Centos 7 member server login fails


Centos 7 member server login fails

Samba - General mailing list
I have a problem that is now becoming very annoying. Namely I have a
Centos 7 member server running Sernet Samba 4.7.4 for which everything
seems to work except gdm or ftp logins. On the linux client it seems
winbindd is set up correctly. For example (the data shown below has been
sanitized):

 > getent passwd
testuser2:*:3001108:3000513::/home/testuser1:/bin/bash
testuser1:*:3001107:3000513::/home/testuser2:/bin/bash

 > getent group
domain admins:x:3000512:administrator
domain users:x:3000513:testuser2,testuser1,administrator,krbtgt

 > kinit Administrator
Password for [hidden email]:
 > klist
Ticket cache: KEYRING:persistent:3001107:3001107
Default principal: [hidden email]

Valid starting       Expires              Service principal
12/26/2017 14:24:36  12/27/2017 00:24:36 krbtgt/[hidden email]
     renew until 01/02/2018 14:24:32

 >cat /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
#initgroups: files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files winbind

netgroup:   files winbind

publickey:  nisplus

automount:  files
aliases:    files nisplus

After a console or ftp login I see these errors:

 > cat /var/log/messages
Dec 26 14:31:26 testhost gdm-password]: AccountsService: ActUserManager:
user (null) has no username (uid: -1)
Dec 26 14:31:28 testhost gdm-password]: AccountsService: ActUserManager:
user (null) has no username (uid: -1)
Dec 26 14:31:30 testhost gdm-password]: AccountsService: ActUserManager:
user (null) has no username (uid: -1)

 >cat /var/log/secure
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth):
getting password (0x00000010)
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth):
Could not retrieve user's password
Dec 26 14:31:26 testhost gdm-password]: gkr-pam: no password is
available for user
Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth):
getting password (0x00000010)
Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth):
Could not retrieve user's password
Dec 26 14:31:28 testhost gdm-password]: gkr-pam: no password is
available for user
Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth):
getting password (0x00000010)
Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth):
Could not retrieve user's password
Dec 26 14:31:30 testhost gdm-password]: gkr-pam: no password is
available for user

So you can see pam_winbind is called but there is no password for the
user. And what is really strange is that I can login to the member
server via ssh using a public/private key (username/password
authentication is turned off). After an ssh login I see this in
/var/log/secure:

 > cat /var/log/secure
Dec 26 14:38:03 testhost sshd[32407]:
pam_unix(sshd:session): session closed for user testuser1
Dec 26 14:38:07 testhost sshd[32501]: pam_winbind(sshd:account): user
'testuser1' granted access
Dec 26 14:38:07 testhost sshd[32501]: Accepted publickey for testuser1
from 192.168.1.3 port 53174 ssh2: RSA
SHA256:CVb5dqn5xUPXO0iVbUyHlNuXUZeW4J6k42Kg94teayg
Dec 26 14:38:07 testhost sshd[32501]: pam_systemd(sshd:session): Failed
to create session: No such file or directory
Dec 26 14:38:07 testhost sshd[32501]: pam_unix(sshd:session): session
opened for user testuser1 by (uid=0)

Logins on the DC do work properly. Plus I have 3 other member server
linux boxes all running SSSD which have no issues. I am pretty sure the
issue is on the client box running winbindd. Does anyone have any
suggestions as to how to debug this issue or what might be going wrong?

--
Paul ([hidden email])
Cell: (303)257-5208

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Centos 7 member server login fails

Samba - General mailing list
On 12/26/2017 06:08 PM, Paul R. Ganci via samba wrote:

> >cat /var/log/secure
> Dec 26 14:31:26 testhost gdm-password]:
> pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:26 testhost gdm-password]:
> pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:26 testhost gdm-password]: gkr-pam: no password is
> available for user
> Dec 26 14:31:28 testhost gdm-password]:
> pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:28 testhost gdm-password]:
> pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:28 testhost gdm-password]: gkr-pam: no password is
> available for user
> Dec 26 14:31:30 testhost gdm-password]:
> pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:30 testhost gdm-password]:
> pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:30 testhost gdm-password]: gkr-pam: no password is
> available for user
>
Okay I will answer my own question. I ran authconfig-tui to redo the PAM
configuration and everything started to work again. I guess the manual
version I had placed into the /etc/pam.d directory had a problem. Things
are good again.

--
Paul ([hidden email])
Cell: (303)257-5208


Re: Centos 7 member server login fails

Samba - General mailing list
On Tue, 26 Dec 2017 18:08:11 -0700
"Paul R. Ganci via samba" <[hidden email]> wrote:

> I have a problem that is now becoming very annoying. Namely I have a
> Centos 7 member server running Sernet Samba 4.7.4 for which
> everything seems to work except gdm or ftp logins. On the linux
> client it seems winbindd is set up correctly. For example (the data
> shown below has been sanitized):
>
>  > getent passwd
> testuser2:*:3001108:3000513::/home/testuser1:/bin/bash
> testuser1:*:3001107:3000513::/home/testuser2:/bin/bash
>
>  > getent group
> domain admins:x:3000512:administrator
> domain users:x:3000513:testuser2,testuser1,administrator,krbtgt

Have you actually given your users & groups a uidNumber or gidNumber
attribute, or are you using the 'rid' backend?

>
>  > kinit Administrator
> Password for [hidden email]:
>  > klist
> Ticket cache: KEYRING:persistent:3001107:3001107
> Default principal: [hidden email]

This gets stranger and stranger, if you are using the 'rid' backend,
why does 'Administrator' have the 'RID' 1107 ? and if you aren't, why
isn't it '0:0' ?

>
> Valid starting       Expires              Service principal
> 12/26/2017 14:24:36  12/27/2017 00:24:36
> krbtgt/[hidden email] renew until 01/02/2018 14:24:32
>
>  >cat /etc/nsswitch.conf
> passwd:     files winbind
> group:      files winbind

You should only have winbind on the two lines above, remove it from any
other lines.

>
> After a console or ftp login I see these errors:
>
>  > cat /var/log/messages
> Dec 26 14:31:26 testhost gdm-password]: AccountsService:
> ActUserManager: user (null) has no username (uid: -1)
> Dec 26 14:31:28 testhost gdm-password]: AccountsService:
> ActUserManager: user (null) has no username (uid: -1)
> Dec 26 14:31:30 testhost gdm-password]: AccountsService:
> ActUserManager: user (null) has no username (uid: -1)
>
>  >cat /var/log/secure
> Dec 26 14:31:26 testhost gdm-password]:
> pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:26 testhost gdm-password]:
> pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:26 testhost gdm-password]: gkr-pam: no password is
> available for user
> Dec 26 14:31:28 testhost gdm-password]:
> pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:28 testhost gdm-password]:
> pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:28 testhost gdm-password]: gkr-pam: no password is
> available for user
> Dec 26 14:31:30 testhost gdm-password]:
> pam_winbind(gdm-password:auth): getting password (0x00000010)
> Dec 26 14:31:30 testhost gdm-password]:
> pam_winbind(gdm-password:auth): Could not retrieve user's password
> Dec 26 14:31:30 testhost gdm-password]: gkr-pam: no password is
> available for user

Winbind cannot find your user

>
> So you can see pam_winbind is called but there is no password for the
> user. And what is really strange is that I can login to the member
> server via ssh using a public/private key (username/password
> authentication is turned off). After an ssh login I see this in
> /var/log/secure:

This will work because kerberos is used instead of winbind.

>
> Logins on the DC do work properly. Plus I have 3 other member server
> linux boxes all running SSSD which have no issues. I am pretty sure
> the issue is on the client box running winbindd. Does anyone have any
> suggestions as to how to debug this issue or what might be going
> wrong?

You have purged sssd, haven't you?
It interferes with winbind, at least it did when I tested winbind on a
centos 7 VM; removing sssd fixed everything.

Rowland
 



Re: Centos 7 member server login fails

Samba - General mailing list

On 12/27/2017 02:39 AM, Rowland Penny via samba wrote:
>
> Have you actually given your users & groups a uidNumber or gidNumber
> attribute, or are you using the 'rid' backend
Yes, I am using the AD backend and they have these uidNumber & gidNumbers.
They come from when I was originally using rid (back in the 4.0 days)
and switched to the AD backend. I just happened to make the
uidNumber/gidNumber the number one would get if using rid. I never
changed them to anything more reasonable since I didn't want to deal
with the issues that creates. So yes it seems strange but everything is
correct.

There is actually another list message in the archives where the use of
these uidNumber/gidNumber caused confusion. Maybe one of these days I
will changeover to something more reasonable if just to avoid that
confusion.
> This gets stranger and stranger, if you are using the 'rid' backend,
> why does 'Administrator' have the 'RID' 1107 ? and if you aren't, why
> isn't it '0:0' ?
The kinit command was issued from the testuser1 account. I will go out
on a limb and suggest that 3001107 is correct since that is the keyring
owner. If it makes you feel better here is the same getent passwd on the
DC (note the "0" in the administrator user):

 > getent passwd
MYDC\administrator:*:0:3000513::/home/administrator:/bin/bash
MYDC\testuser2:*:3001108:3000513::/home/testuser2:/bin/bash
MYDC\testuser1:*:3001107:3000513::/home/testuser1:/bin/bash

I did give domain users and domain admin groups gidNumbers so that is
what you see. That is why it is not 0:0. My understanding is that is
okay. You just cannot give administrator a uidNumber if I recall other
list messages correctly.

Also if I do the kinit/klist commands on the member server as root I get
this:
 > kinit administrator
Password for [hidden email]:
 > klist
Ticket cache: KEYRING:persistent:0:krb_ccache_kgkyAS7
Default principal: [hidden email]

Valid starting       Expires              Service principal
12/27/2017 18:24:49  12/28/2017 04:24:49 krbtgt/[hidden email]
     renew until 01/03/2018 18:24:46
> Winbind cannot find your user
Yes sssd was completely removed. The SERNET samba distribution will not
install if sssd is installed. Yum errors will occur. And as I said in my
other message the problem disappears once I re-ran authconfig-tui.
Authconfig-tui changes /etc/nsswitch.conf file per your suggestion, and
it recreates /etc/pam.d/passwd-auth-ac file and
/etc/pam.d/system-auth-ac for use with winbind. I had been using
/etc/pam.d/ files created from those used by sssd and hand edited with
vi to change over to winbind. While that worked at one time it failed
this time with my upgrade from samba 4.6 to 4.7. They were admittedly
pretty old versions of the PAM files so I guess I should have expected
this day to come.

In any event, I will reiterate that everything is working like it is
supposed to now. Thank you for your help.

--
Paul ([hidden email])
Cell: (303)257-5208

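Rowland's advice (winbind only on the passwd and group lines of nsswitch.conf) and Paul's fix (a PAM stack that actually loads pam_winbind in the auth phase) can both be checked before the next login fails. The script below is an added example, not from the thread; the two sample files and the mktemp paths are constructed here so it runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example: lint a winbind member server's nsswitch.conf and PAM stack.

# Print every active nsswitch line that lists winbind outside passwd/group.
# Returns 0 when clean, 1 when stray winbind entries exist (Rowland's rule).
check_nsswitch() {
    # $1 = path to an nsswitch.conf-style file; comments are ignored
    stray=$(grep -v '^[[:space:]]*#' "$1" | grep -w winbind \
            | grep -Ev '^(passwd|group):' || true)
    if [ -n "$stray" ]; then
        printf 'winbind listed outside passwd/group:\n%s\n' "$stray"
        return 1
    fi
    return 0
}

# Return 0 if the PAM file has an active auth line loading pam_winbind.so
# (the module gdm-password was calling in the logs), otherwise 1.
check_pam_winbind() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so' "$1"
}

# Constructed sample: the poster's layout, with winbind on shadow, services
# and netgroup as well as passwd and group.
NSS_BAD=$(mktemp)
cat > "$NSS_BAD" <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
services:   files winbind
netgroup:   files winbind
hosts:      files dns myhostname
EOF

# Constructed sample: a minimal system-auth stack with pam_winbind in auth.
PAM_OK=$(mktemp)
cat > "$PAM_OK" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
EOF

check_nsswitch "$NSS_BAD" || echo "nsswitch.conf needs cleanup"
check_pam_winbind "$PAM_OK" && echo "pam_winbind present in auth stack"
```

On a real box, point the two functions at /etc/nsswitch.conf and /etc/pam.d/system-auth-ac; a clean nsswitch.conf plus a missing pam_winbind auth line reproduces the "Could not retrieve user's password" symptom from the thread.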