search for: user_unknown

...winbind group: files winbind --------------------------------------------------------------------- And finally PAM configuration (only winbind related stuffs): --------------------------------------------------------------------- /etc/pam.d/fingerprint-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING /etc/pam.d/fingerprint-auth:session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING...

...mode = rfc2307 idmap config DOMAIN:range = 100-20000 dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab /etc/nsswitch.conf passwd: compat winbind group: compat winbind grep -r winbind /etc/pam.d /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so /etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so use_first_pass /etc/pam.d/system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so /etc/pam.d/system-auth-ac:password sufficient pam_winbind.so use_authtok /etc/pam.d/smartc...

...:14:00 mgprisvr pam_winbind[8346]: request failed, but PAM error 0! Aug 22 12:14:00 mgprisvr pam_winbind[8346]: internal module error (retval = 3, user = `test') There were no errors in the winbind.log file. In my /etc/pam.d/system-auth, I found this line: account [default=bad success=ok user_unknown=ignore] pam_winbind.so I Googled that line (and parts of it) but had no luck figuring out what it was doing. I changed it to: account sufficient pam_winbind.so and now I can log in with local accounts, as well as domain (winbind) accounts. I have two questions: A) Is this some kind...

Okay - I've got samba working as a PDC with and ldap backend. I want to have some users not be in ldap (like the built in stuff like cyrus, mail, lp etc) I can get that to work with the pam_ldap and pam_unix but pam_smbpass doesn't seem to return user_unknown as i expect for users who are not in the ldap database does this make sense? --- pam_smb_passwd.c 12 Feb 2002 15:56:19 -0000 1.1.2.8 +++ pam_smb_passwd.c 20 Aug 2002 23:41:57 -0000 @@ -126,9 +126,9 @@ /* obtain user record */ pdb_init_sam(&sampass); - pdb_getsampwnam...

...------ nsswitch.conf: passwd: files winbind shadow: files winbind group: files winbind and pam.d files are both configured: --------------------------------------------------------------------- grep winb /etc/pam.d/* /etc/pam.d/fingerprint-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so /etc/pam.d/fingerprint-auth:session optional pam_winbind.so /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so /etc/pam.d/fingerprint-auth-ac:session optional pam_winbind.so /etc/pam.d/password-auth:auth...

...bind > --------------------------------------------------------------------- > > And finally PAM configuration (only winbind related stuffs): > --------------------------------------------------------------------- > /etc/pam.d/fingerprint-auth:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING > /etc/pam.d/fingerprint-auth:session optional pam_winbind.so > krb5_auth krb5_ccache_type=KEYRING > /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so krb5_auth krb5...

...s winbind > shadow: files winbind > group: files winbind > > and pam.d files are both configured: > --------------------------------------------------------------------- > grep winb /etc/pam.d/* > /etc/pam.d/fingerprint-auth:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so > /etc/pam.d/fingerprint-auth:session optional pam_winbind.so > /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so > /etc/pam.d/fingerprint-auth-ac:session optional pam_winbind.so > /etc/pa...

Hi all, How can we configure winbind to retrieve uidNumber and gidNumber declared in AD? Thanks and regards, mathias

Hi Jonathan, Thank you for that, that solved the issue. Unfortunately I get another issue: on one DC id <user> gives "no such user". Adding domain (id ad.domain\\<user>) does not help. Adding the whole domain (id ad.domain.tld\\<user>) does not help more. I did checked PAM, NSS and Samba configurations, this server is using same configurations as the two working DC.

...files winbind > > > > > >and pam.d files are both configured: > > >--------------------------------------------------------------------- > > >grep winb /etc/pam.d/* > > >/etc/pam.d/fingerprint-auth:account [default=bad success=ok > > >user_unknown=ignore] pam_winbind.so > > >/etc/pam.d/fingerprint-auth:session optional pam_winbind.so > > >/etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok > > >user_unknown=ignore] pam_winbind.so > > >/etc/pam.d/fingerprint-auth-ac:session optio...

...00 > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > > /etc/nsswitch.conf > passwd: compat winbind > group: compat winbind > > grep -r winbind /etc/pam.d > /etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so > /etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so > use_first_pass > /etc/pam.d/system-auth-ac:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so > /etc/pam.d/system-auth-ac:password sufficient pam_winbind.so >...

...iles winbind > >group: files winbind > > > >and pam.d files are both configured: > >--------------------------------------------------------------------- > >grep winb /etc/pam.d/* > >/etc/pam.d/fingerprint-auth:account [default=bad success=ok > >user_unknown=ignore] pam_winbind.so > >/etc/pam.d/fingerprint-auth:session optional pam_winbind.so > >/etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok > >user_unknown=ignore] pam_winbind.so > >/etc/pam.d/fingerprint-auth-ac:session optional pam_winbind...

.../lib/security/$ISA/pam_winbind.so use_first_pass auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so broken_shadow account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account [default=bad success=ok user_unknown=ignore] /lib/ security/$ISA/pam_ldap.so account [default=bad success=ok user_unknown=ignore] /lib/ security/$ISA/pam_winbind.so account required /lib/security/$ISA/pam_permit.so password requisite /lib/security/$ISA/pam_cracklib.so retry=3 password sufficient /lib/secur...

..._winbind failing. ssh uses /etc/pam.d/system-auth in Redhat, and Redhat has this account related clump: account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account [default=bad success=ok user_unknown=ignore] pam_krb5.so account [default=bad success=ok user_unknown=ignore] pam_winbind.so account required pam_permit.so ssh logins using winbind authentication are working well with the above account clump in place....

...ss auth sufficient pam_winbind.so cached_login use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login account required pam_permit.so Some logs from log.wb-DSDEV: [2017/05/09 10:05:36.038999, 3] ../source3/winbindd/winbindd_ads.c:412(query_user_list) ads query_user_list gave 43369 entrie...

...pam_sss.so use_first_pass auth required pam_deny.so auth required pam_env.so auth optional pam_gnome_keyring.so account required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 2000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so account requisite pam_unix.so try_first_pass account sufficient pam_localuser.so account required pam_sss.so use_first_pass account sufficient pam_localuser.so password requisite pam_pwquality.so try_...

...id >= 200 quiet_success > auth sufficient pam_sss.so use_first_pass > auth required pam_deny.so > > account required pam_unix.so broken_shadow > account sufficient pam_succeed_if.so uid < 2000 quiet > account [default=bad success=ok user_unknown=ignore] pam_sss.so > account required pam_permit.so > > password requisite pam_pwquality.so try_first_pass > local_users_only retry=3 authtok_type= > password sufficient pam_unix.so md5 shadow nullok try_first_pass > use_authtok > password sufficient...

...th sufficient pam_winbind.so cached_login use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_krb5.so account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 dcredit=1 ucredit=1 lcredit=1 ocredit=1 password sufficient pam_unix.so...

On 05/09/2015 01:24 PM, Jonathan Billings wrote: > Is it normal to have pam_unix and pam_sss twice for each each section? No. See my previous message. I think it's the result of copying portions of SuSE configurations.

..._unix.so likeauth nullok auth sufficient /lib/security/pam_krb5.so use_first_pass auth sufficient /lib/security/pam_ldap.so use_first_pass auth required /lib/security/pam_deny.so account required /lib/security/pam_unix.so account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_krb5.so password required /lib/security/pam_cracklib.so retry=3 type= password sufficient /lib/secu...