In my attempt to learn Linux, I installed and configured Samba so that Windows 2003 Server Active Directory users can log in to Fedora 12 Linux PCs.
Using terminal mode / CLI console, all AD users can log in to the Fedora 12 system.
At the moment, I boot into init 4 mode first, log in as an AD domain user, then give the startx command to get Gnome.
But in a normal GDM boot-up, AD domain users can't log in; only local Linux users can.
I think this is a GDM + PAM configuration issue, considering I am getting a gdm-password error log in /var/log/secure when an AD domain user tries to log in.
You didn't say how you granted access to AD users on the console. The right way would be to edit /etc/pam.d/system-auth so I'll assume that that's what you did. Before Fedora 11 that would have been sufficient but now you also have to edit /etc/pam.d/password-auth because the PAM rules for gdm-password include that.
I didn't know about password-auth, so I haven't changed it. The content is as given below:
-----password-auth-----
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
Copy the pam_winbind lines. They should do it. You can copy the pam_mkhomedir as well if you want the users' home directories to be created locally when they log on for the first time.
Troubleshooting a bit, still getting error. These are last few lines from /var/log/secure:
Apr 24 01:07:41 localhost login: pam_winbind(login:auth): getting password (0x00000010)
Apr 24 01:07:41 localhost login: pam_winbind(login:auth): pam_get_item returned a password
Apr 24 01:07:41 localhost login: pam_winbind(login:auth): user 'tuser1' granted access
Apr 24 01:07:41 localhost login: pam_unix(login:account): could not identify user (from getpwnam(tuser1))
Apr 24 01:07:41 localhost login: pam_succeed_if(login:account): error retrieving information about user tuser1
Apr 24 01:07:41 localhost login: User not known to the underlying authentication module
Now, I can't log in in console/CLI mode either.
AD Server: svr1.testsys.home (ip: 192.168.0.254 Windows 2003 SP2)
Client: Fedora 12 XFCE Spin ip: 192.168.0.45
realm: TESTSYS.HOME
kinit, klist, wbinfo -u: all these commands work and give proper results. The problem is that I can't log in.
I am attaching all the files in which I made changes in a .zip file for better review.
After this troubleshooting is over, I will make a document with all the steps involved in doing this.
You don't have winbind in the nsswitch.conf from your Zip which may explain why your logs show complaints about the user not being known. But it's weird that you could log in before. That said your archive of files you changed doesn't include the password-auth one you were going to edit so perhaps I'm missing something.
Disclaimer: I never actually used winbind. I usually join the machine to the Active Directory domain and use nss_ldap and pam_krb5. winbind was mostly working for you, however, so I'm sure we can get there.
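A check for the two files furrycat keeps pointing at (pam_winbind rules in password-auth, and winbind as an NSS source in nsswitch.conf), written as an added example rather than anything posted in this thread. The file contents are constructed, minimal stand-ins, not authconfig output, and the function names are my own:

```shell
#!/bin/sh
# Constructed sample files standing in for /etc/pam.d/password-auth and
# /etc/nsswitch.conf (assumed contents, not the poster's real files).
set -e
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# password-auth after copying the pam_winbind (and pam_mkhomedir) lines over
cat > "$TMP/password-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     sufficient    pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF

# nsswitch.conf without winbind (the state spotted in the zip)
cat > "$TMP/nsswitch.broken" <<'EOF'
passwd:     files
group:      files
EOF

# nsswitch.conf with winbind added so getpwnam() can resolve AD users
cat > "$TMP/nsswitch.fixed" <<'EOF'
passwd:     files winbind
group:      files winbind
EOF

# Is there a pam_winbind.so rule in the given PAM section (auth/account/session)?
pam_has_winbind() {   # $1 = PAM file, $2 = section name
    grep -Eq "^[[:space:]]*$2[[:space:]]+[^[:space:]]+.*pam_winbind\.so" "$1"
}

# Does nsswitch.conf list winbind as a source for the given database (passwd/group)?
nss_has_winbind() {   # $1 = nsswitch file, $2 = database name
    grep -Eq "^[[:space:]]*$2:.*([[:space:]]|^)winbind([[:space:]]|$)" "$1"
}

# Predict the symptom from the /var/log/secure lines above: pam_winbind grants
# auth, then the account stack fails with "could not identify user (from
# getpwnam(...))" because NSS never consults winbind. Returns 0 when consistent.
diagnose() {   # $1 = PAM file, $2 = nsswitch file
    if pam_has_winbind "$1" auth && ! nss_has_winbind "$2" passwd; then
        echo "pam_winbind authenticates, but passwd lookups skip winbind: expect getpwnam() failure"
        return 1
    fi
    echo "PAM and NSS agree on winbind"
}
```

Run it against the real /etc/pam.d/password-auth and /etc/nsswitch.conf by passing those paths to diagnose instead of the constructed files.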
It's working, I can log in now using AD usernames...
Hi all,
Special thanks to furrycat, I can login now...
Corrected nsswitch.conf; in the PAM config I am now using umask=0022 and the initial login is happening.
When I initially tried to log in, I was thrown out after it just showed the wallpaper. So, I went to CLI mode, went to /home/TESTSYS/, and executed the chgrp command to change the group of the tuser1 directory to the 'tuser1' 'domain users' group.
I will further test these steps on a few more systems and will update here with a step-by-step document.
Updating the current config files in a .zip file here.
Thanks again...
Jeeson.
Last edited by jeeson; 04-24-2010 at 04:16 PM.
Reason: edit re. initial login