Session closes immediately (pam + winbind)
Rick Stevens
ricks at nerd.com
Mon Jul 6 17:58:03 UTC 2009
Christopher Thielen wrote:
> Hi folks,
> Running Fedora 11, Samba 3.3.2, all the patches applied, selinux
> disabled. I've joined my computer to a Windows 2003 directory, getent
> passwd, wbinfo -u, -g, -t all work fine, but when I try to log in (gdm,
> ssh, etc.) with a domain user, the session closes immediately.
> According to /var/log/secure, it detects good and bad passwords, but
> upon receiving the correct password, /var/log/secure shows a "session
> opened for user" but that's the last line - nothing about the session
> closing, though it does.
> Here's the complete /var/log/secure output when I try to log in via
> SSH using a winbind account:
>
> Jul 6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=localhost.localdomain user=cmthielen
> Jul 6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): getting
> password (0x00000210)
> Jul 6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth):
> pam_get_item returned a password
> Jul 6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): user
> 'cmthielen' granted access
> Jul 6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:account): user
> 'cmthielen' granted access
> Jul 6 10:31:35 history-20 sshd[3189]: Accepted password for cmthielen
> from 127.0.0.1 port 55696 ssh2
> Jul 6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:session): session
> opened for user cmthielen by (uid=0)
>
>
> Any idea why the session closes immediately? A Debian user following an
> Ubuntu wiki guide had a similar problem and did not detail his solution,
> though he said it had to do with the syntax of his pam files. Here are
> the relevant files:
>
> smb.conf:
>
> #======================= Global Settings
> =====================================
>
> [global]
> #--authconfig--start-line--
>
> # Generated by authconfig on 2009/07/06 09:15:29
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
> workgroup = A.WORKGROUP # "censored"
> password server = 555.555.555.555 # "censored"
> realm = THE.REALM # "censored"
> security = ads
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/false
> winbind use default domain = true
> winbind offline logon = true
> winbind enum users = true
> winbind enum groups = true
>
> #--authconfig--end-line--
>
> ; workgroup = MYGROUP
> server string = Samba Server Version %v
>
> ; netbios name = MYSERVER
>
> ; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
> ; hosts allow = 127. 192.168.12. 192.168.13.
>
>
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
>
>
> ; security = user
> passdb backend = tdbsam
>
> ; security = domain
> ; passdb backend = tdbsam
> ; realm = MY_REALM
>
> ; password server = <NT-Server-Name>
>
> ; security = user
> ; passdb backend = tdbsam
>
> ; domain master = yes
> ; domain logons = yes
>
> # the login script name depends on the machine name
> ; logon script = %m.bat
> # the login script name depends on the unix user used
> ; logon script = %u.bat
> ; logon path = \\%L\Profiles\%u
> # disables profiles support by specifying an empty path
> ; logon path =
>
> ; add user script = /usr/sbin/useradd "%u" -n -g users
> ; add group script = /usr/sbin/groupadd "%g"
> ; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M
> -d /nohome -s /bin/false "%u"
> ; delete user script = /usr/sbin/userdel "%u"
> ; delete user from group script = /usr/sbin/userdel "%u" "%g"
> ; delete group script = /usr/sbin/groupdel "%g"
>
>
> ; local master = no
> ; os level = 33
> ; preferred master = yes
>
>
> ; wins support = yes
> ; wins server = w.x.y.z
> ; wins proxy = yes
>
> ; dns proxy = yes
>
>
> load printers = yes
> cups options = raw
>
> ; printcap name = /etc/printcap
> #obtain list of printers automatically on SystemV
> ; printcap name = lpstat
> ; printing = cups
>
>
> ; map archive = no
> ; map hidden = no
> ; map read only = no
> ; map system = no
> ; store dos attributes = yes
>
>
> #============================ Share Definitions
> ==============================
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> ; valid users = %S
> ; valid users = MYDOMAIN\%S
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = no
> writable = no
> printable = yes
>
> # Un-comment the following and create the netlogon directory for Domain
> Logons
> ; [netlogon]
> ; comment = Network Logon Service
> ; path = /var/lib/samba/netlogon
> ; guest ok = yes
> ; writable = no
> ; share modes = no
>
>
> # Un-comment the following to provide a specific roving profile share
> # the default is to use the user's home directory
> ; [Profiles]
> ; path = /var/lib/samba/profiles
> ; browseable = no
> ; guest ok = yes
>
>
> =========================================================================
>
> /etc/pam.d/system-auth-ac:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_winbind.so cached_login use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
> cached_login
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so sha512 shadow nullok
> try_first_pass use_authtok
> password sufficient pam_winbind.so cached_login use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session required pam_unix.so
>
> ==============================================
> /etc/pam.d/sshd # because the /var/log/secure above is an attempt to log
> in via sshd though I don't think sshd is specifically the problem (exact
> same behavior with gdm)
> #%PAM-1.0
> auth required pam_sepermit.so
> auth include system-auth
> account required pam_nologin.so
> account include system-auth
> password include system-auth
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session required pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed
> in the user context
> session required pam_selinux.so open env_params
> session optional pam_keyinit.so force revoke
> session include system-auth
Uh, uhm, in the "getent passwd" entry for the user you're trying to
authenticate as ("cmthielen"), does it have a valid shell? Your
"template shell" is /bin/false, which would close the session straight
away: a login shell of /bin/false exits at once, so sshd (and gdm) tear
the session down right after the "session opened" line without PAM
logging any error.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks at nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- "Men occasionally stumble over the truth, but most of them pick" -
- themselves up and hurry off as if nothing had happened." -
- -- Winston Churchill -
----------------------------------------------------------------------