1 from 192.168.1.3 port 53174 ssh2: RSA SHA256:CVb5dqn5xUPXO0iVbUyHlNuXUZeW4J6k42Kg94teayg
Dec 26 14:38:07 testhost sshd[32501]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Dec 26 14:38:07 testhost sshd[32501]: pam_unix(sshd:session): session opened for user testuser1 by (uid=0)
Logins on the DC do work properly. Plus, I have 3 other member server
Linux boxes all running SSSD which have no issues. I am pretty sure the
issue is on the client box running winbindd. Does anyone have any
suggestions as to how to debug this issue or what might be going wrong?
--
Paul (ganci at TEST.com)
Cell: (303)257-5208
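
An added example, not part of the original post: a short Python triage of the /var/log/secure format quoted above, tabulating which PAM phase each module logged per service. The sample lines are constructed from the post's excerpts (unwrapped), and the function names are hypothetical. On that sample, pam_winbind reaches the auth phase only for gdm-password, while for sshd it appears only in the account phase next to "Accepted publickey".

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the /var/log/secure excerpts in the post.
SAMPLE = """\
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:26 testhost gdm-password]: gkr-pam: no password is available for user
Dec 26 14:38:07 testhost sshd[32501]: pam_winbind(sshd:account): user 'testuser1' granted access
Dec 26 14:38:07 testhost sshd[32501]: Accepted publickey for testuser1 from 192.168.1.3 port 53174 ssh2: RSA
Dec 26 14:38:07 testhost sshd[32501]: pam_unix(sshd:session): session opened for user testuser1 by (uid=0)
"""

# PAM modules log as "module(service:phase): message".
PAM_RE = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[\w-]+):"
    r"(?P<phase>auth|account|session|password)\):\s*(?P<msg>.*)"
)


def pam_phases(log_text):
    """Return {service: {phase: [(module, message), ...]}} for PAM log lines."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            seen[m["service"]][m["phase"]].append((m["module"], m["msg"]))
    return seen


def winbind_auth_gap(log_text):
    """Services where pam_winbind logged in 'account' but never in 'auth'.

    A successful login through such a service did not exercise
    pam_winbind's password path, so it says nothing about that path.
    """
    gaps = []
    for service, by_phase in pam_phases(log_text).items():
        def modules(phase):
            return {mod for mod, _ in by_phase.get(phase, [])}
        if "pam_winbind" in modules("account") and "pam_winbind" not in modules("auth"):
            gaps.append(service)
    return sorted(gaps)


if __name__ == "__main__":
    for service, by_phase in pam_phases(SAMPLE).items():
        for phase, events in by_phase.items():
            print(service, phase, events)
    print("account-only pam_winbind services:", winbind_auth_gap(SAMPLE))
```

Log lines wrapped by a mail client need to be rejoined to one event per line before they are passed to `pam_phases`.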