Session closes immediately (pam + winbind)

Rick Stevens ricks at nerd.com
Mon Jul 6 17:58:03 UTC 2009


Christopher Thielen wrote:
> Hi folks,
> 	Running Fedora 11, Samba 3.3.2, all the patches applied, selinux
> disabled. I've joined my computer to a Windows 2003 directory, getent
> passwd, wbinfo -u, -g, -t all work fine, but when I try to log in (gdm,
> ssh, etc.) with a domain user, the session closes immediately.
> 	According to /var/log/secure, it detects good and bad passwords, but
> upon receiving the correct password, /var/log/secure shows a "session
> opened for user" line and that's the last line - nothing about the session
> closing, though it does.
> 	Here's the complete /var/log/secure output when I try to log in via
> SSH using a winbind account:
> 
> Jul  6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=localhost.localdomain  user=cmthielen
> Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): getting
> password (0x00000210)
> Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth):
> pam_get_item returned a password
> Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): user
> 'cmthielen' granted access
> Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:account): user
> 'cmthielen' granted access
> Jul  6 10:31:35 history-20 sshd[3189]: Accepted password for cmthielen
> from 127.0.0.1 port 55696 ssh2
> Jul  6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:session): session
> opened for user cmthielen by (uid=0)
> 
> 
> 	Any idea why the session closes immediately? A Debian user following an
> Ubuntu wiki guide had a similar problem and did not detail his solution,
> though he said it had to do with the syntax of his pam files. Here are
> the relevant files:
> 
> smb.conf:
> 
> #======================= Global Settings
> =====================================
> 	
> [global]
> #--authconfig--start-line--
> 
> # Generated by authconfig on 2009/07/06 09:15:29
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
> 
>    workgroup = A.WORKGROUP # "censored"
>    password server = 555.555.555.555 # "censored"
>    realm = THE.REALM # "censored"
>    security = ads
>    idmap uid = 16777216-33554431
>    idmap gid = 16777216-33554431
>    template shell = /bin/false
>    winbind use default domain = true
>    winbind offline logon = true
>    winbind enum users = true
>    winbind enum groups = true
> 
> #--authconfig--end-line--
> 	
> ;	workgroup = MYGROUP
> 	server string = Samba Server Version %v
> 	
> ;	netbios name = MYSERVER
> 	
> ;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 
> ;	hosts allow = 127. 192.168.12. 192.168.13.
> 	
> 	
> 	# logs split per machine
> 	log file = /var/log/samba/log.%m
> 	# max 50KB per log file, then rotate
> 	max log size = 50
> 	
> 
> ;	security = user
> 	passdb backend = tdbsam
> 
> ;	security = domain
> ;	passdb backend = tdbsam
> ;	realm = MY_REALM
> 
> ;	password server = <NT-Server-Name>
> 
> ;	security = user
> ;	passdb backend = tdbsam
> 	
> ;	domain master = yes 
> ;	domain logons = yes
> 	
> 	# the login script name depends on the machine name
> ;	logon script = %m.bat
> 	# the login script name depends on the unix user used
> ;	logon script = %u.bat
> ;	logon path = \\%L\Profiles\%u
> 	# disables profiles support by specifying an empty path
> ;	logon path =          
> 	
> ;	add user script = /usr/sbin/useradd "%u" -n -g users
> ;	add group script = /usr/sbin/groupadd "%g"
> ;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M
> -d /nohome -s /bin/false "%u"
> ;	delete user script = /usr/sbin/userdel "%u"
> ;	delete user from group script = /usr/sbin/userdel "%u" "%g"
> ;	delete group script = /usr/sbin/groupdel "%g"
> 	
> 	
> ;	local master = no
> ;	os level = 33
> ;	preferred master = yes
> 	
> 	
> ;	wins support = yes
> ;	wins server = w.x.y.z
> ;	wins proxy = yes
> 	
> ;	dns proxy = yes
> 	
> 	
> 	load printers = yes
> 	cups options = raw
> 
> ;	printcap name = /etc/printcap
> 	#obtain list of printers automatically on SystemV
> ;	printcap name = lpstat
> ;	printing = cups
> 
> 
> ;	map archive = no
> ;	map hidden = no
> ;	map read only = no
> ;	map system = no
> ;	store dos attributes = yes
> 
> 
> #============================ Share Definitions
> ==============================
> 	
> [homes]
> 	comment = Home Directories
> 	browseable = no
> 	writable = yes
> ;	valid users = %S
> ;	valid users = MYDOMAIN\%S
> 	
> [printers]
> 	comment = All Printers
> 	path = /var/spool/samba
> 	browseable = no
> 	guest ok = no
> 	writable = no
> 	printable = yes
> 	
> # Un-comment the following and create the netlogon directory for Domain
> Logons
> ;	[netlogon]
> ;	comment = Network Logon Service
> ;	path = /var/lib/samba/netlogon
> ;	guest ok = yes
> ;	writable = no
> ;	share modes = no
> 	
> 	
> # Un-comment the following to provide a specific roving profile share
> # the default is to use the user's home directory
> ;	[Profiles]
> ;	path = /var/lib/samba/profiles
> ;	browseable = no
> ;	guest ok = yes
> 	
> 
> =========================================================================
> 
> /etc/pam.d/system-auth-ac:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_winbind.so cached_login use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
> cached_login
> account     required      pam_permit.so
> 
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so sha512 shadow nullok
> try_first_pass use_authtok
> password    sufficient    pam_winbind.so cached_login use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> 
> ==============================================
> /etc/pam.d/sshd # included because the /var/log/secure excerpt above is from a
> login attempt via sshd, though I don't think sshd is specifically the problem
> (exact same behavior with gdm)
> #%PAM-1.0
> auth	   required	pam_sepermit.so
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    required     pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed
> in the user context
> session    required     pam_selinux.so open env_params
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth

Uh, uhm, in the "getent passwd" entry for the user you're trying to
authenticate as ("cmthielen"), does it have a valid shell?  Your
template shell is /bin/false, which would close the session straight away.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-  "Men occasionally stumble over the truth, but most of them pick"  -
-     themselves up and hurry off as if nothing had happened."       -
-                                  -- Winston Churchill              -
----------------------------------------------------------------------



