Christopher Thielen wrote:
Hi folks,
Running Fedora 11, Samba 3.3.2, all the patches applied, selinux
disabled. I've joined my computer to a Windows 2003 directory, getent
passwd, wbinfo -u, -g, -t all work fine, but when I try to log in (gdm,
ssh, etc.) with a domain user, the session closes immediately.
According to /var/log/secure, it detects good and bad passwords, but
upon receiving the correct password, /var/log/secure shows a "session
opened for user" but that's the last line - nothing about the session
closing, though it does.
Here's a complete date with /var/log/secure when I try to log in via
SSH using a winbind account:
Jul 6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=cmthielen
Jul 6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): getting password (0x00000210)
Jul 6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): pam_get_item returned a password
Jul 6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): user 'cmthielen' granted access
Jul 6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:account): user 'cmthielen' granted access
Jul 6 10:31:35 history-20 sshd[3189]: Accepted password for cmthielen from 127.0.0.1 port 55696 ssh2
Jul 6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:session): session opened for user cmthielen by (uid=0)
Any idea why the session closes immediately? A Debian user following a
Ubuntu wiki guide had a similar problem and did not detail his solution,
though he said it had to do with the syntax of his pam files. Here are
the relevant files:
smb.conf:
#======================= Global Settings =====================================
[global]
#--authconfig--start-line--
# Generated by authconfig on 2009/07/06 09:15:29
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = A.WORKGROUP # "censored"
password server = 555.555.555.555 # "censored"
realm = THE.REALM # "censored"
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = true
winbind offline logon = true
winbind enum users = true
winbind enum groups = true
#--authconfig--end-line--
; workgroup = MYGROUP
server string = Samba Server Version %v
; netbios name = MYSERVER
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
; security = user
passdb backend = tdbsam
; security = domain
; passdb backend = tdbsam
; realm = MY_REALM
; password server = <NT-Server-Name>
; security = user
; passdb backend = tdbsam
; domain master = yes
; domain logons = yes
# the login script name depends on the machine name
; logon script = %m.bat
# the login script name depends on the unix user used
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# disables profiles support by specifing an empty path
; logon path =
; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"
; local master = no
; os level = 33
; preferred master = yes
; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
; dns proxy = yes
load printers = yes
cups options = raw
; printcap name = /etc/printcap
#obtain list of printers automatically on SystemV
; printcap name = lpstat
; printing = cups
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes
=========================================================================
/etc/pam.d/system-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
==============================================
/etc/pam.d/sshd # because the /var/log/secure above is an attempt to log in via sshd, though I don't think sshd is specifically the problem (exact same behavior with gdm)
#%PAM-1.0
auth required pam_sepermit.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include system-auth
Uh, uhm, in the "getent passwd" entry for the user you're trying to
authenticate as ("cmthielen"), does it have a valid shell? Your
template is /bin/false, which would close the session straight away.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks@xxxxxxxx -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- "Men occasionally stumble over the truth, but most of them pick" -
- themselves up and hurry off as if nothing had happened." -
- -- Winston Churchill -
----------------------------------------------------------------------
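A quick way to confirm the diagnosis above: pull the winbind user's passwd entry and check whether its shell is a real login shell or one of the "deny" shells. This is an added example, not code from either poster; the passwd entry and the shells list are constructed sample data standing in for `getent passwd cmthielen` and /etc/shells, and the `live_check` function runs the same test against the real system.

```shell
#!/bin/sh
# Constructed sample data: what "getent passwd cmthielen" would return with
# "template shell = /bin/false" in smb.conf, plus a typical /etc/shells.
SAMPLE_ENTRY='cmthielen:*:16777216:16777216:Christopher Thielen:/home/cmthielen:/bin/false'
SAMPLE_SHELLS='/bin/sh
/bin/bash
/sbin/nologin'

# shell_of ENTRY -> prints the 7th colon-separated field (the login shell)
shell_of() {
    printf '%s\n' "$1" | cut -d: -f7
}

# shell_ok SHELL SHELLS_LIST -> exit 0 only if SHELL is a usable login shell:
# it must not be a known deny shell and must be listed in the shells file.
shell_ok() {
    login_shell="$1"
    case "$login_shell" in
        ''|/bin/false|/sbin/nologin|/usr/sbin/nologin) return 1 ;;
    esac
    printf '%s\n' "$2" | grep -qxF -- "$login_shell"
}

# diagnose ENTRY SHELLS_LIST -> prints a verdict; exit 1 when the shell
# would make every session exit right after "session opened for user".
diagnose() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    login_shell=$(shell_of "$1")
    if shell_ok "$login_shell" "$2"; then
        printf 'OK: %s has login shell %s\n' "$user" "$login_shell"
        return 0
    fi
    printf 'PROBLEM: %s has shell "%s"; sessions will close immediately.\n' \
        "$user" "$login_shell"
    printf 'Fix: set "template shell = /bin/bash" in smb.conf and restart winbind.\n'
    return 1
}

# live_check USER -> run the same test against the real winbind/NSS setup
live_check() {
    entry=$(getent passwd "$1") || { echo "no passwd entry for $1"; return 2; }
    diagnose "$entry" "$(cat /etc/shells)"
}

# Demonstration on the constructed entry (reports the PROBLEM case)
diagnose "$SAMPLE_ENTRY" "$SAMPLE_SHELLS" || :
```

Run `live_check cmthielen` on the affected box; after changing `template shell` and restarting winbind, the same call should report OK.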
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines