[Samba] Centos 7 member server login fails
Rowland Penny
rpenny at samba.org
Wed Dec 27 09:39:03 UTC 2017
On Tue, 26 Dec 2017 18:08:11 -0700
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:
> I have a problem that is now becoming very annoying. Namely I have a
> Centos 7 member server running Sernet Samba 4.7.4 for which
> everything seems to work except gdm or ftp logins. On the linux
> client it seems winbindd is set up correctly. For example (the data
> shown below has been sanitized):
>
> > getent passwd
> testuser2:*:3001108:3000513::/home/testuser1:/bin/bash
> testuser1:*:3001107:3000513::/home/testuser2:/bin/bash
>
> > getent group
> domain admins:x:3000512:administrator
> domain users:x:3000513:testuser2,testuser1,administrator,krbtgt
Have you actually given your users & groups a uidNumber or gidNumber
attribute, or are you using the 'rid' backend?
>
> > kinit Administrator
> Password for Administrator at MYDC.TEST.COM:
> > klist
> Ticket cache: KEYRING:persistent:3001107:3001107
> Default principal: Administrator at MYDC.TEST.COM
This gets stranger and stranger. If you are using the 'rid' backend,
why does 'Administrator' have the 'RID' 1107? And if you aren't, why
isn't it '0:0'?
>
> Valid starting Expires Service principal
> 12/26/2017 14:24:36 12/27/2017 00:24:36
> krbtgt/MYDC.TEST.COM at MYDC.TEST.COM renew until 01/02/2018 14:24:32
>
> >cat /etc/nsswitch.conf
> passwd: files winbind
> group: files winbind
You should only have winbind on the two lines above, remove it from any
other lines.
>
> After a console or ftp login I see these errors:
>
> > cat /var/log/messages
> Dec 26 14:31:26 testhost gdm-password]: AccountsService:
> ActUserManager: user (null) has no username (uid: -1)
> Dec 26 14:31:28 testhost gdm-password]: AccountsService:
> ActUserManager: user (null) has no username (uid: -1)
> Dec 26 14:31:30 testhost gdm-password]: AccountsService:
> ActUserManager: user (null) has no username (uid: -1)
>
> >cat /var/log/secure
> Dec 26 14:31:26 testhost gdm-password]:
> pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:26 testhost gdm-password]:
> pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:26 testhost gdm-password]: gkr-pam: no password is
> available for user
> Dec 26 14:31:28 testhost gdm-password]:
> pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:28 testhost gdm-password]:
> pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:28 testhost gdm-password]: gkr-pam: no password is
> available for user
> Dec 26 14:31:30 testhost gdm-password]:
> pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:30 testhost gdm-password]:
> pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:30 testhost gdm-password]: gkr-pam: no password is
> available for user
Winbind cannot find your user.
>
> So you can see pam_winbind is called but there is no password for the
> user. And what is really strange is that I can login to the member
> server via ssh using a public/private key (username/password
> authentication is turned off). After an ssh login I see this in
> /var/log/secure:
This will work because Kerberos is used instead of winbind.
>
> Logins on the DC do work properly. Plus I have 3 other member server
> linux boxes all running SSSD which have no issues. I am pretty sure
> the issue is on the client box running winbindd. Does anyone have any
> suggestions as to how to debug this issue or what might be going
> wrong?
You have purged sssd, haven't you?
It interferes with winbind, at least it did when I tested winbind on a
CentOS 7 VM; removing sssd fixed everything.
Rowland
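
Added example, not part of the original message or of Samba: a small shell check for the two nsswitch.conf points raised in the reply above (winbind only on the passwd and group lines, and no sssd left configured beside it). The function name check_nsswitch, the finding strings and the sample file are constructed for illustration; the "winbind missing" check is an added assumption that a winbind member server wants winbind on both of those lines.

```shell
#!/bin/sh
# check_nsswitch FILE  (hypothetical helper, not a Samba tool)
# Prints one finding per line; prints nothing when the file looks clean.
check_nsswitch() {
    awk '
    {
        sub(/#.*/, "")                       # strip comments
        idx = index($0, ":")
        if (idx == 0) next                   # not a "database: sources" line
        db = substr($0, 1, idx - 1)
        gsub(/[ \t]/, "", db)
        n = split(substr($0, idx + 1), src, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (src[i] == "winbind") {
                has[db] = 1
                if (db != "passwd" && db != "group")
                    print "winbind on unexpected database: " db
            }
            if (src[i] == "sss")             # sssd source still configured
                print "sss still listed on database: " db
        }
    }
    END {
        # Assumption: a winbind member server needs winbind on both lines.
        if (!has["passwd"]) print "winbind missing from passwd"
        if (!has["group"])  print "winbind missing from group"
    }' "$1"
}

# Constructed sample file (not the poster's): winbind has leaked onto
# shadow, and sss entries were left behind on passwd and services.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:     files sss winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns   # no winbind wanted here
services:   files sss
EOF
check_nsswitch "$sample"
rm -f "$sample"
```

On the real host, run it as `check_nsswitch /etc/nsswitch.conf`.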