17th March 2011, 18:19
Al Howard (Junior Member; joined Mar 2011; 2 posts)
Problem with RHEL6 login and Active Directory

Hello to all,
I’m a new member hoping the Linux community can help. We have several lab computers that we would like to upgrade from RHEL5-Server to RHEL6-Server as the OS. They authenticate via Kerberos and pull the user’s login info from Microsoft AD, currently Server 2008 running in 2003 Forest mode. We also auto mount their AD network share to /home. This has worked flawlessly for RHEL5, but we are experiencing login problems while testing RHEL6.
Here’s what we did:
Added the samba-client packages during installation. Added samba-winbind via yum since it was not included. Added "allow_weak_crypto = true" to krb5.conf so the host could join the AD domain. Verified that "wbinfo -u" and "wbinfo -g" both return the user and group lists successfully. Copied /etc/pam.d/system-auth-ac to /etc/pam.d/password-auth-ac. This allowed us to get through the "auth" portion of PAM, but now the login is failing during the "account" portion. Users attempting to log in receive "User is not known to the underlying authentication module" on the login screen.

Looking at /var/log/secure reveals the following:
<snip>
Mar 17 09:30:01 linux16 pam: gdm-password[16778]: pam_winbind(gdm-password:auth): getting password (0x00000000)
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_winbind(gdm-password:auth): user 'ahh321' granted access
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: gkr-pam: error looking up user information for: ahh321
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_unix(gdm-password:account): could not identify user (from getpwnam(ahh321))
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_succeed_if(gdm-password:account): error retrieving information about user ahh321
</snip>

It looks like winbind is not working correctly but maybe it is a completely different issue. No changes have been made to the AD domain controller. Any ideas or suggestions would be greatly appreciated. I have included pam.d/system-auth-ac (password-auth-ac is the same) and smb.conf and can send krb5.conf or nsswitch.conf if needed. Thanks in advance.

[root@linux16 ~]# cat /etc/pam.d/system-auth-ac
### Also copied this file to /etc/pam.d/password-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account sufficient pam_winbind.so
account required pam_unix.so try_first_pass
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_winbind.so
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

[root@linux16 ~]# cat /etc/samba/smb.conf

[global]
#--authconfig--start-line--

# Generated by authconfig on 2011/02/25 15:14:14
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = labs
password server = lab01.labdomain.psu.edu lab02.labdomain.psu.edu
realm = LABDOMAIN.PSU.EDU
security = ads
idmap uid = 10000-20000
idmap gid = 1000-2000
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false

#--authconfig--end-line--

# ----------- Network Related Options-------

netbios name = linux16
unix extensions = yes
idmap backend = ad
winbind nss info = rfc2307
use kerberos keytab = yes
winbind cache time = 10
winbind enum users = yes
winbind enum groups = yes
16th September 2011, 22:23
Beandip408 (Junior Member; joined Sep 2011; 1 post)
same issues

Well, I'm new to CentOS and am trying to do the same. I'm replying so I can get a notification if someone is able to help you. My problem is that I think I need a step-by-step walkthrough.
17th September 2011, 15:44
inky (Junior Member; joined Sep 2011; 2 posts)

Hello, it seems that Samba wants to get the user from gdbm, which is incorrect.

I assume that in /etc/krb5.conf you have something like this:

Code:
[libdefaults]
default_realm = LABDOMAIN.PSU.EDU

[realms]
LABDOMAIN.PSU.EDU = {
    kdc = lab01.labdomain.psu.edu lab02.labdomain.psu.edu
}

[domain_realm]
.labdomain.psu.edu = LABDOMAIN.PSU.EDU
/etc/samba/smb.conf - add this to the config. You don't have to add the socket options; they're just for performance.

Code:
auth methods = winbind
encrypt passwords = yes
allow trusted domains = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
time server = Yes
winbind use default domain = true
winbind refresh tickets = yes
What do you have in /etc/nsswitch.conf? (You must add winbind there if you don't have it.)

For example (it's just an example; don't copy it into your nsswitch.conf, because you may not be able to log in to the system if you have something special configured; just add winbind):
Code:
passwd:     files winbind
shadow:     files winbind
group:      files winbind
To make Kerberos function properly, you must synchronize time with the AD server. Add this to the crontab if you don't have it:

Code:
*/5 * * * * root /usr/sbin/ntpdate lab01.labdomain.psu.edu

Next:

service smb start
service winbind start
kinit adm (adm: change it to your administrator account name from AD) - we are trying to get a ticket from AD.
klist - paste here what it says if there is an error; if it shows that it got the ticket, with its start time and expiry time, then everything is fine.
net ads join -U adm (adm: change it to your administrator account) - we join Active Directory with this command.

Hope that helps you.

Last edited by inky; 17th September 2011 at 15:50.
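The /var/log/secure excerpt in the first post shows pam_winbind "granted access" immediately followed by pam_unix "could not identify user (from getpwnam(ahh321))": PAM authenticated the user against AD, but the C library could not resolve the account afterwards. The two configuration conditions that produce exactly that pair of lines are the ones inky asks about (winbind missing from the passwd/group lines of /etc/nsswitch.conf) and an idmap range in smb.conf that cannot hold the mapping. The script below is an added example, not code from the thread or from Samba; it checks both conditions from the config files alone so it runs offline. The sample file contents are constructed (the quoted ranges follow the thread; the "bad" variants are hypothetical), and the local-account floor of 500 is the RHEL 6 UID_MIN/GID_MIN from /etc/login.defs, the same value the posted system-auth-ac tests with pam_succeed_if.

```sh
#!/bin/sh
# Added diagnostic for the "pam_winbind granted access / pam_unix could not
# identify user" pattern. Not code from the thread; checks two config
# conditions that make getpwnam() fail after a successful AD authentication.

# Return 0 only if every NSS database consulted by getpwnam()/getgrnam()
# lists winbind; otherwise name the missing ones on stderr and return 1.
nss_has_winbind() {
    conf="$1"
    missing=""
    for db in passwd group; do
        line=$(grep -E "^[[:space:]]*${db}:" "$conf" | head -n 1)
        case " $line " in
            *" winbind "*) ;;
            *) missing="$missing $db" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "nsswitch.conf: winbind missing from:$missing" >&2
        return 1
    fi
    return 0
}

# Parse "idmap <uid|gid> = LOW-HIGH" from smb.conf and reject a range that is
# missing, inverted, or starts below the local-account floor (500 on RHEL 6):
# such a range collides with local accounts and with "uid >= 500" in PAM.
idmap_range_ok() {
    conf="$1"; key="$2"; floor="$3"
    range=$(sed -n "s/^[[:space:]]*idmap ${key}[[:space:]]*=[[:space:]]*//p" "$conf" \
            | head -n 1 | tr -d ' \t\r')
    if [ -z "$range" ]; then
        echo "smb.conf: no 'idmap ${key}' range set" >&2
        return 1
    fi
    low=${range%%-*}
    high=${range##*-}
    if [ "$low" -lt "$floor" ] || [ "$high" -le "$low" ]; then
        echo "smb.conf: idmap ${key} = ${range} starts below ${floor} or is inverted" >&2
        return 1
    fi
    return 0
}

# Constructed sample files (the "bad" variants are hypothetical). Prints the
# directory they were written to so the caller can clean it up.
write_samples() {
    dir=$(mktemp -d)
    printf 'passwd:     files\nshadow:     files\ngroup:      files\n' > "$dir/nsswitch.bad"
    printf 'passwd:     files winbind\nshadow:     files winbind\ngroup:      files winbind\n' > "$dir/nsswitch.good"
    printf '[global]\nidmap uid = 10000-20000\nidmap gid = 1000-2000\n' > "$dir/smb.conf"
    printf '[global]\nidmap uid = 400-20000\nidmap gid = 2000-1000\n' > "$dir/smb.bad"
    echo "$dir"
}

# Run both checks over the samples; on a real host pass /etc/nsswitch.conf
# and /etc/samba/smb.conf instead.
samples=$(write_samples)
for f in nsswitch.bad nsswitch.good; do
    if nss_has_winbind "$samples/$f"; then echo "$f: winbind present"; fi
done
for f in smb.conf smb.bad; do
    if idmap_range_ok "$samples/$f" uid 500 && idmap_range_ok "$samples/$f" gid 500; then
        echo "$f: idmap ranges usable"
    fi
done
rm -rf "$samples"

# Once the files pass, confirm the whole chain on the host itself:
#   getent passwd ahh321   # NSS resolves the user through winbind
#   wbinfo -i ahh321       # winbind returns uid/gid/home/shell for the user
#   id ahh321              # group membership is mapped as well
# With "winbind nss info = rfc2307" (as in the posted smb.conf), wbinfo -i
# fails for any AD account that lacks uidNumber/gidNumber, and getpwnam()
# fails with it even though authentication succeeded.
```

Two caveats a practitioner would add to the procedure above. "allow_weak_crypto = true" in krb5.conf re-enables DES for every Kerberos exchange on the host; a 2003-level forest already offers RC4-HMAC, so check whether the host's computer account really is DES-only before keeping that line. And the "kinit adm" step leaves a domain administrator's TGT in the root credential cache on a lab machine; run "kdestroy" once "net ads join" has finished.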
21st September 2011, 15:43
Al Howard (Junior Member; joined Mar 2011; 2 posts)

Beandip408,

No, I did not get it working yet. Now that the school year has started we will stick with RHEL5 and take a look at RHEL6 again next year.

Last edited by Al Howard; 21st September 2011 at 15:48.
Tags
login failed, pam-winbind, rhel6
