[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Session closes immediately (pam + winbind)

Christopher Thielen wrote:
Hi folks,
	Running Fedora 11, Samba 3.3.2, all the patches applied, selinux
disabled. I've joined my computer to a Windows 2003 directory, getent
passwd, wbinfo -u, -g, -t all work fine, but when I try to log in (gdm,
ssh, etc.) with a domain user, the session closes immediately.
	According to /var/log/secure, it detects good and bad passwords, but
upon receiving the correct password, /var/log/secure shows a "session
opened for user" but that's the last line - nothing about  the session
closing, though it does.
	Here's a complete date with /var/log/secure when I try to log in via
SSH using a winbind account:

Jul  6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=localhost.localdomain  user=cmthielen
Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): getting
password (0x00000210)
Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth):
pam_get_item returned a password
Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): user
'cmthielen' granted access
Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:account): user
'cmthielen' granted access
Jul  6 10:31:35 history-20 sshd[3189]: Accepted password for cmthielen
from port 55696 ssh2
Jul  6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:session): session
opened for user cmthielen by (uid=0)

	Any idea why the session closes immediately? A Debian user following a
Ubuntu wiki guide had a similar problem and did not detail his solution,
though he said it had to do with the syntax of his pam files. Here are
the relevant files:


#======================= Global Settings

# Generated by authconfig on 2009/07/06 09:15:29
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = A.WORKGROUP # "censored"
   password server = 555.555.555.555 # "censored"
   realm = THE.REALM # "censored"
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = true
   winbind offline logon = true
   winbind enum users = true
   winbind enum groups = true

;	workgroup = MYGROUP
	server string = Samba Server Version %v
;	netbios name = MYSERVER
; interfaces = lo eth0 ; hosts allow = 127. 192.168.12. 192.168.13.
	# logs split per machine
	log file = /var/log/samba/log.%m
	# max 50KB per log file, then rotate
	max log size = 50

;	security = user
	passdb backend = tdbsam

;	security = domain
;	passdb backend = tdbsam
;	realm = MY_REALM

;	password server = <NT-Server-Name>

;	security = user
;	passdb backend = tdbsam
; domain master = yes ; domain logons = yes
	# the login script name depends on the machine name
;	logon script = %m.bat
	# the login script name depends on the unix user used
;	logon script = %u.bat
;	logon path = \\%L\Profiles\%u
	# disables profiles support by specifing an empty path
; logon path =
;	add user script = /usr/sbin/useradd "%u" -n -g users
;	add group script = /usr/sbin/groupadd "%g"
;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M
-d /nohome -s /bin/false "%u"
;	delete user script = /usr/sbin/userdel "%u"
;	delete user from group script = /usr/sbin/userdel "%u" "%g"
;	delete group script = /usr/sbin/groupdel "%g"
;	local master = no
;	os level = 33
;	preferred master = yes
;	wins support = yes
;	wins server = w.x.y.z
;	wins proxy = yes
;	dns proxy = yes
	load printers = yes
	cups options = raw

;	printcap name = /etc/printcap
	#obtain list of printers automatically on SystemV
;	printcap name = lpstat
;	printing = cups

;	map archive = no
;	map hidden = no
;	map read only = no
;	map system = no
;	store dos attributes = yes

#============================ Share Definitions
	comment = Home Directories
	browseable = no
	writable = yes
;	valid users = %S
;	valid users = MYDOMAIN\%S
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes
# Un-comment the following and create the netlogon directory for Domain
;	[netlogon]
;	comment = Network Logon Service
;	path = /var/lib/samba/netlogon
;	guest ok = yes
;	writable = no
;	share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;	[Profiles]
;	path = /var/lib/samba/profiles
;	browseable = no
;	guest ok = yes


# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so

/etc/pam.d/sshd # because the /var/log/secure above is an attempt to log
in via sshd though I don't think sshd is specifically the problem (exact
same behavior with gdm)
auth	   required	pam_sepermit.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed
in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      system-auth

Uh, uhm, in the "getent passwd" entry for the user you're trying to
authenticate as ("cmthielen"), does it have a valid shell?  Your
template is /bin/false, which would close the session straight away.
- Rick Stevens, Systems Engineer                      ricks nerd com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-  "Men occasionally stumble over the truth, but most of them pick"  -
-     themselves up and hurry off as if nothing had happened."       -
-                                  -- Winston Churchill              -

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]