[Samba] winbind authentication mystery
Hi Chris, Were you able to solve this. Regards, David. Greetings, I'm running Fedora 11 (Samba 3.3.2) and am trying to configure winbind authentication against a Windows 2003 server. I've run kinit and net join successfully, and can wbinfo -u, -g, and -t successfully, as well as getent passwd and getent group successfully. I can even use passwd to change domain user passwords. However, when I try to log in via gdm, ssh, or even su, I do not succeed. I believe am I suffering from one, possibly two separate issues. The first is that all users except the Administrator are told that their password is expiring, which is not true. Here are the logs of this event: Jun 24 15:29:58 history-20 sshd[4656]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=cmthielen Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): [pamh: 0x1f06f48] ENTER: pam_sm_authenticate (flags: 0x0001) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): getting password (0x0011) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): pam_get_item returned a password Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): Verify user 'cmthielen' Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): request wbcLogonUser succeeded Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): user 'cmthielen' granted access Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): Password has expired (Password was last set: 1245880658, the policy says it should expire here 1245880657 (now it's: 1245882598)) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): [pamh: 0x1f06f48] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): [pamh: 0x1f06f48] ENTER: pam_sm_acct_mgmt (flags: 0x) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): user 'cmthielen' needs new password Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): [pamh: 0x1f06f48] LEAVE: pam_sm_acct_mgmt returning 12 (PAM_NEW_AUTHTOK_REQD) Jun 24 15:29:58 history-20 sshd[4656]: Accepted password for cmthielen from 127.0.0.1 port 36881 ssh2 Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] ENTER: pam_sm_setcred (flags: 0x0002) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS) Jun 24 15:29:58 history-20 sshd[4656]: pam_unix(sshd:session): session opened for user cmthielen by (uid=0) Jun 24 15:29:58 history-20 sshd[4660]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] ENTER: pam_sm_setcred (flags: 0x0002) Jun 24 15:29:58 history-20 sshd[4660]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented Jun 24 15:29:58 history-20 sshd[4660]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS) Jun 24 15:29:58 history-20 passwd: pam_unix(passwd:chauthtok): user cmthielen does not exist in /etc/passwd Jun 24 15:29:58 history-20 passwd: pam_winbind(passwd:chauthtok): getting password (0x0020) Jun 24 15:30:01 history-20 passwd: pam_winbind(passwd:chauthtok): user 'cmthielen' granted access Jun 24 15:30:05 history-20 passwd: pam_unix(passwd:chauthtok): user cmthielen does not exist in /etc/passwd Jun 24 15:30:05 history-20 passwd: pam_winbind(passwd:chauthtok): getting password (0x) Jun 24 15:30:11 history-20 passwd: pam_winbind(passwd:chauthtok): user 'cmthielen' OK Jun 24 15:30:11 history-20 passwd: pam_winbind(passwd:chauthtok): user 'cmthielen' password changed Jun 24 15:30:11 history-20 passwd: pam_winbind(passwd:chauthtok): user 'cmthielen' granted access Jun 24 15:30:11 history-20 passwd: Couldn't access gnome keyring socket: /tmp/keyring-4jRNoE/socket: Permission denied Jun 24 15:30:11 history-20 passwd: gkr-pam: couldn't change password for 'login' keyring: 255 Jun 24 15:30:13 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] ENTER: pam_sm_setcred (flags: 0x0004) Jun 24 15:30:13 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] ENTER: _pam_delete_cred (flags: 0x0004) However, if I set my computer back two days, the timestamps work out. The time on the Windows server is set correctly, and the box even has it's ntpdate set to use the Windows server. The second, or possibly the same issue, is that it simply won't log in. If I use the administrator account, I am not told my password expires, but my session ends immediately (note: I have use default domain turned on, so the domain is implied here. If I turn it off and add the correct prepend syntax, the issue is the same): [root at history-20
[Samba] winbind authentication mystery
Greetings, I'm running Fedora 11 (Samba 3.3.2) and am trying to configure winbind authentication against a Windows 2003 server. I've run kinit and net join successfully, and can wbinfo -u, -g, and -t successfully, as well as getent passwd and getent group successfully. I can even use passwd to change domain user passwords. However, when I try to log in via gdm, ssh, or even su, I do not succeed. I believe am I suffering from one, possibly two separate issues. The first is that all users except the Administrator are told that their password is expiring, which is not true. Here are the logs of this event: Jun 24 15:29:58 history-20 sshd[4656]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=cmthielen Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): [pamh: 0x1f06f48] ENTER: pam_sm_authenticate (flags: 0x0001) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): getting password (0x0011) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): pam_get_item returned a password Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): Verify user 'cmthielen' Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): request wbcLogonUser succeeded Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): user 'cmthielen' granted access Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): Password has expired (Password was last set: 1245880658, the policy says it should expire here 1245880657 (now it's: 1245882598)) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): [pamh: 0x1f06f48] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): [pamh: 0x1f06f48] ENTER: pam_sm_acct_mgmt (flags: 0x) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): user 'cmthielen' needs new password Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): [pamh: 0x1f06f48] LEAVE: pam_sm_acct_mgmt returning 12 (PAM_NEW_AUTHTOK_REQD) Jun 24 15:29:58 history-20 sshd[4656]: Accepted password for cmthielen from 127.0.0.1 port 36881 ssh2 Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] ENTER: pam_sm_setcred (flags: 0x0002) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS) Jun 24 15:29:58 history-20 sshd[4656]: pam_unix(sshd:session): session opened for user cmthielen by (uid=0) Jun 24 15:29:58 history-20 sshd[4660]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] ENTER: pam_sm_setcred (flags: 0x0002) Jun 24 15:29:58 history-20 sshd[4660]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented Jun 24 15:29:58 history-20 sshd[4660]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS) Jun 24 15:29:58 history-20 passwd: pam_unix(passwd:chauthtok): user cmthielen does not exist in /etc/passwd Jun 24 15:29:58 history-20 passwd: pam_winbind(passwd:chauthtok): getting password (0x0020) Jun 24 15:30:01 history-20 passwd: pam_winbind(passwd:chauthtok): user 'cmthielen' granted access Jun 24 15:30:05 history-20 passwd: pam_unix(passwd:chauthtok): user cmthielen does not exist in /etc/passwd Jun 24 15:30:05 history-20 passwd: pam_winbind(passwd:chauthtok): getting password (0x) Jun 24 15:30:11 history-20 passwd: pam_winbind(passwd:chauthtok): user 'cmthielen' OK Jun 24 15:30:11 history-20 passwd: pam_winbind(passwd:chauthtok): user 'cmthielen' password changed Jun 24 15:30:11 history-20 passwd: pam_winbind(passwd:chauthtok): user 'cmthielen' granted access Jun 24 15:30:11 history-20 passwd: Couldn't access gnome keyring socket: /tmp/keyring-4jRNoE/socket: Permission denied Jun 24 15:30:11 history-20 passwd: gkr-pam: couldn't change password for 'login' keyring: 255 Jun 24 15:30:13 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] ENTER: pam_sm_setcred (flags: 0x0004) Jun 24 15:30:13 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] ENTER: _pam_delete_cred (flags: 0x0004) However, if I set my computer back two days, the timestamps work out. The time on the Windows server is set correctly, and the box even has it's ntpdate set to use the Windows server. The second, or possibly the same issue, is that it simply won't log in. If I use the administrator account, I am not told my password expires, but my session ends immediately (note: I have use default domain turned on, so the domain is implied here. If I turn it off and add the correct prepend syntax, the issue is the same): [r...@history-20 pam.d]# ssh administra...@localhost administra...@localhost's password:
