I have a problem that is now becoming very annoying. Namely I have a Centos 7 member server running Sernet Samba 4.7.4 for which everything seems to work except gdm or ftp logins. On the linux client it seems winbindd is set up correctly. For example (the data shown below has been sanitized):

> getent passwd
testuser2:*:3001108:3000513::/home/testuser1:/bin/bash
testuser1:*:3001107:3000513::/home/testuser2:/bin/bash

> getent group
domain admins:x:3000512:administrator
domain users:x:3000513:testuser2,testuser1,administrator,krbtgt

> kinit Administrator
Password for Administrator at MYDC.TEST.COM:

> klist
Ticket cache: KEYRING:persistent:3001107:3001107
Default principal: Administrator at MYDC.TEST.COM

Valid starting       Expires              Service principal
12/26/2017 14:24:36  12/27/2017 00:24:36  krbtgt/MYDC.TEST.COM at MYDC.TEST.COM
        renew until 01/02/2018 14:24:32

>cat /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
#initgroups: files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files winbind

netgroup:   files winbind

publickey:  nisplus

automount:  files
aliases:    files nisplus

After a console or ftp login I see these errors:

> cat /var/log/messages
Dec 26 14:31:26 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)
Dec 26 14:31:28 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)
Dec 26 14:31:30 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)

>cat /var/log/secure
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:26 testhost gdm-password]: gkr-pam: no password is available for user
Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:28 testhost gdm-password]: gkr-pam: no password is available for user
Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:30 testhost gdm-password]: gkr-pam: no password is available for user

So you can see pam_winbind is called but there is no password for the user.

And what is really strange is that I can login to the member server via ssh using a public/private key (username/password authentication is turned off). After an ssh login I see this in /var/log/secure:

> cat /var/log/secure
Dec 26 14:38:03 testhost sshd[32407]: pam_unix(sshd:session): session closed for user testuser1
Dec 26 14:38:07 testhost sshd[32501]: pam_winbind(sshd:account): user 'testuser1' granted access
Dec 26 14:38:07 testhost sshd[32501]: Accepted publickey for testuser1 from 192.168.1.3 port 53174 ssh2: RSA SHA256:CVb5dqn5xUPXO0iVbUyHlNuXUZeW4J6k42Kg94teayg
Dec 26 14:38:07 testhost sshd[32501]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Dec 26 14:38:07 testhost sshd[32501]: pam_unix(sshd:session): session opened for user testuser1 by (uid=0)

Logins on the DC do work properly. Plus I have 3 other member server linux boxes all running SSSD which have no issues. I am pretty sure the issue is on the client box running winbindd. Does anyone have any suggestions as to how to debug this issue or what might be going wrong?

-- 
Paul (ganci at TEST.com)
Cell: (303)257-5208
On 12/26/2017 06:08 PM, Paul R. Ganci via samba wrote:
> >cat /var/log/secure
> Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:26 testhost gdm-password]: gkr-pam: no password is available for user
> Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:28 testhost gdm-password]: gkr-pam: no password is available for user
> Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:30 testhost gdm-password]: gkr-pam: no password is available for user

Okay I will answer my own question. I ran authconfig-tui to redo the PAM configuration and everything started to work again. I guess the manual version I had placed into the /etc/pam.d directory had a problem. Things are good again.

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
On Tue, 26 Dec 2017 18:08:11 -0700
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:

> I have a problem that is now becoming very annoying. Namely I have a
> Centos 7 member server running Sernet Samba 4.7.4 for which
> everything seems to work except gdm or ftp logins. On the linux
> client it seems winbindd is set up correctly. For example (the data
> shown below has been sanitized):
> 
> > getent passwd
> testuser2:*:3001108:3000513::/home/testuser1:/bin/bash
> testuser1:*:3001107:3000513::/home/testuser2:/bin/bash
> 
> > getent group
> domain admins:x:3000512:administrator
> domain users:x:3000513:testuser2,testuser1,administrator,krbtgt

Have you actually given your users & groups a uidNumber or gidNumber
attribute, or are you using the 'rid' backend?

> > kinit Administrator
> Password for Administrator at MYDC.TEST.COM:
> > klist
> Ticket cache: KEYRING:persistent:3001107:3001107
> Default principal: Administrator at MYDC.TEST.COM

This gets stranger and stranger, if you are using the 'rid' backend,
why does 'Administrator' have the 'RID' 1107 ? and if you aren't, why
isn't it '0:0' ?

> Valid starting Expires Service principal
> 12/26/2017 14:24:36 12/27/2017 00:24:36
> krbtgt/MYDC.TEST.COM at MYDC.TEST.COM renew until 01/02/2018 14:24:32
> 
> >cat /etc/nsswitch.conf
> passwd: files winbind
> group: files winbind

You should only have winbind on the two lines above, remove it from
any other lines.

> After a console or ftp login I see these errors:
> 
> > cat /var/log/messages
> Dec 26 14:31:26 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)
> Dec 26 14:31:28 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)
> Dec 26 14:31:30 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)
> 
> >cat /var/log/secure
> Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:26 testhost gdm-password]: gkr-pam: no password is available for user
> Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:28 testhost gdm-password]: gkr-pam: no password is available for user
> Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:30 testhost gdm-password]: gkr-pam: no password is available for user

Winbind cannot find your user

> So you can see pam_winbind is called but there is no password for the
> user. And what is really strange is that I can login to the member
> server via ssh using a public/private key (username/password
> authentication is turned off). After an ssh login I see this in
> /var/log/secure:

This will work because kerberos is used instead of winbind.

> Logins on the DC do work properly. Plus I have 3 other member server
> linux boxes all running SSSD which have no issues. I am pretty sure
> the issue is on the client box running winbindd. Does anyone have any
> suggestions as to how to debug this issue or what might be going
> wrong?

You have purged sssd haven't you ? It interferes with winbind, at least
it did when I tested winbind on a centos 7 VM, removing sssd fixed
everything.

Rowland
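An added check for Rowland's nsswitch.conf advice above (example code, not from the thread or from Samba): it lists every database other than passwd and group that still names the winbind source, using a constructed file that mirrors the fragment Paul posted.

```shell
#!/bin/sh
# Added example: audit an nsswitch.conf so that "winbind" appears only on
# the passwd and group databases. Prints one offending database name per
# line and nothing when the file is clean.
nsswitch_winbind_offenders() {
    # $1: path to an nsswitch.conf-style file
    # Strip comments, turn the first ':' into whitespace, then scan sources.
    sed -e 's/#.*//' -e 's/:/ /' "$1" | awk '
        NF >= 2 {
            db = $1
            for (i = 2; i <= NF; i++)
                if ($i == "winbind" && db != "passwd" && db != "group")
                    print db
        }'
}

# Exit status 0 when clean, 1 when any other database lists winbind.
nsswitch_winbind_ok() {
    [ -z "$(nsswitch_winbind_offenders "$1")" ]
}

# Constructed sample (hypothetical paths via mktemp) reproducing the layout
# from the thread: shadow, services and netgroup also list winbind.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
#initgroups: files winbind
hosts:      files dns myhostname
services:   files winbind
netgroup:   files winbind
automount:  files
EOF

# Constructed sample after applying the advice: winbind on passwd/group only.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns myhostname
services:   files
netgroup:   files
EOF
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"' EXIT

nsswitch_winbind_offenders "$SAMPLE_BAD"   # shadow, services, netgroup
```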
On 12/27/2017 02:39 AM, Rowland Penny via samba wrote:
> Have you actually given your users & groups a uidNumber or gidNumber
> attribute, or are you using the 'rid' backend

Yes I am using the AD backend and they have these uidNumber & gidNumbers. They come from when I was originally using rid (back in the 4.0 days) and switched to the AD backend. I just happened to make the uidNumber/gidNumber the number one would get if using rid. I never changed them to anything more reasonable since I didn't want to deal with the issues that creates. So yes it seems strange but everything is correct. There is actually another list message in the archives where the use of these uidNumber/gidNumber caused confusion. Maybe one of these days I will change over to something more reasonable if just to avoid that confusion.

> This gets stranger and stranger, if you are using the 'rid' backend,
> why does 'Administrator' have the 'RID' 1107 ? and if you aren't, why
> isn't it '0:0' ?

The kinit command was issued from the testuser1 account. I will go out on a limb and suggest that 3001107 is correct since that is the keyring owner. If it makes you feel better here is the same getent passwd on the DC (note the "0" in the administrator user):

> getent passwd
MYDC\administrator:*:0:3000513::/home/administrator:/bin/bash
MYDC\testuser2:*:3001108:3000513::/home/testuser2:/bin/bash
MYDC\testuser1:*:3001107:3000513::/home/testuser1:/bin/bash

I did give domain users and domain admin groups gidNumbers so that is what you see. That is why it is not 0:0. My understanding is that is okay. You just cannot give administrator a uidNumber if I recall other list messages correctly.

Also if I do the kinit/klist commands on the member server as root I get this:

> kinit administrator
Password for administrator at MYDC.TEST.COM:

> klist
Ticket cache: KEYRING:persistent:0:krb_ccache_kgkyAS7
Default principal: administrator at MYDC.TEST.COM

Valid starting       Expires              Service principal
12/27/2017 18:24:49  12/28/2017 04:24:49  krbtgt/MYDC.TEST.COM at MYDC.TEST.COM
        renew until 01/03/2018 18:24:46

> Winbind cannot find your user

Yes sssd was completely removed. The SERNET samba distribution will not install if sssd is installed. Yum errors will occur. And as I said in my other message the problem disappears once I re-ran authconfig-tui. Authconfig-tui changes the /etc/nsswitch.conf file per your suggestion, and it recreates the /etc/pam.d/password-auth-ac file and /etc/pam.d/system-auth-ac for use with winbind. I had been using /etc/pam.d/ files created from those used by sssd and hand edited with vi to change over to winbind. While that worked at one time it failed this time with my upgrade from samba 4.6 to 4.7. They were admittedly pretty old versions of the PAM files so I guess I should have expected this day to come. In any event, I will reiterate that everything is working like it is supposed to now. Thank you for your help.

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208