[Samba] Centos 7 member server login fails

Rowland Penny rpenny at samba.org
Wed Dec 27 09:39:03 UTC 2017 

On Tue, 26 Dec 2017 18:08:11 -0700
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:

> I have a problem that is now becoming very annoying. Namely I have a 
> Centos 7 member server running Sernet Samba 4.7.4 for which
> everything seems to work except gdm or ftp logins. On the linux
> client it seems winbindd is set up correctly. For example (the data
> shown below has been sanitized):
> 
>  > getent passwd
> testuser2:*:3001108:3000513::/home/testuser1:/bin/bash
> testuser1:*:3001107:3000513::/home/testuser2:/bin/bash
> 
>  > getent group
> domain admins:x:3000512:administrator
> domain users:x:3000513:testuser2,testuser1,administrator,krbtgt

Have you actually given your users & groups a uidNumber or gidNumber
attribute, or are you using the 'rid' backend

> 
>  > kinit Administrator
> Password for Administrator at MYDC.TEST.COM:
>  > klist
> Ticket cache: KEYRING:persistent:3001107:3001107
> Default principal: Administrator at MYDC.TEST.COM

This gets stranger and stranger, if you are using the 'rid' backend,
why does 'Administrator' have the 'RID' 1107 ? and if you aren't, why
isn't it '0:0' ?

> 
> Valid starting       Expires              Service principal
> 12/26/2017 14:24:36  12/27/2017 00:24:36
> krbtgt/MYDC.TEST.COM at MYDC.TEST.COM renew until 01/02/2018 14:24:32
> 
>  >cat /etc/nsswitch.conf
> passwd:     files winbind
> group:      files winbind

You should only have winbind on the two lines above, remove it from any
other lines.

> 
> After a console or ftp login I see these errors:
> 
>  > cat /var/log/messages
> Dec 26 14:31:26 testhost gdm-password]: AccountsService:
> ActUserManager: user (null) has no username (uid: -1)
> Dec 26 14:31:28 testhost gdm-password]: AccountsService:
> ActUserManager: user (null) has no username (uid: -1)
> Dec 26 14:31:30 testhost gdm-password]: AccountsService:
> ActUserManager: user (null) has no username (uid: -1)
> 
>  >cat /var/log/secure
> Dec 26 14:31:26 testhost gdm-password]:
> pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:26 testhost gdm-password]:
> pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:26 testhost gdm-password]: gkr-pam: no password is 
> available for user
> Dec 26 14:31:28 testhost gdm-password]:
> pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:28 testhost gdm-password]:
> pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:28 testhost gdm-password]: gkr-pam: no password is 
> available for user
> Dec 26 14:31:30 testhost gdm-password]:
> pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:30 testhost gdm-password]:
> pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:30 testhost gdm-password]: gkr-pam: no password is 
> available for user

Winbind cannot find your user

> 
> So you can see pam_winbind is called but there is no password for the 
> user. And what is really strange is that I can login to the member 
> server via ssh using a public/private key (username/password 
> authentication is turned off). After an ssh login I see this in 
> /var/log/secure:

This will work because kerberos is used instead of winbind.

> 
> Logins on the DC do work properly. Plus I have 3 other member server 
> linux boxes all running SSSD which have no issues. I am pretty sure
> the issue is on the client box running winbindd. Does anyone have any 
> suggestions as to how to debug this issue or what might be going
> wrong?

You have purged sssd haven't you ?
It interfers with winbind, at least it did when I tested winbind on a
centos 7 VM, removing sssd fixed everything.

Rowland

More information about the samba mailing list