need help on gdm, PAM, samba domain login



  1. #1
    Join Date
    Sep 2002
    Location
    BBY
    Posts
    6

    need help on gdm, PAM, samba domain login

    Hello,

    In my attempt to learn linux, I installed and configured samba so that Windows 2003 Server Active Directory users can login into Fedora 12 Linux PCs.

    Using terminal mode / CLI console, all AD users can log in to the Fedora 12 system.

    At the moment, I boot into init 4 mode first, login as AD domain user, then give startx command to get Gnome.

    But in a normal GDM boot-up, AD domain users can't log in; only local Linux users can.

    I think this to be a GDM + PAM configuration issue considering I am getting gdm-password error log in /var/log/secure file when AD domain user tries to login.

    Expecting valuable suggestions from all...

  2. #2
    Join Date
    Sep 2002
    Location
    BBY
    Posts
    6
    wakeup

  3. #3
    Join Date
    Sep 1999
    Location
    Cambridge, UK
    Posts
    509
    You didn't say how you granted access to AD users on the console. The right way would be to edit /etc/pam.d/system-auth so I'll assume that that's what you did. Before Fedora 11 that would have been sufficient but now you also have to edit /etc/pam.d/password-auth because the PAM rules for gdm-password include that.

  4. #4
    Join Date
    Sep 2002
    Location
    BBY
    Posts
    6
    Thanks very much for the response.

    The lines in my system-auth file are given below (purposefully gave 0777 in umask, which I will change later):

    ----- system-auth-----

    #%PAM-1.0
    auth required /lib/security/$ISA/pam_env.so
    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
    auth required /lib/security/$ISA/pam_deny.so

    account required /lib/security/$ISA/pam_unix.so
    account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
    account required /lib/security/$ISA/pam_permit.so

    password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
    password required /lib/security/$ISA/pam_deny.so

    session required /lib/security/$ISA/pam_limits.so
    session required /lib/security/$ISA/pam_unix.so
    session required /lib/security/$ISA/pam_winbind.so use_first_pass
    session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0777

    -------

    I didn't know about password-auth, so I haven't changed it. The content is as given below:

    -----password-auth-----

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so

    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_permit.so

    password requisite pam_cracklib.so try_first_pass retry=3
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so

    -----

    What more changes do I need to make?

    Thanks...

  5. #5
    Join Date
    Sep 1999
    Location
    Cambridge, UK
    Posts
    509
    Copy the pam_winbind lines. They should do it. You can copy the pam_mkhomedir as well if you want the users' home directories to be created locally when they log on for the first time.

  6. #6
    Join Date
    Sep 2002
    Location
    BBY
    Posts
    6

    still facing error

    Hello,

    Troubleshooting a bit, still getting error. These are last few lines from /var/log/secure:

    Apr 24 01:07:41 localhost login: pam_winbind(login:auth): getting password (0x00000010)
    Apr 24 01:07:41 localhost login: pam_winbind(login:auth): pam_get_item returned a password
    Apr 24 01:07:41 localhost login: pam_winbind(login:auth): user 'tuser1' granted access
    Apr 24 01:07:41 localhost login: pam_unix(login:account): could not identify user (from getpwnam(tuser1))
    Apr 24 01:07:41 localhost login: pam_succeed_if(login:account): error retrieving information about user tuser1
    Apr 24 01:07:41 localhost login: User not known to the underlying authentication module


    Now, I can't log in in console/CLI mode either.

    AD Server: svr1.testsys.home (ip: 192.168.0.254 Windows 2003 SP2)
    Client: Fedora 12 XFCE Spin ip: 192.168.0.45
    realm: TESTSYS.HOME

    kinit, klist, wbinfo -u: all these commands work and give proper results. The problem is that I can't log in.

    I am attaching all files in which I made changes in a .zip file for better review.

    After this troubleshooting is over, I will make a document with all the steps involved in doing this.

    Thanks...
    Attached Files

  7. #7
    Join Date
    Sep 1999
    Location
    Cambridge, UK
    Posts
    509
    You don't have winbind in the nsswitch.conf from your Zip which may explain why your logs show complaints about the user not being known. But it's weird that you could log in before. That said your archive of files you changed doesn't include the password-auth one you were going to edit so perhaps I'm missing something.

    Disclaimer: I never actually used winbind. I usually join the machine to the Active Directory domain and use nss_ldap and pam_krb5. winbind was mostly working for you, however, so I'm sure we can get there.
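    Added example, not from the thread and not Fedora's own tooling: a small POSIX shell checker for the two points raised in the replies. Posts #3 and #5: on Fedora 11 and later the gdm-password stack includes /etc/pam.d/password-auth, so the pam_winbind lines must be there too, not only in system-auth. Post #7: winbind must be listed in /etc/nsswitch.conf for passwd and group, otherwise getpwnam() cannot resolve AD users and the account phase fails with "could not identify user", exactly the /var/log/secure lines in post #6. The sample files the script writes are constructed for the demo (the stock password-auth from post #4 plus the pam_winbind/pam_mkhomedir lines, and a two-line nsswitch.conf); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check that AD logins are wired into
# both files the replies point at. Sample file contents are constructed.

# pam_has_winbind FILE TYPE: succeeds if FILE has an uncommented TYPE line
# (auth/account/password/session) that loads pam_winbind.so.
pam_has_winbind() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+.*pam_winbind\.so" "$1"
}

# nss_has_winbind FILE DB: succeeds if FILE lists winbind as a source for DB
# (passwd/group), e.g. "passwd: files winbind".
nss_has_winbind() {
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)" "$1"
}

# check_ad_login_config PAMFILE NSSFILE: prints one line per check and returns
# the number of failed checks (0 means both files look right for AD logins).
check_ad_login_config() {
    problems=0
    for type in auth account session; do
        if pam_has_winbind "$1" "$type"; then
            echo "ok:   $1 has a '$type' pam_winbind line"
        else
            echo "FAIL: $1 has no '$type' pam_winbind line (gdm-password will not accept AD users)"
            problems=$((problems + 1))
        fi
    done
    for db in passwd group; do
        if nss_has_winbind "$2" "$db"; then
            echo "ok:   $2 lists winbind for $db"
        else
            echo "FAIL: $2 does not list winbind for $db (getpwnam() cannot resolve AD users)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# make_samples: writes constructed before/after copies of both files into a
# temporary directory and prints its path. "before" is the stock Fedora 12
# password-auth from the thread; "after" adds the pam_winbind lines in the same
# order the poster used in system-auth, plus pam_mkhomedir with umask=0022.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/password-auth.before" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
session     required      pam_limits.so
session     required      pam_unix.so
EOF
    cat > "$d/password-auth.after" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_winbind.so use_first_pass
account     required      pam_permit.so
session     required      pam_limits.so
session     required      pam_unix.so
session     required      pam_winbind.so use_first_pass
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
    printf 'passwd:     files\ngroup:      files\n' > "$d/nsswitch.conf.before"
    printf 'passwd:     files winbind\ngroup:      files winbind\n' > "$d/nsswitch.conf.after"
    echo "$d"
}

# Stand-alone run over the constructed samples. On a real client, run
# check_ad_login_config /etc/pam.d/password-auth /etc/nsswitch.conf instead.
dir=$(make_samples)
echo "== before =="
check_ad_login_config "$dir/password-auth.before" "$dir/nsswitch.conf.before" || echo "problems: $?"
echo "== after =="
check_ad_login_config "$dir/password-auth.after" "$dir/nsswitch.conf.after" && echo "no problems"
rm -rf "$dir"
```

The "before" pair reproduces the failure mode in post #6: pam_winbind grants access in the auth phase, then pam_unix's account check calls getpwnam(), which has no winbind source and reports the user as unknown. The checker only inspects the files; it does not confirm that winbindd is running or that the machine is joined, which is what `wbinfo -u` from post #6 covers.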

  8. #8
    Join Date
    Sep 2002
    Location
    BBY
    Posts
    6

    It's working, I can log in now using AD usernames...

    Hi all,

    Special thanks to furrycat, I can login now...

    Corrected nsswitch.conf; in the PAM config I am now using umask=0022, and the initial login is happening.

    When I initially tried to log in, I was thrown out right after the wallpaper was shown. So I went to CLI mode, went to /home/TESTSYS/, and executed the chgrp command to change the group of the tuser1 directory to the 'tuser1' 'domain users' group.

    I will further test these steps on a few more systems and will update here with a step-by-step document.

    Updating current config files in a .zip file here.

    Thanks again...
    Jeeson.
    Attached Files
    Last edited by jeeson; 04-24-2010 at 04:16 PM. Reason: edit re. initial login
