Thanks Rick, setting my template shell to /bin/bash and restarting winbind
fixed the problem, but the setup leaves me with a few questions:

1. template shell = /bin/bash leaves every domain user with the ability to
   log onto the workstation. This is fine for my case, but out of curiosity,
   is there a way to only set certain domain users to have a real shell?
   Normally I would edit /etc/passwd, but domain users do not appear there.

2. I could only get this working after shutting down nscd completely and
   keeping it off. Is there a workaround to this? Is this a known problem?

3. system-config-authentication didn't work at all. Granted, it edited
   smb.conf and krb5.conf mostly right, but it did not generate the Kerberos
   ticket, join the domain, set the correct template shell (why would an
   option to allow winbind logins set the template shell to /bin/false?), or
   resolve the issue with nscd, which I've heard in other places before. It
   seems to me Fedora's winbind authentication support has been misconfigured
   for many releases now. Who do I talk to about this?! :)

On Mon, 2009-07-06 at 10:58 -0700, Rick Stevens wrote:
> Christopher Thielen wrote:
> > Hi folks,
> >
> > Running Fedora 11, Samba 3.3.2, all the patches applied, selinux
> > disabled. I've joined my computer to a Windows 2003 directory, getent
> > passwd, wbinfo -u, -g, -t all work fine, but when I try to log in (gdm,
> > ssh, etc.) with a domain user, the session closes immediately.
> > According to /var/log/secure, it detects good and bad passwords, but
> > upon receiving the correct password, /var/log/secure shows a "session
> > opened for user" but that's the last line - nothing about the session
> > closing, though it does.
> >
> > Here's a complete date with /var/log/secure when I try to log in via
> > SSH using a winbind account:
> >
> > Jul 6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=cmthielen
> > Jul 6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): getting password (0x00000210)
> > Jul 6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): pam_get_item returned a password
> > Jul 6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): user 'cmthielen' granted access
> > Jul 6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:account): user 'cmthielen' granted access
> > Jul 6 10:31:35 history-20 sshd[3189]: Accepted password for cmthielen from 127.0.0.1 port 55696 ssh2
> > Jul 6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:session): session opened for user cmthielen by (uid=0)
> >
> >
> > Any idea why the session closes immediately? A Debian user following a
> > Ubuntu wiki guide had a similar problem and did not detail his solution,
> > though he said it had to do with the syntax of his pam files.
> >
> > Here are the relevant files:
> >
> > smb.conf:
> >
> > #======================= Global Settings =====================================
> >
> > [global]
> > #--authconfig--start-line--
> >
> > # Generated by authconfig on 2009/07/06 09:15:29
> > # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> > # Any modification may be deleted or altered by authconfig in future
> >
> > workgroup = A.WORKGROUP # "censored"
> > password server = 555.555.555.555 # "censored"
> > realm = THE.REALM # "censored"
> > security = ads
> > idmap uid = 16777216-33554431
> > idmap gid = 16777216-33554431
> > template shell = /bin/false
> > winbind use default domain = true
> > winbind offline logon = true
> > winbind enum users = true
> > winbind enum groups = true
> >
> > #--authconfig--end-line--
> >
> > ; workgroup = MYGROUP
> > server string = Samba Server Version %v
> >
> > ; netbios name = MYSERVER
> >
> > ; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
> > ; hosts allow = 127. 192.168.12. 192.168.13.
> >
> > # logs split per machine
> > log file = /var/log/samba/log.%m
> > # max 50KB per log file, then rotate
> > max log size = 50
> >
> > ; security = user
> > passdb backend = tdbsam
> >
> > ; security = domain
> > ; passdb backend = tdbsam
> > ; realm = MY_REALM
> >
> > ; password server = <NT-Server-Name>
> >
> > ; security = user
> > ; passdb backend = tdbsam
> >
> > ; domain master = yes
> > ; domain logons = yes
> >
> > # the login script name depends on the machine name
> > ; logon script = %m.bat
> > # the login script name depends on the unix user used
> > ; logon script = %u.bat
> > ; logon path = \\%L\Profiles\%u
> > # disables profiles support by specifying an empty path
> > ; logon path =
> >
> > ; add user script = /usr/sbin/useradd "%u" -n -g users
> > ; add group script = /usr/sbin/groupadd "%g"
> > ; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
> > ; delete user script = /usr/sbin/userdel "%u"
> > ; delete user from group script = /usr/sbin/userdel "%u" "%g"
> > ; delete group script = /usr/sbin/groupdel "%g"
> >
> > ; local master = no
> > ; os level = 33
> > ; preferred master = yes
> >
> > ; wins support = yes
> > ; wins server = w.x.y.z
> > ; wins proxy = yes
> >
> > ; dns proxy = yes
> >
> > load printers = yes
> > cups options = raw
> >
> > ; printcap name = /etc/printcap
> > #obtain list of printers automatically on SystemV
> > ; printcap name = lpstat
> > ; printing = cups
> >
> > ; map archive = no
> > ; map hidden = no
> > ; map read only = no
> > ; map system = no
> > ; store dos attributes = yes
> >
> > #============================ Share Definitions ==============================
> >
> > [homes]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> > ; valid users = %S
> > ; valid users = MYDOMAIN\%S
> >
> > [printers]
> > comment = All Printers
> > path = /var/spool/samba
> > browseable = no
> > guest ok = no
> > writable = no
> > printable = yes
> >
> > # Un-comment the following and create the netlogon directory for Domain Logons
> > ; [netlogon]
> > ; comment = Network Logon Service
> > ; path = /var/lib/samba/netlogon
> > ; guest ok = yes
> > ; writable = no
> > ; share modes = no
> >
> > # Un-comment the following to provide a specific roving profile share
> > # the default is to use the user's home directory
> > ; [Profiles]
> > ; path = /var/lib/samba/profiles
> > ; browseable = no
> > ; guest ok = yes
> >
> > =========================================================================
> >
> > /etc/pam.d/system-auth-ac:
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_winbind.so cached_login use_first_pass
> > auth required pam_deny.so
> >
> > account required pam_unix.so broken_shadow
> > account sufficient pam_localuser.so
> > account sufficient pam_succeed_if.so uid < 500 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
> > account required pam_permit.so
> >
> > password requisite pam_cracklib.so try_first_pass retry=3
> > password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> > password sufficient pam_winbind.so cached_login use_authtok
> > password required pam_deny.so
> >
> > session optional pam_keyinit.so revoke
> > session required pam_limits.so
> > session optional pam_mkhomedir.so
> > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session required pam_unix.so
> >
> > ==============================================
> > /etc/pam.d/sshd # because the /var/log/secure above is an attempt to log
> > in via sshd though I don't think sshd is specifically the problem (exact
> > same behavior with gdm)
> > #%PAM-1.0
> > auth required pam_sepermit.so
> > auth include system-auth
> > account required pam_nologin.so
> > account include system-auth
> > password include system-auth
> > # pam_selinux.so close should be the first session rule
> > session required pam_selinux.so close
> > session required pam_loginuid.so
> > # pam_selinux.so open should only be followed by sessions to be executed in the user context
> > session required pam_selinux.so open env_params
> > session optional pam_keyinit.so force revoke
> > session include system-auth
>
> Uh, uhm, in the "getent passwd" entry for the user you're trying to
> authenticate as ("cmthielen"), does it have a valid shell? Your
> template is /bin/false, which would close the session straight away.
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer ricks@xxxxxxxx -
> - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
> - -
> - "Men occasionally stumble over the truth, but most of them pick" -
> - themselves up and hurry off as if nothing had happened." -
> - -- Winston Churchill -
> ----------------------------------------------------------------------

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
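Rick's diagnosis (the winbind template shell of /bin/false ends the session as soon as it opens) and question 1 above (after switching the template to /bin/bash, every domain user can log on) both come down to one check: which entries in the NSS passwd database have an interactive shell. The script below is an added example, not code from this thread or from Samba or Fedora. It parses "getent passwd" output and classifies each account as local or domain, using the idmap uid range 16777216-33554431 from the smb.conf quoted above, and as login or nologin by its shell. The sample input is constructed; the account names jdoe and svc-backup are invented for illustration.

```shell
#!/bin/sh
# Added example: audit which passwd entries can actually open a session.
# A UID inside the winbind "idmap uid" range from the smb.conf above means
# the account was mapped from the domain rather than created in /etc/passwd.
IDMAP_LOW=16777216
IDMAP_HIGH=33554431

# Shells that end a session immediately (the symptom reported on the list).
# Extend the list if the host uses other non-login shells.
is_nologin_shell() {
    case "$1" in
        ""|/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Read passwd-format lines on stdin and print one line per account:
#   <user> <uid> <shell> <domain|local>-<login|nologin>
audit_shells() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        if [ -z "$user" ]; then continue; fi
        if [ "$uid" -ge "$IDMAP_LOW" ] && [ "$uid" -le "$IDMAP_HIGH" ]; then
            scope=domain
        else
            scope=local
        fi
        if is_nologin_shell "$shell"; then
            verdict=nologin
        else
            verdict=login
        fi
        printf '%s %s %s %s-%s\n' "$user" "$uid" "$shell" "$scope" "$verdict"
    done
}

# Number of domain accounts with an interactive shell, i.e. the set of AD
# users who can currently log on to this workstation. grep -c exits 1 when
# the count is 0, so the status is masked to keep "set -e" callers happy.
count_domain_logins() {
    printf '%s\n' "$1" | audit_shells | grep -c ' domain-login$' || true
}

# Constructed sample in "getent passwd" format; not output from the thread.
# cmthielen reflects the original "template shell = /bin/false" state.
SAMPLE='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
cmthielen:*:16777216:16777216:Christopher Thielen:/home/cmthielen:/bin/false
jdoe:*:16777217:16777216:Jane Doe:/home/jdoe:/bin/bash
svc-backup:*:16777300:16777216:Backup Service:/home/svc-backup:/bin/bash'

# On a real host replace the sample with:  getent passwd | audit_shells
printf '%s\n' "$SAMPLE" | audit_shells
printf 'domain accounts with a login shell: %s\n' "$(count_domain_logins "$SAMPLE")"
```

Run against a live host, a "domain-login" count equal to the number of enumerated domain users is exactly the situation question 1 describes: the template shell is global, so every mapped user gets it. The usual ways to narrow that set without touching /etc/passwd are a rule in the PAM account stack (for example pam_succeed_if.so with "user ingroup" naming a specific domain group, or pam_listfile.so with an allow list) or, with Samba's idmap_ad backend and "winbind nss info = rfc2307", taking each user's loginShell from the directory so that only selected accounts get a real shell.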