pam & winbindd
Peter Huber
huber at uni-wh.de
Tue Apr 17 06:27:02 UTC 2007
I want to authenticate Linux logins via winbind. Everything is running, so all
ADS users can log in. But I want only some users to log in, so I used a winbind
feature called require_membership_of to restrict to a group. But this does not
work and I think it is a PAM config problem.
The log shows the following:
Apr 13 09:03:24 personal pam_winbind[7423]: pam_winbind: pam_sm_authenticate
Apr 13 09:03:29 personal pam_winbind[7423]: Verify user `testuser'
Apr 13 09:03:29 personal pam_winbind[7423]: CONFIG file: require_membership_of 'nagios-user'
Apr 13 09:03:29 personal pam_winbind[7423]: CONFIG file: krb5_ccache_type 'FILE'
Apr 13 09:03:29 personal pam_winbind[7423]: enabling krb5 login flag
Apr 13 09:03:29 personal pam_winbind[7423]: enabling request for a FILE krb5 ccache
Apr 13 09:03:29 personal pam_winbind[7423]: no sid given, looking up: nagios-user
Apr 13 09:03:29 personal pam_winbind[7423]: user 'testuser' OK
Apr 13 09:03:29 personal pam_winbind[7423]: request failed: Logon failure, PAM error was Authentication failure (7), NT error was NT_STATUS_LOGON_FAILURE
Apr 13 09:03:29 personal pam_winbind[7423]: user `testuser' denied access (incorrect password or invalid membership)
Apr 13 09:03:29 personal pam_winbind[7423]: request returned KRB5CCNAME: FILE:/tmp/krb5cc_1002
Apr 13 09:03:29 personal pam_winbind[7423]: user 'testuser' OK
Apr 13 09:03:29 personal pam_winbind[7423]: user 'testuser' granted access
Apr 13 09:03:48 personal pam_winbind[7423]: pam_winbind: pam_sm_close_session handler
Apr 13 09:03:48 personal pam_winbind[7423]: username [testuser] obtained
Apr 13 09:03:48 personal pam_winbind[7423]: user 'testuser' OK
I really don't understand why the testuser is authenticated and can log in although
there is an access denied (invalid membership).
Can you help me?
Thanks
Peter
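
A log check for the pattern in the message above, added here as an example and not part of the original post: it flags any pam_winbind process that logs "denied access" and later "granted access" for the same user. The function name and the finding fields are assumptions of this example; the sample lines are from the post, with wrapped lines rejoined.

```python
import re

# Log lines taken from the post above, with wrapped lines rejoined.
SAMPLE_LOG = """\
Apr 13 09:03:29 personal pam_winbind[7423]: Verify user `testuser'
Apr 13 09:03:29 personal pam_winbind[7423]: CONFIG file: require_membership_of 'nagios-user'
Apr 13 09:03:29 personal pam_winbind[7423]: request failed: Logon failure, PAM error was Authentication failure (7), NT error was NT_STATUS_LOGON_FAILURE
Apr 13 09:03:29 personal pam_winbind[7423]: user `testuser' denied access (incorrect password or invalid membership)
Apr 13 09:03:29 personal pam_winbind[7423]: request returned KRB5CCNAME: FILE:/tmp/krb5cc_1002
Apr 13 09:03:29 personal pam_winbind[7423]: user 'testuser' granted access
Apr 13 09:03:48 personal pam_winbind[7423]: pam_winbind: pam_sm_close_session handler
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ pam_winbind\[(\d+)\]: (.*)$")
VERDICT_RE = re.compile(r"user [`']([^']+)' (denied|granted) access")
GROUP_RE = re.compile(r"require_membership_of '([^']*)'")


def find_denied_then_granted(log_text):
    """Flag every (pid, user) whose pam_winbind denial is followed by a grant.

    Both timestamps are reported so a reviewer can tell a retyped password
    (seconds apart) from two module calls in the same second.
    """
    groups = {}    # pid -> group named by require_membership_of
    denied = {}    # (pid, user) -> timestamp of the first denial
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = m.groups()
        g = GROUP_RE.search(msg)
        if g:
            groups[pid] = g.group(1)
        v = VERDICT_RE.search(msg)
        if not v:
            continue
        user, verdict = v.groups()
        if verdict == "denied":
            denied.setdefault((pid, user), ts)
        elif (pid, user) in denied:
            findings.append({"pid": pid, "user": user, "required_group": groups.get(pid),
                             "denied_at": denied.pop((pid, user)), "granted_at": ts})
    return findings


if __name__ == "__main__":
    for finding in find_denied_then_granted(SAMPLE_LOG):
        print(finding)
```

A finding with identical timestamps, as here, means pam_winbind produced both verdicts within one second of the same login, so the lines of the PAM configuration that call pam_winbind are the place to look.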