17th March 2011, 19:19
Al Howard (Junior Member)
Problem with RHEL6 login and Active Directory

Hello to all,
I’m a new member hoping the Linux community can help. We have several lab computers that we would like to upgrade from RHEL5-Server to RHEL6-Server as the OS. They authenticate via Kerberos and pull the user’s login info from Microsoft AD, currently Server 2008 running in 2003 Forest mode. We also auto mount their AD network share to /home. This has worked flawlessly for RHEL5, but we are experiencing login problems while testing RHEL6.
Here’s what we did:
Added the samba-client packages during installation.
Added samba-winbind via yum since it was not included.
Added “allow_weak_crypto = true” to krb5.conf so the host could join AD domain.
Verified that “wbinfo -u” and “wbinfo -g” both return user and group list successfully.
Copied /etc/pam.d/system-auth-ac to /etc/pam.d/password-auth-ac. This allowed us to get through the “auth” portion of pam but now the login is failing during the “account” portion.
Users attempting to login receive a “User is not known to the underlying authentication model” on the login screen.

Looking at /var/log/secure reveals the following:
Mar 17 09:30:01 linux16 pam: gdm-password[16778]: pam_winbind(gdm-password:auth): getting password (0x00000000)
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_winbind(gdm-password:auth): user 'ahh321' granted access
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: gkr-pam: error looking up user information for: ahh321
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_unix(gdm-password:account): could not identify user (from getpwnam(ahh321))
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_succeed_if(gdm-password:account): error retrieving information about user ahh321

It looks like winbind is not working correctly but maybe it is a completely different issue. No changes have been made to the AD domain controller. Any ideas or suggestions would be greatly appreciated. I have included pam.d/system-auth-ac (password-auth-ac is the same) and smb.conf and can send krb5.conf or nsswitch.conf if needed. Thanks in advance.

[root@linux16 ~]# cat /etc/pam.d/system-auth-ac
### Also copied this file to /etc/pam.d/password-auth-ac

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account sufficient pam_winbind.so
account required pam_unix.so try_first_pass
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_winbind.so
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

[root@linux16 ~]# cat /etc/samba/smb.conf


# Generated by authconfig on 2011/02/25 15:14:14
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = labs
password server = lab01.labdomain.psu.edu lab02.labdomain.psu.edu
security = ads
idmap uid = 10000-20000
idmap gid = 1000-2000
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false


# ----------- Network Related Options-------

netbios name = linux16
unix extensions = yes
idmap backend = ad
winbind nss info = rfc2307
use kerberos keytab = yes
winbind cache time = 10
winbind enum users = yes
winbind enum groups = yes
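
The log excerpt in the post above shows pam_winbind granting access and pam_unix then failing getpwnam() for the same user inside one login process. As an added example (not part of the original post), this shell function flags that pattern in /var/log/secure-style lines; the function names are hypothetical and the sample input is the excerpt quoted in the post.

```shell
#!/bin/sh
# Added example: flag logins where pam_winbind accepted the password but
# pam_unix could not resolve the same user via getpwnam() (an NSS lookup).

# Sample input: the /var/log/secure excerpt quoted in the post above.
sample_log() {
cat <<'EOF'
Mar 17 09:30:01 linux16 pam: gdm-password[16778]: pam_winbind(gdm-password:auth): getting password (0x00000000)
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_winbind(gdm-password:auth): user 'ahh321' granted access
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: gkr-pam: error looking up user information for: ahh321
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_unix(gdm-password:account): could not identify user (from getpwnam(ahh321))
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_succeed_if(gdm-password:account): error retrieving information about user ahh321
EOF
}

# find_nss_gaps (hypothetical name): read log lines on stdin and print
# "<pid> <user>" for each login process in which the auth phase succeeded
# through pam_winbind and the account phase then failed getpwnam().
find_nss_gaps() {
  awk -v q="'" '
    {
      # PID of the login process, taken from "service[PID]:".
      pid = ""
      if (match($0, /\[[0-9]+\]:/)) pid = substr($0, RSTART + 1, RLENGTH - 3)
    }
    pid != "" && /pam_winbind\([^)]*:auth\): user .* granted access/ {
      split($0, part, q)          # the user name sits between the quotes
      granted[pid] = part[2]
    }
    pid != "" && /pam_unix\([^)]*:account\): could not identify user/ {
      if (match($0, /getpwnam\([^)]*\)/)) {
        user = substr($0, RSTART + 9, RLENGTH - 10)
        if (user != "" && granted[pid] == user) print pid, user
      }
    }
  '
}

sample_log | find_nss_gaps
```

A hit means the password check passed and the failure is in user lookup, so the name-service configuration is the place to look rather than Kerberos or the password itself.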

16th September 2011, 23:23
Beandip408 (Junior Member)
same issues

Well, I'm new to CentOS and am trying to do the same. I'm replying so I can get a notification if someone is able to help you. My problem is that I think I need a step-by-step walkthrough.

17th September 2011, 16:44
inky (Junior Member)

Hello, it seems that samba wants to get the user from gdbm, which is incorrect.

I assume that in /etc/krb5.conf you have something like this:

default_realm = LABDOMAIN.PSU.EDU

    kdc = lab01.labdomain.psu.edu lab02.labdomain.psu.edu

.labdomain.psu.edu = LABDOMAIN.PSU.EDU

/etc/samba/smb.conf - add this to the config - you need not add the socket options - they are just for performance.

auth methods = winbind
encrypt passwords = yes
allow trusted domains = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
time server = Yes
winbind use default domain = true
winbind refresh tickets = yes

What do you have in /etc/nsswitch.conf?
(You must add winbind here if you don't have it.)

For example - it's just an example - don't copy it to your switch - you may not be able to log in to the system if you have something special configured - just add winbind.
passwd:     files winbind
shadow:     files winbind
group:      files winbind

To make Kerberos function properly you must synchronize time with the AD server. Add this to crontab if you don't have it:

*/5 * * * * root /usr/sbin/ntpdate lab01.labdomain.psu.edu

service smb start
service winbind start
kinit adm (adm - change it to your administrator account name from AD) - we are trying to get a ticket from AD.
klist - post here what it says if there is an error - if it shows that it got the ticket, with its starting time and expiry time, then everything is fine.
net ads join -U adm (adm - change it to your administrator account) - we join Active Directory with this command.

Hope that helps you.

Last edited by inky; 17th September 2011 at 16:50.
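
The reply above asks whether /etc/nsswitch.conf lists winbind for passwd, shadow and group. As an added example (not part of the original post), this shell function reports which of those three databases lack a winbind source; the function names are hypothetical and both sample files are constructed.

```shell
#!/bin/sh
# Added example: report which NSS databases do not consult winbind.

# nss_missing_winbind FILE (hypothetical name): print each of passwd, shadow
# and group whose source list in FILE lacks "winbind", or that has no entry.
nss_missing_winbind() {
  awk '
    {
      sub(/#.*/, "")                      # strip comments
      c = index($0, ":")
      if (c == 0) next
      db = substr($0, 1, c - 1)
      gsub(/[ \t]/, "", db)
      n = split(substr($0, c + 1), src, /[ \t]+/)
      for (i = 1; i <= n; i++) if (src[i] == "winbind") ok[db] = 1
    }
    END {
      n = split("passwd shadow group", want, " ")
      for (i = 1; i <= n; i++) if (!(want[i] in ok)) print want[i]
    }
  ' "$1"
}

# Constructed sample files: a files-only configuration, and the same file
# with winbind added to the three databases listed in the post.
write_samples() {
  cat > "$1/nsswitch.before" <<'EOF'
# constructed sample
passwd:     files
shadow:     files
group:      files
hosts:      files dns
EOF
  cat > "$1/nsswitch.after" <<'EOF'
passwd:     files winbind
shadow:     files winbind   # trailing comment
group:      files winbind
hosts:      files dns
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "before: $(nss_missing_winbind "$tmp/nsswitch.before" | tr '\n' ' ')"
echo "after:  $(nss_missing_winbind "$tmp/nsswitch.after" | tr '\n' ' ')"
rm -rf "$tmp"
```

On a live host, `getent passwd <user>` exercises the same NSS lookup path that pam_unix uses, so it confirms whether the change took effect.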

21st September 2011, 16:43
Al Howard (Junior Member)

No, I did not get it working yet. Now that the school year has started we will stick with RHEL5 and take a look at RHEL6 again next year.

Last edited by Al Howard; 21st September 2011 at 16:48.