pam/winbind user not found problem

Terry td3201 at gmail.com
Wed Jul 15 18:10:54 UTC 2009


On Wed, Jul 15, 2009 at 12:04 PM, Terry<td3201 at gmail.com> wrote:
> On Wed, Jul 15, 2009 at 12:01 PM, Gary Greene<greeneg at tolharadys.net> wrote:
>> On 7/15/09 9:29 AM, "Landon M. Kelsey, III" <landonmkelsey at hotmail.com>
>> wrote:
>>> What is the best starter documentation on pam?
>>> Save me a web search!
>>>
>>> -----Original Message-----
>>> From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com] On
>>> Behalf Of Terry
>>> Sent: Wednesday, July 15, 2009 10:49 AM
>>> To: pam-list at redhat.com
>>> Subject: pam/winbind user not found problem
>>>
>>> Hello,
>>>
>>> Sorry for the generic subject. I am not sure how to classify the
>>> problem more accurately.
>>>
>>> I am running pam-0.99.6.2-4.el5 on RHEL 5.3.  I have an application
>>> that uses pam.  Out of the box, it has this configuration file in
>>> /etc/pam.d:
>>> #%PAM-1.0
>>> auth       include      system-auth
>>> account    include      system-auth
>>> password   include      system-auth
>>>
>>> My system auth contains this:
>>> auth        required      pam_env.so
>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>> auth        sufficient    pam_winbind.so use_first_pass
>>> auth        required      pam_deny.so
>>> account     required      pam_unix.so broken_shadow
>>> account     sufficient    pam_localuser.so
>>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>>> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
>>> account     required      pam_permit.so
>>> password    requisite     pam_cracklib.so try_first_pass retry=3
>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>> password    sufficient    pam_winbind.so use_authtok
>>> password    required      pam_deny.so
>>> session     optional      pam_keyinit.so revoke
>>> session     required      pam_limits.so
>>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>> session     required      pam_unix.so
>>> session     required      pam_mkhomedir.so skel=/etc/skel umask=077
>>>
>>> SSH authentication with active directory accounts works just fine.
>>> The usernames are formatted as DOMAIN+username.  However, they do not
>>> work with this application for some reason.  The developer claims that
>>> the formatting shouldn't be a problem with their app so I am double
>>> checking here.   When I try to auth with the application, I get this
>>> in /var/log/secure:
>>>
>>> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth): check pass; user unknown
>>> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>>> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_succeed_if(dssystem:auth): error retrieving information about user DOMAIN+username
>>>
>>> Just to prove I can see that user, here is a 'getent passwd':
>>> DOMAIN+username:*:15000:15019:User Name:/home/DOMAIN/username:/bin/bash
>>>
>>> Any ideas?
>>>
>>> _______________________________________________
>>> Pam-list mailing list
>>> Pam-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pam-list
>>>
>>
>> You haven't got nscd running have you? If you do, turn it off. It causes
>> weird auth issues with Winbind.
>
> Thanks for the response. No, I disable it.
>

I think I found the issue.  It was giving the users because of this:
auth        requisite     pam_succeed_if.so uid >= 500 quiet

I am not sure why either.  This should allow the conversation to
continue if the uid is greater than or equal to 500?  Well, this user
in question has a uid of 15000.  I'm reviewing the docs just to see
what I am missing.
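To see why that one line matters, here is a small simulator of how Linux-PAM walks the `auth` stack quoted above. It is an added example, not code from this thread or from Linux-PAM; it re-implements the control-flag semantics documented in pam.conf(5) (required/requisite/sufficient/optional and the `[value=action]` form). The point it shows: pam_succeed_if.so calls getpwnam() in the calling process before it ever compares `uid >= 500`, and when that lookup fails its non-success return code (assumed here to be user_unknown, matching the "error retrieving information about user" log line) hits the `requisite` control, which ends the stack before pam_winbind.so is reached. The per-module return codes in `trace()` are assumed scenarios, not captured data.

```python
"""Simulate how Linux-PAM walks the 'auth' stack quoted in this thread.

Added example, not code from the thread or from Linux-PAM.  It follows the
ok/done/bad/die/ignore/N action rules from pam.conf(5).  Module return
codes used below are assumed scenarios, not captured output.
"""
import re

# Legacy control keywords expressed as [value=action] tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok",
                   "default": "ignore"},
}

# The auth section of system-auth as posted in the thread.
SYSTEM_AUTH = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
"""

LINE_RE = re.compile(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)")


def parse_stack(text, service_type="auth"):
    """Return [(actions, module, args)] for the lines of one service type."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != service_type:
            continue
        ctrl, module, args = m.group(2), m.group(3), m.group(4)
        if ctrl.startswith("["):
            actions = dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
        else:
            actions = KEYWORDS[ctrl]
        stack.append((actions, module, args))
    return stack


def run_stack(stack, results):
    """Walk `stack`; `results` maps module name -> its return code string.

    Returns (final_result, modules_that_were_called).  The first bad/die
    fixes the outcome, done stops early only while the outcome is still
    positive, die always stops, and a numeric action skips N modules.
    """
    status, failed, called = "success", False, []
    i = 0
    while i < len(stack):
        actions, module, _args = stack[i]
        called.append(module)
        rc = results.get(module, "ignore")
        action = actions.get(rc, actions.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if not failed:
                status, failed = rc, True
            if action == "die":
                break
        else:                               # ok, done, or a jump count
            if not failed:
                status = rc
            if action == "done" and not failed:
                break
            if action.isdigit():
                i += int(action)
    return status, called


def trace(lookup_works, password_ok=True):
    """Assumed module outcomes for one attempt against SYSTEM_AUTH.

    lookup_works: whether getpwnam() resolves DOMAIN+username inside the
    calling process (it did for sshd and `getent`, not for the daemon).
    """
    results = {
        "pam_env.so": "success",
        # pam_unix never knows an AD-only user: it logs "user unknown".
        "pam_unix.so": "user_unknown",
        # pam_succeed_if looks the user up before testing `uid >= 500`;
        # a failed lookup yields a non-success code (assumed user_unknown).
        "pam_succeed_if.so": "success" if lookup_works else "user_unknown",
        "pam_winbind.so": "success" if password_ok else "auth_err",
        "pam_deny.so": "auth_err",
    }
    return run_stack(parse_stack(SYSTEM_AUTH), results)


if __name__ == "__main__":
    for lookup in (True, False):
        result, called = trace(lookup)
        print(f"lookup_works={lookup}: result={result}, called={called}")
```

Run as-is and the second line of output shows pam_winbind.so absent from the called list: with the lookup failing, the `requisite` line returns the failure straight to the application and the winbind module is never consulted, which is consistent with the log showing pam_unix and pam_succeed_if entries but nothing from pam_winbind.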



