On Wed, Jul 15, 2009 at 12:04 PM, Terry <td3201@xxxxxxxxx> wrote:
> On Wed, Jul 15, 2009 at 12:01 PM, Gary Greene <greeneg@xxxxxxxxxxxxxx> wrote:
>> On 7/15/09 9:29 AM, "Landon M. Kelsey, III" <landonmkelsey@xxxxxxxxxxx> wrote:
>>> What is the best starter documentation on pam?
>>> Save me a web search!
>>>
>>> -----Original Message-----
>>> From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Terry
>>> Sent: Wednesday, July 15, 2009 10:49 AM
>>> To: pam-list@xxxxxxxxxx
>>> Subject: pam/winbind user not found problem
>>>
>>> Hello,
>>>
>>> Sorry for the generic subject. I am not sure how to classify the
>>> problem more accurately.
>>>
>>> I am running pam-0.99.6.2-4.el5 on RHEL 5.3. I have an application
>>> that uses pam. Out of the box, it has this configuration file in
>>> /etc/pam.d:
>>>
>>> #%PAM-1.0
>>> auth       include   system-auth
>>> account    include   system-auth
>>> password   include   system-auth
>>>
>>> My system-auth contains this:
>>>
>>> auth       required      pam_env.so
>>> auth       sufficient    pam_unix.so nullok try_first_pass
>>> auth       requisite     pam_succeed_if.so uid >= 500 quiet
>>> auth       sufficient    pam_winbind.so use_first_pass
>>> auth       required      pam_deny.so
>>> account    required      pam_unix.so broken_shadow
>>> account    sufficient    pam_localuser.so
>>> account    sufficient    pam_succeed_if.so uid < 500 quiet
>>> account    [default=bad success=ok user_unknown=ignore] pam_winbind.so
>>> account    required      pam_permit.so
>>> password   requisite     pam_cracklib.so try_first_pass retry=3
>>> password   sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>> password   sufficient    pam_winbind.so use_authtok
>>> password   required      pam_deny.so
>>> session    optional      pam_keyinit.so revoke
>>> session    required      pam_limits.so
>>> session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>> session    required      pam_unix.so
>>> session    required      pam_mkhomedir.so skel=/etc/skel umask=077
>>>
>>> SSH authentication with active directory accounts works just fine.
>>> The usernames are formatted as DOMAIN+username. However, they do not
>>> work with this application for some reason. The developer claims that
>>> the formatting shouldn't be a problem with their app so I am double
>>> checking here. When I try to auth with the application, I get this
>>> in /var/log/secure:
>>>
>>> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth): check pass; user unknown
>>> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>>> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_succeed_if(dssystem:auth): error retrieving information about user DOMAIN+username
>>>
>>> Just to prove I can see that user, here is a 'getent passwd':
>>>
>>> DOMAIN+username:*:15000:15019:User Name:/home/DOMAIN/username:/bin/bash
>>>
>>> Any ideas?
>>>
>>> _______________________________________________
>>> Pam-list mailing list
>>> Pam-list@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/pam-list
>>
>> You haven't got nscd running have you? If you do, turn it off. It causes
>> weird auth issues with Winbind.
>
> Thanks for the response. No, I disable it.

I think I found the issue. It was giving the users because of this:

auth       requisite     pam_succeed_if.so uid >= 500 quiet

I am not sure why either. This should allow the conversation to continue
if the uid is greater than or equal to 500? Well, this user in question
has a uid of 15000. I'm reviewing the docs just to see what I am missing.
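The thread turns on why that requisite pam_succeed_if line ends the auth stack for this application even though the user's uid is 15000. The simulator below is an added example, not code from the thread or from Linux-PAM: it walks the posted system-auth auth and account stacks with the control-flag semantics documented in pam.conf(5) (required, requisite, sufficient and the bracketed [code=action] form). Module results are hand-constructed scenarios rather than real module calls; the labelled assumption is that a module which cannot look the user up returns user_unknown, which is what pam_succeed_if's "error retrieving information about user" and pam_unix's "check pass; user unknown" messages in the quoted log report.

```python
"""libpam control-flag walk over the system-auth stack quoted in the thread.

Added illustration, not code from the thread or from Linux-PAM. Module
outcomes are constructed scenarios. Assumed: pam_succeed_if and pam_unix
return user_unknown when the user lookup fails (the quoted log lines);
keyword expansions are the ones documented in pam.conf(5).
"""

# The auth and account stacks exactly as posted (include lines left out).
SYSTEM_AUTH = """
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     requisite  pam_succeed_if.so uid >= 500 quiet
auth     sufficient pam_winbind.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so broken_shadow
account  sufficient pam_localuser.so
account  sufficient pam_succeed_if.so uid < 500 quiet
account  [default=bad success=ok user_unknown=ignore] pam_winbind.so
account  required   pam_permit.so
"""

SIMPLE_CONTROLS = {  # pam.conf(5) equivalents of the keyword controls
    "required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional": "[success=ok new_authtok_reqd=ok default=ignore]",
}
MUST_FAIL = "perm_denied"  # libpam's PAM_MUST_FAIL_CODE is PAM_PERM_DENIED


def parse_stack(text, mgmt_type):
    """Return [(module, {return_code: action})] for one management group."""
    entries = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or fields[0] != mgmt_type:
            continue
        if fields[1].startswith("["):  # explicit [code=action ...] control
            end = next(k for k, f in enumerate(fields) if f.endswith("]"))
            control, module = " ".join(fields[1:end + 1]), fields[end + 1]
        else:
            control, module = SIMPLE_CONTROLS[fields[1]], fields[2]
        actions = {}
        for token in control.strip("[]").split():
            code, action = token.split("=", 1)
            actions[code] = int(action) if action.isdigit() else action
        entries.append((module, actions))
    return entries


def run_stack(entries, outcomes):
    """Walk one stack the way libpam's dispatcher does.

    outcomes: module name -> return code name. Returns (status, modules called).
    impression: None = undecided, True = passing so far, False = failed.
    """
    impression, status, called, i = None, MUST_FAIL, [], 0
    while i < len(entries):
        module, actions = entries[i]
        i += 1
        retval = outcomes[module]
        called.append(module)
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if impression is not False:  # the first failure's code is kept
                impression, status = False, retval
            if action == "die":          # requisite: stop here, no more modules
                break
        elif action == "reset":
            impression, status = None, MUST_FAIL
        else:                            # ok, done, or a numeric jump
            if impression is None or (impression and status == "success"):
                if retval != "ignore":
                    impression, status = True, retval
                if action == "done":     # sufficient returns now, but only if
                    break                # no required module failed earlier
            if isinstance(action, int):
                i += action              # skip the next N modules
    return (MUST_FAIL if impression is None else status), called


AUTH = parse_stack(SYSTEM_AUTH, "auth")
ACCOUNT = parse_stack(SYSTEM_AUTH, "account")


def app_scenario():
    """Constructed to match the DS-System log: inside the app's process the
    name lookup fails, so the requisite entry dies before pam_winbind runs."""
    return run_stack(AUTH, {"pam_env.so": "success", "pam_unix.so": "user_unknown",
                            "pam_succeed_if.so": "user_unknown",
                            "pam_winbind.so": "success", "pam_deny.so": "auth_err"})


def ssh_scenario():
    """Constructed to match the working sshd login: NSS returns uid 15000,
    the uid >= 500 test passes and pam_winbind gets to authenticate."""
    return run_stack(AUTH, {"pam_env.so": "success", "pam_unix.so": "auth_err",
                            "pam_succeed_if.so": "success",
                            "pam_winbind.so": "success", "pam_deny.so": "auth_err"})


def account_scenario(winbind_result):
    """Constructed: uid >= 500 user absent from /etc/passwd; shows what the
    [default=bad success=ok user_unknown=ignore] control does with winbind."""
    return run_stack(ACCOUNT, {"pam_unix.so": "success", "pam_localuser.so": "perm_denied",
                               "pam_succeed_if.so": "auth_err",
                               "pam_winbind.so": winbind_result,
                               "pam_permit.so": "success"})[0]


if __name__ == "__main__":
    print("application:", app_scenario())
    print("sshd:", ssh_scenario())
    for r in ("user_unknown", "perm_denied"):
        print("account with winbind ->", r, ":", account_scenario(r))
```

The walk shows the point the poster is circling: the uid >= 500 comparison never ran. pam_succeed_if has to resolve the user first, and when that lookup fails it returns user_unknown; under requisite that is mapped to die, so the stack stops with that code and pam_winbind is never consulted, which is consistent with the three log lines all coming from pam_unix and pam_succeed_if. The working sshd login differs only in that the lookup succeeds in that process. The thread does not establish why the lookup fails only under the application, so the practical check is to run the same getent passwd DOMAIN+username lookup in the application's own environment (same user, environment and root, not an interactive shell) rather than to change the control flag; relaxing requisite would only let a failing lookup fall through to pam_deny.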