Session closes immediately (pam + winbind)

Christopher Thielen cmthielen at ucdavis.edu
Mon Jul 6 17:40:33 UTC 2009


Hi folks,
	Running Fedora 11, Samba 3.3.2, all the patches applied, selinux
disabled. I've joined my computer to a Windows 2003 directory, getent
passwd, wbinfo -u, -g, -t all work fine, but when I try to log in (gdm,
ssh, etc.) with a domain user, the session closes immediately.
	According to /var/log/secure, good and bad passwords are detected correctly, but
after the correct password is accepted, /var/log/secure shows "session
opened for user" and that is the last line - nothing about the session
closing, though it does.
	Here is the complete /var/log/secure output from an attempt to log in via
SSH using a winbind account:

Jul  6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=localhost.localdomain  user=cmthielen
Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): getting
password (0x00000210)
Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth):
pam_get_item returned a password
Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): user
'cmthielen' granted access
Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:account): user
'cmthielen' granted access
Jul  6 10:31:35 history-20 sshd[3189]: Accepted password for cmthielen
from 127.0.0.1 port 55696 ssh2
Jul  6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:session): session
opened for user cmthielen by (uid=0)


	Any idea why the session closes immediately? A Debian user following an
Ubuntu wiki guide had a similar problem and did not detail his solution,
though he said it had to do with the syntax of his pam files. Here are
the relevant files:

smb.conf:

#======================= Global Settings
=====================================
	
[global]
#--authconfig--start-line--

# Generated by authconfig on 2009/07/06 09:15:29
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = A.WORKGROUP # "censored"
   password server = 555.555.555.555 # "censored"
   realm = THE.REALM # "censored"
   security = ads
   # uid/gid range that winbind hands out to domain accounts; local
   # accounts stay below it
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   # NOTE(review): this is the login shell winbind reports for domain users.
   # With /bin/false an interactive login exits the moment the session is
   # opened, which matches the /var/log/secure trace above (pam_unix session
   # opened, no PAM session error afterwards). Check the shell reported by
   # `getent passwd <domain-user>` and set an interactive shell (e.g.
   # /bin/bash) if domain users are meant to log in via ssh/gdm.
   template shell = /bin/false
   # domain users appear without a DOMAIN\ prefix (the log shows a plain
   # 'cmthielen')
   winbind use default domain = true
   # NOTE(review): offline logon keeps a local credential cache on this host
   # so domain users can authenticate while the DC is unreachable; treat that
   # cache as sensitive, root-only data. It pairs with the cached_login
   # option on pam_winbind in the PAM stack below.
   winbind offline logon = true
   winbind enum users = true
   winbind enum groups = true

#--authconfig--end-line--
	
;	workgroup = MYGROUP
	server string = Samba Server Version %v
	
;	netbios name = MYSERVER
	
;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 
;	hosts allow = 127. 192.168.12. 192.168.13.
	
	
	# logs split per machine
	log file = /var/log/samba/log.%m
	# max 50KB per log file, then rotate
	max log size = 50
	

;	security = user
	passdb backend = tdbsam

;	security = domain
;	passdb backend = tdbsam
;	realm = MY_REALM

;	password server = <NT-Server-Name>

;	security = user
;	passdb backend = tdbsam
	
;	domain master = yes 
;	domain logons = yes
	
	# the login script name depends on the machine name
;	logon script = %m.bat
	# the login script name depends on the unix user used
;	logon script = %u.bat
;	logon path = \\%L\Profiles\%u
	# disables profiles support by specifying an empty path
;	logon path =          
	
;	add user script = /usr/sbin/useradd "%u" -n -g users
;	add group script = /usr/sbin/groupadd "%g"
;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M
-d /nohome -s /bin/false "%u"
;	delete user script = /usr/sbin/userdel "%u"
;	delete user from group script = /usr/sbin/userdel "%u" "%g"
;	delete group script = /usr/sbin/groupdel "%g"
	
	
;	local master = no
;	os level = 33
;	preferred master = yes
	
	
;	wins support = yes
;	wins server = w.x.y.z
;	wins proxy = yes
	
;	dns proxy = yes
	
	
	load printers = yes
	cups options = raw

;	printcap name = /etc/printcap
	#obtain list of printers automatically on SystemV
;	printcap name = lpstat
;	printing = cups


;	map archive = no
;	map hidden = no
;	map read only = no
;	map system = no
;	store dos attributes = yes


#============================ Share Definitions
==============================
	
[homes]
	comment = Home Directories
	browseable = no
	writable = yes
;	valid users = %S
;	valid users = MYDOMAIN\%S
	
[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes
	
# Un-comment the following and create the netlogon directory for Domain
Logons
;	[netlogon]
;	comment = Network Logon Service
;	path = /var/lib/samba/netlogon
;	guest ok = yes
;	writable = no
;	share modes = no
	
	
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;	[Profiles]
;	path = /var/lib/samba/profiles
;	browseable = no
;	guest ok = yes
	

=========================================================================

/etc/pam.d/system-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# auth: local passwd/shadow is tried first; domain users fall through to
# pam_winbind, but only for uid >= 500, so system accounts never reach the
# domain. NOTE(review): nullok on pam_unix accepts local accounts whose
# password field is empty - confirm that is intended on this host.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
# cached_login lets pam_winbind answer from its local credential cache when
# the DC is unreachable (pairs with "winbind offline logon" in smb.conf).
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so

# account: local users and uid < 500 pass without consulting winbind; for
# everyone else winbind's verdict is authoritative, except that an unknown
# user is ignored so the stack result then comes from pam_permit.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
cached_login
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so

# session: pam_mkhomedir is optional, so a missing (or uncreatable) home
# directory does not reject the session; the succeed_if rule skips the one
# module after it (the pam_unix session entry) for crond only.
# NOTE(review): nothing in this stack closes the session - the trace above
# reaches "pam_unix(sshd:session): session opened" with no error after it,
# so the immediate exit most likely comes from the user's login shell
# (see "template shell" in smb.conf).
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so

==============================================
/etc/pam.d/sshd # included because the /var/log/secure excerpt above is an
attempt to log in via sshd, though I don't think sshd itself is the problem
(exactly the same behavior with gdm)
#%PAM-1.0
auth	   required	pam_sepermit.so
auth       include      system-auth
# pam_nologin: refuses non-root logins while /etc/nologin exists
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
# pam_loginuid: records the audit login uid for this session
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed
in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
# the session rules from system-auth run last; every entry above is
# "required", so a failure there would normally be logged as a PAM session
# error, which the /var/log/secure trace above does not show.
session    include      system-auth

-- 
Christopher Thielen <cmthielen at ucdavis.edu>
UC Davis Department of History



