I can't get a login from an FC3 setup unless the user has a local account.

Jun 10 11:53:12 fc3 login(pam_unix)[12082]: check pass; user (elina) unknown
Jun 10 11:53:12 fc3 login(pam_unix)[12082]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=elina
Jun 10 11:53:12 fc3 pam_winbind[12082]: user 'elina' granted access
Jun 10 11:53:12 fc3 login(pam_unix)[12082]: could not identify user (from getpwnam(elina))
Jun 10 11:53:12 fc3 login[12082]: User not known to the underlying authentication module

any ideas

dave

==========================/etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open

/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
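
Added example, not part of the original post: a small Python correlator run over the log lines quoted above. It flags logins where pam_winbind accepted the password but a getpwnam() lookup for the same user then failed in the same process, which is the pattern this thread is about. The function name find_nss_gaps is hypothetical.

```python
import re
from collections import defaultdict

# Log lines quoted from the post above (syslog format, FC3 login service).
SAMPLE_LOG = """\
Jun 10 11:53:12 fc3 login(pam_unix)[12082]: check pass; user (elina) unknown
Jun 10 11:53:12 fc3 login(pam_unix)[12082]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=elina
Jun 10 11:53:12 fc3 pam_winbind[12082]: user 'elina' granted access
Jun 10 11:53:12 fc3 login(pam_unix)[12082]: could not identify user (from getpwnam(elina))
Jun 10 11:53:12 fc3 login[12082]: User not known to the underlying authentication module
"""

# timestamp, host, syslog tag (e.g. "login(pam_unix)"), pid, message
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) ([^\[\s]+)\[(\d+)\]: (.*)$")
GRANTED = re.compile(r"user '([^']+)' granted access")
NO_PWENT = re.compile(r"could not identify user \(from getpwnam\(([^)]+)\)\)")

def find_nss_gaps(log_text):
    """Return (host, pid, user) for each login where pam_winbind accepted the
    password but a later getpwnam() for that user failed in the same process."""
    granted = defaultdict(set)   # (host, pid) -> users authenticated by winbind
    gaps = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue             # not a syslog line we understand
        host, tag, pid, msg = m.groups()
        key = (host, pid)
        g = GRANTED.search(msg)
        if g and tag.startswith("pam_winbind"):
            granted[key].add(g.group(1))
            continue
        n = NO_PWENT.search(msg)
        # Only report when the same process already saw a winbind grant.
        if n and n.group(1) in granted[key]:
            gaps.append((host, pid, n.group(1)))
    return gaps

if __name__ == "__main__":
    for host, pid, user in find_nss_gaps(SAMPLE_LOG):
        print(f"{host} pid {pid}: {user} authenticated via winbind, "
              f"but getpwnam() found no passwd entry")
```
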

Hello David

I experience the same problem.
wbinfo -u, wbinfo -g, wbinfo -t, getent passwd, kinit, kpasswd work fine.
It seems the problem is the getpwnam function.
Does getpwnam search in the passwd file?

Giuseppe

David Rigler wrote:
>
> I can't get a login from an FC3 setup unless the user has a local account.
>
> Jun 10 11:53:12 fc3 login(pam_unix)[12082]: check pass; user (elina)
> unknown
> Jun 10 11:53:12 fc3 login(pam_unix)[12082]: authentication failure;
> logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=elina
> Jun 10 11:53:12 fc3 pam_winbind[12082]: user 'elina' granted access
> Jun 10 11:53:12 fc3 login(pam_unix)[12082]: could not identify user
> (from getpwnam(elina))
> Jun 10 11:53:12 fc3 login[12082]: User not known to the underlying
> authentication module
>
> any ideas
>
> dave
>

Hi giuseppe

after some more investigation I've found the following sequence to be 100% repeatable.

2 users, dave & elina. dave has a local account, elina does not.

After reboot or restart of the winbindd daemon, dave can login but elina can not.
After logging in as dave, "wbinfo -n dave" returns "Could not lookup name dave". Huh !! it just logged me in but now can't find my details ??
Same with "wbinfo -n elina".
Now run "getent passwd", result of which kind of looks like the passwd file with the AD domain users tacked onto the end.
After this "wbinfo -n dave" returns the windows SID.
Now run "wbinfo -n elina" which again should show the Windows SID for elina.
log out as dave and TRA-LA I can log in as elina.

as to why "wbinfo -n" cannot get the Windows SID ?? and does the "getent passwd" result in the SID being cached ??

giuseppe panei wrote:
> Hi dave
>
> I have found the following items in the htmldocs:
>
> "The pam_winbind module in the 2.2.2 release only supports the auth
> and account module-types. The latter simply performs a getpwnam() to
> verify that the system can obtain a uid for the user. If the
> libnss_winbind library has been correctly installed, this should
> always succeed."
>
> Well, then is the account module failing ???
>
>
> From Using Samba, cap 9:
>
> "Be careful when adding local users after domain users have started
> accessing the Samba server. The domain users will have entries created
> for them by winbind in /etc/passwd, with UIDs in the range you specify.
> ................
> ................"
>
> In my /etc/passwd there are no entities for domain users.
>
I don't believe this is true, it does not add the AD users to the local passwd file. Although "getent passwd" produces a list that looks like a cat of passwd + the AD users
>
>
> I apologize for my bad English.
> Giuseppe
>
much better than my non-existent Italian

dave
>
>
> David Rigler wrote:
>
>>
>> Hi Giuseppe
>>
>> I was thinking that getpwnam should fail, that user doesn't exist
>> locally.
>> But the pam_unix and/or pam stack should be able to cope with that ?
>>
>> dave
>>
>