pam/winbind user not found problem

Terry td3201 at gmail.com
Wed Jul 15 17:04:35 UTC 2009 

On Wed, Jul 15, 2009 at 12:01 PM, Gary Greene<greeneg at tolharadys.net> wrote:
> On 7/15/09 9:29 AM, "Landon M. Kelsey, III" <landonmkelsey at hotmail.com>
> wrote:
>> What is the best starter documentation on pam?
>> Save me a web search!
>>
>> -----Original Message-----
>> From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com] On
>> Behalf Of Terry
>> Sent: Wednesday, July 15, 2009 10:49 AM
>> To: pam-list at redhat.com
>> Subject: pam/winbind user not found problem
>>
>> Hello,
>>
>> Sorry for the generic subject. I am not sure how to classify the
>> problem more accurately.
>>
>> I am running pam-0.99.6.2-4.el5 on RHEL 5.3.  I have an application
>> that uses pam.  Out of the box, it has this configuration file in
>> /etc/pam.d:
>> #%PAM-1.0
>> auth       include      system-auth
>> account    include      system-auth
>> password   include      system-auth
>>
>> My system auth contains this:
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>> auth        sufficient    pam_winbind.so use_first_pass
>> auth        required      pam_deny.so
>> account     required      pam_unix.so broken_shadow
>> account     sufficient    pam_localuser.so
>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
>> account     required      pam_permit.so
>> password    requisite     pam_cracklib.so try_first_pass retry=3
>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
>> use_authtok
>> password    sufficient    pam_winbind.so use_authtok
>> password    required      pam_deny.so
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> session     [success=1 default=ignore] pam_succeed_if.so service in
>> crond quiet use_uid
>> session     required      pam_unix.so
>> session     required      pam_mkhomedir.so skel=/etc/skel umask=077
>>
>> SSH authentication with active directory accounts works just fine.
>> The usernames are formatted as DOMAIN+username.  However, they do not
>> work with this application for some reason.  The developer claims that
>> the formatting shouldn't be a problem with their app so I am double
>> checking here.   When I try to auth with the application, I get this
>> in /var/log/secure:
>>
>> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
>> check pass; user unknown
>> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
>> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>> Jul 15 10:40:59 omadvdss01c DS-System[6827]:
>> pam_succeed_if(dssystem:auth): error retrieving information about user
>> DOMAIN+username
>>
>> Just to prove I can see that user, here is a 'getent passwd':
>> DOMAIN+username:*:15000:15019:User Name:/home/DOMAIN/username:/bin/bash
>>
>> Any ideas?
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/pam-list
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/pam-list
>
> You haven't got nscd running have you? If you do, turn it off. It causes
> weird auth issues with Winbind.

Thanks for the response. No, I disable it.

More information about the Pam-list mailing list