[Samba] Centos 7 member server login fails

Paul R. Ganci ganci at nurdog.com
Wed Dec 27 01:08:11 UTC 2017


I have a problem that is now becoming very annoying. Namely, I have a 
CentOS 7 member server running Sernet Samba 4.7.4 for which everything 
seems to work except gdm or ftp logins. On the Linux client it seems 
winbindd is set up correctly. For example (the data shown below has been 
sanitized):

 > getent passwd
testuser2:*:3001108:3000513::/home/testuser1:/bin/bash
testuser1:*:3001107:3000513::/home/testuser2:/bin/bash

 > getent group
domain admins:x:3000512:administrator
domain users:x:3000513:testuser2,testuser1,administrator,krbtgt

 > kinit Administrator
Password for Administrator@MYDC.TEST.COM:
 > klist
Ticket cache: KEYRING:persistent:3001107:3001107
Default principal: Administrator@MYDC.TEST.COM

Valid starting       Expires              Service principal
12/26/2017 14:24:36  12/27/2017 00:24:36 krbtgt/MYDC.TEST.COM@MYDC.TEST.COM
     renew until 01/02/2018 14:24:32

 >cat /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
#initgroups: files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files winbind

netgroup:   files winbind

publickey:  nisplus

automount:  files
aliases:    files nisplus

After a console or ftp login I see these errors:

 > cat /var/log/messages
Dec 26 14:31:26 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)
Dec 26 14:31:28 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)
Dec 26 14:31:30 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)

 >cat /var/log/secure
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:26 testhost gdm-password]: gkr-pam: no password is available for user
Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:28 testhost gdm-password]: gkr-pam: no password is available for user
Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:30 testhost gdm-password]: gkr-pam: no password is available for user

So you can see pam_winbind is called but there is no password for the 
user. And what is really strange is that I can log in to the member 
server via ssh using a public/private key (username/password 
authentication is turned off). After an ssh login I see this in 
/var/log/secure:

 > cat /var/log/secure
Dec 26 14:38:03 testhost sshd[32407]: pam_unix(sshd:session): session closed for user testuser1
Dec 26 14:38:07 testhost sshd[32501]: pam_winbind(sshd:account): user 'testuser1' granted access
Dec 26 14:38:07 testhost sshd[32501]: Accepted publickey for testuser1 from 192.168.1.3 port 53174 ssh2: RSA SHA256:CVb5dqn5xUPXO0iVbUyHlNuXUZeW4J6k42Kg94teayg
Dec 26 14:38:07 testhost sshd[32501]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Dec 26 14:38:07 testhost sshd[32501]: pam_unix(sshd:session): session opened for user testuser1 by (uid=0)

Logins on the DC do work properly. Plus I have 3 other member server 
Linux boxes all running SSSD which have no issues. I am pretty sure the 
issue is on the client box running winbindd. Does anyone have any 
suggestions as to how to debug this issue or what might be going wrong?

-- 
Paul (ganci at TEST.com)
Cell: (303)257-5208
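
Added example, not part of the original post: a Python triage script over a subset of the /var/log/secure lines quoted above (wrapped lines rejoined) that groups PAM messages by service and PAM management group and lists auth-group failures. The function names and the failure-keyword pattern are assumptions of this example.

```python
import re
from collections import defaultdict

# Subset of the /var/log/secure lines quoted in the post, wrapped lines rejoined.
SAMPLE = """\
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:26 testhost gdm-password]: gkr-pam: no password is available for user
Dec 26 14:38:03 testhost sshd[32407]: pam_unix(sshd:session): session closed for user testuser1
Dec 26 14:38:07 testhost sshd[32501]: pam_winbind(sshd:account): user 'testuser1' granted access
Dec 26 14:38:07 testhost sshd[32501]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Dec 26 14:38:07 testhost sshd[32501]: pam_unix(sshd:session): session opened for user testuser1 by (uid=0)
"""

# syslog prefix, then "module(service:group): message" as PAM modules log it.
PAM_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s[^:\s]+:\s"
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<group>\w+)\):\s(?P<msg>.*)$"
)
# Assumption of this example: keywords that mark a message as a failure.
FAIL_RE = re.compile(r"could not|fail|denied|error", re.I)

def parse(text):
    """Return one dict per line written by a PAM module; other lines are skipped."""
    return [m.groupdict() for m in map(PAM_RE.match, text.splitlines()) if m]

def groups_by_service(text):
    """Map service -> module -> sorted PAM management groups seen in the log."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in parse(text):
        seen[e["service"]][e["module"]].add(e["group"])
    return {s: {m: sorted(g) for m, g in mods.items()} for s, mods in seen.items()}

def auth_failures(text):
    """(service, module, message) for auth-group lines that report a failure."""
    return [(e["service"], e["module"], e["msg"]) for e in parse(text)
            if e["group"] == "auth" and FAIL_RE.search(e["msg"])]

def services_without_auth(text, module="pam_winbind"):
    """Services where `module` logged, but never in the auth group."""
    return sorted(s for s, mods in groups_by_service(text).items()
                  if module in mods and "auth" not in mods[module])

if __name__ == "__main__":
    for service, mods in groups_by_service(SAMPLE).items():
        print(service, mods)
    print("auth failures:", auth_failures(SAMPLE))
    print("pam_winbind never ran auth for:", services_without_auth(SAMPLE))
```

Because the ssh login in the post used a public key, its log lines show pam_winbind only in the account group, so they say nothing about password authentication through winbind.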


