On 7/15/09 9:29 AM, "Landon M. Kelsey, III" <landonmkelsey@xxxxxxxxxxx> wrote:

> What is the best starter documentation on pam?
> Save me a web search!
>
> -----Original Message-----
> From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On
> Behalf Of Terry
> Sent: Wednesday, July 15, 2009 10:49 AM
> To: pam-list@xxxxxxxxxx
> Subject: pam/winbind user not found problem
>
> Hello,
>
> Sorry for the generic subject. I am not sure how to classify the
> problem more accurately.
>
> I am running pam-0.99.6.2-4.el5 on RHEL 5.3. I have an application
> that uses pam. Out of the box, it has this configuration file in
> /etc/pam.d:
> #%PAM-1.0
> auth include system-auth
> account include system-auth
> password include system-auth
>
> My system auth contains this:
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_winbind.so use_first_pass
> auth required pam_deny.so
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account required pam_permit.so
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_winbind.so use_authtok
> password required pam_deny.so
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session required pam_mkhomedir.so skel=/etc/skel umask=077
>
> SSH authentication with active directory accounts works just fine.
> The usernames are formatted as DOMAIN+username. However, they do not
> work with this application for some reason. The developer claims that
> the formatting shouldn't be a problem with their app so I am double
> checking here. When I try to auth with the application, I get this
> in /var/log/secure:
>
> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth): check pass; user unknown
> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_succeed_if(dssystem:auth): error retrieving information about user DOMAIN+username
>
> Just to prove I can see that user, here is a 'getent passwd':
> DOMAIN+username:*:15000:15019:User Name:/home/DOMAIN/username:/bin/bash
>
> Any ideas?
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list

You haven't got nscd running have you? If you do, turn it off. It causes
weird auth issues with Winbind.

--
Gary L. Greene, Jr.
==========================================================================
Developer and Project Lead for the AltimatOS open source project
Volunteer Developer for the KDE open source project
See http://www.altimatos.com/ and http://www.kde.org/ for more information
==========================================================================

Please avoid sending me Word or PowerPoint attachments.
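
An added example, not part of the thread and not any poster's code: a simplified Python model of the `required` / `requisite` / `sufficient` control flags, run over the `auth` stack quoted above. It shows that once `pam_succeed_if.so` fails on a `requisite` line, the stack stops before `pam_winbind.so` is called. The outcome tables are constructed from the /var/log/secure lines in the post; the `pam_winbind.so` success is an assumption.

```python
# Simplified model of Linux-PAM control flags (required/requisite/sufficient only).
AUTH_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
"""

def parse_stack(text, mtype="auth"):
    """Return [(control, module)] for the lines of one management type."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == mtype:
            entries.append((fields[1], fields[2]))
    return entries

def evaluate(entries, outcomes):
    """Walk the stack. outcomes maps module -> True (success) or False (failure).
    Returns (granted, modules_called)."""
    called, failed_required = [], False
    for control, module in entries:
        called.append(module)
        ok = outcomes[module]
        if control == "requisite" and not ok:
            return False, called          # fail and stop: later modules never run
        if control == "required" and not ok:
            failed_required = True        # remember the failure, keep walking
        if control == "sufficient" and ok and not failed_required:
            return True, called           # succeed and stop
    return not failed_required, called

# Constructed from the log in the post: pam_unix says "user unknown",
# pam_succeed_if cannot retrieve the user. pam_winbind=True is an assumption.
LOGGED = {"pam_env.so": True, "pam_unix.so": False, "pam_succeed_if.so": False,
          "pam_winbind.so": True, "pam_deny.so": False}
# Same request if the user lookup inside the application had succeeded.
RESOLVED = dict(LOGGED, **{"pam_succeed_if.so": True})

if __name__ == "__main__":
    stack = parse_stack(AUTH_STACK)
    for name, outcomes in (("as logged", LOGGED), ("lookup works", RESOLVED)):
        granted, called = evaluate(stack, outcomes)
        print(f"{name}: granted={granted}, called={called}")
```
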