pam/winbind user not found problem
Terry
td3201 at gmail.com
Wed Jul 15 15:48:55 UTC 2009
Hello,
Sorry for the generic subject. I am not sure how to classify the
problem more accurately.
I am running pam-0.99.6.2-4.el5 on RHEL 5.3. I have an application
that uses pam. Out of the box, it has this configuration file in
/etc/pam.d:
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
My system auth contains this:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=077
SSH authentication with Active Directory accounts works just fine.
The usernames are formatted as DOMAIN+username. However, they do not
work with this application for some reason. The developer claims that
the formatting shouldn't be a problem with their app, so I am double
checking here. When I try to auth with the application, I get this
in /var/log/secure:
Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth): check pass; user unknown
Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_succeed_if(dssystem:auth): error retrieving information about user DOMAIN+username
Just to prove I can see that user, here is a 'getent passwd':
DOMAIN+username:*:15000:15019:User Name:/home/DOMAIN/username:/bin/bash
Any ideas?
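The following is an added example, not part of Terry's post and not code from Linux-PAM or the application. It models the pam.conf(5) control-flag rules (required, requisite, sufficient) over the auth section of the system-auth quoted above, with stand-in modules that return the codes the real ones log: pam_unix returns PAM_USER_UNKNOWN when the name does not resolve, and pam_succeed_if returns PAM_USER_UNKNOWN when its getpwnam() lookup fails ("error retrieving information about user"). The two NSS tables (SHELL_NSS, where winbind entries are visible, and APP_NSS, where they are not), the AD_ACCOUNTS table and the password are constructed for the demonstration. Running the stack with each table shows why the log stops after pam_succeed_if: a requisite failure ends the stack, so pam_winbind is never called.

```python
"""Model of Linux-PAM control-flag handling over the posted auth stack.
Added example; the modules are stand-ins that mimic documented return
codes and the account tables are constructed. No PAM library is loaded."""

# Return codes, numbered as in Linux-PAM's _pam_types.h.
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_USER_UNKNOWN = 10
PAM_IGNORE = 25

# Constructed NSS views (name -> uid): what getent showed in the shell,
# versus what a process that cannot reach libnss_winbind would see.
SHELL_NSS = {"root": 0, "terry": 500, "DOMAIN+username": 15000}
APP_NSS = {"root": 0, "terry": 500}            # hypothetical: no winbind entries
AD_ACCOUNTS = {"DOMAIN+username": "Pa55word"}  # constructed AD credential


def pam_env(user, password, lookup):
    return PAM_SUCCESS


def pam_unix(user, password, lookup):
    # "check pass; user unknown" when the name does not resolve; an AD
    # user that does resolve has no usable local hash, so local auth fails.
    return PAM_USER_UNKNOWN if lookup(user) is None else PAM_AUTH_ERR


def pam_succeed_if_uid_ge_500(user, password, lookup):
    # "error retrieving information about user" -> PAM_USER_UNKNOWN
    uid = lookup(user)
    if uid is None:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if uid >= 500 else PAM_AUTH_ERR


def pam_winbind(user, password, lookup):
    # Stand-in for the AD password check; the real module talks to winbindd.
    return PAM_SUCCESS if AD_ACCOUNTS.get(user) == password else PAM_AUTH_ERR


def pam_deny(user, password, lookup):
    return PAM_AUTH_ERR


# The auth section of the posted system-auth, in order (options omitted).
AUTH_STACK = [
    ("required",   "pam_env.so",        pam_env),
    ("sufficient", "pam_unix.so",       pam_unix),
    ("requisite",  "pam_succeed_if.so", pam_succeed_if_uid_ge_500),
    ("sufficient", "pam_winbind.so",    pam_winbind),
    ("required",   "pam_deny.so",       pam_deny),
]


def run_stack(stack, user, password, lookup):
    """Walk the stack with pam.conf(5) control semantics. Returns
    (final_status, trace); trace lists (module, status) for every module
    that actually ran, so a module missing from it was never consulted."""
    trace = []
    first_failure = None
    for control, name, module in stack:
        status = module(user, password, lookup)
        trace.append((name, status))
        if status == PAM_IGNORE:
            continue
        ok = status == PAM_SUCCESS
        if control == "requisite" and not ok:
            return status, trace            # stop now and report this error
        if control == "required" and not ok and first_failure is None:
            first_failure = status          # remember it, but keep walking
        if control == "sufficient" and ok and first_failure is None:
            return PAM_SUCCESS, trace       # enough; the rest is skipped
        # optional, and a failed sufficient, leave the outcome unchanged
    return (first_failure if first_failure is not None else PAM_SUCCESS), trace


def authenticate(user, password, nss):
    """Authenticate against the modelled stack using the given NSS table."""
    return run_stack(AUTH_STACK, user, password, nss.get)


def modules_run(trace):
    return [name for name, _ in trace]


if __name__ == "__main__":
    for label, nss in (("shell view", SHELL_NSS), ("app view", APP_NSS)):
        status, trace = authenticate("DOMAIN+username", "Pa55word", nss)
        print(label, status, modules_run(trace))
```

With SHELL_NSS the walk reaches pam_winbind and succeeds; with APP_NSS it returns PAM_USER_UNKNOWN from the requisite line with only pam_env, pam_unix and pam_succeed_if in the trace, which is the exact sequence in the /var/log/secure excerpt. The implication is that in the DS-System process the name lookup failed, not the password check. The check to make on the real host is therefore whether getpwnam("DOMAIN+username") succeeds from that process's context rather than from an interactive shell: for example, whether it runs under a chroot or a different root, is statically linked against libc without NSS support, or otherwise reads an nsswitch.conf or libnss_winbind different from the one the shell uses. Those are possibilities to rule out, not a diagnosis the post itself establishes.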