Session closes immediately (pam + winbind)

Christopher Thielen cmthielen at ucdavis.edu
Mon Jul 6 18:24:48 UTC 2009


Thanks Rick, setting my template shell to /bin/bash and restarting
winbind fixed the problem, but the setup leaves me with a few
questions:

1. template shell = /bin/bash leaves every domain user with the ability
to log onto the workstation. This is fine for my case, but out of
curiosity, is there a way to only set certain domain users to have a
real shell? Normally I would edit /etc/passwd, but domain users do not
appear there.

2. I could only get this working after shutting down nscd completely and
keeping it off. Is there a workaround to this? Is this a known problem?

3. system-config-authentication didn't work at all. Granted, it edited
smb.conf and krb5.conf mostly right, but it did not generate the
Kerberos ticket, join the domain, set the correct template shell (why
would an option to allow winbind logins set the template shell
to /bin/false?), or resolve the issue with nscd, which I've heard in
other places before. It seems to me Fedora's winbind authentication
support has been misconfigured for many releases now. Who do I talk to
about this?! :)

On Mon, 2009-07-06 at 10:58 -0700, Rick Stevens wrote:
> Christopher Thielen wrote:
> > Hi folks,
> > 	Running Fedora 11, Samba 3.3.2, all the patches applied, selinux
> > disabled. I've joined my computer to a Windows 2003 directory, getent
> > passwd, wbinfo -u, -g, -t all work fine, but when I try to log in (gdm,
> > ssh, etc.) with a domain user, the session closes immediately.
> > 	According to /var/log/secure, it detects good and bad passwords, but
> > upon receiving the correct password, /var/log/secure shows a "session
> > opened for user" but that's the last line - nothing about the session
> > closing, though it does.
> > 	Here's a complete date with /var/log/secure when I try to log in via
> > SSH using a winbind account:
> > 
> > Jul  6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:auth):
> > authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=localhost.localdomain  user=cmthielen
> > Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): getting
> > password (0x00000210)
> > Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth):
> > pam_get_item returned a password
> > Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:auth): user
> > 'cmthielen' granted access
> > Jul  6 10:31:35 history-20 sshd[3189]: pam_winbind(sshd:account): user
> > 'cmthielen' granted access
> > Jul  6 10:31:35 history-20 sshd[3189]: Accepted password for cmthielen
> > from 127.0.0.1 port 55696 ssh2
> > Jul  6 10:31:35 history-20 sshd[3189]: pam_unix(sshd:session): session
> > opened for user cmthielen by (uid=0)
> > 
> > 
> > 	Any idea why the session closes immediately? A Debian user following a
> > Ubuntu wiki guide had a similar problem and did not detail his solution,
> > though he said it had to do with the syntax of his pam files. Here are
> > the relevant files:
> > 
> > smb.conf:
> > 
> > #======================= Global Settings
> > =====================================
> > 	
> > [global]
> > #--authconfig--start-line--
> > 
> > # Generated by authconfig on 2009/07/06 09:15:29
> > # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> > # Any modification may be deleted or altered by authconfig in future
> > 
> >    workgroup = A.WORKGROUP # "censored"
> >    password server = 555.555.555.555 # "censored"
> >    realm = THE.REALM # "censored"
> >    security = ads
> >    idmap uid = 16777216-33554431
> >    idmap gid = 16777216-33554431
> >    template shell = /bin/false
> >    winbind use default domain = true
> >    winbind offline logon = true
> >    winbind enum users = true
> >    winbind enum groups = true
> > 
> > #--authconfig--end-line--
> > 	
> > ;	workgroup = MYGROUP
> > 	server string = Samba Server Version %v
> > 	
> > ;	netbios name = MYSERVER
> > 	
> > ;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 
> > ;	hosts allow = 127. 192.168.12. 192.168.13.
> > 	
> > 	
> > 	# logs split per machine
> > 	log file = /var/log/samba/log.%m
> > 	# max 50KB per log file, then rotate
> > 	max log size = 50
> > 	
> > 
> > ;	security = user
> > 	passdb backend = tdbsam
> > 
> > ;	security = domain
> > ;	passdb backend = tdbsam
> > ;	realm = MY_REALM
> > 
> > ;	password server = <NT-Server-Name>
> > 
> > ;	security = user
> > ;	passdb backend = tdbsam
> > 	
> > ;	domain master = yes 
> > ;	domain logons = yes
> > 	
> > 	# the login script name depends on the machine name
> > ;	logon script = %m.bat
> > 	# the login script name depends on the unix user used
> > ;	logon script = %u.bat
> > ;	logon path = \\%L\Profiles\%u
> > 	# disables profiles support by specifing an empty path
> > ;	logon path =          
> > 	
> > ;	add user script = /usr/sbin/useradd "%u" -n -g users
> > ;	add group script = /usr/sbin/groupadd "%g"
> > ;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M
> > -d /nohome -s /bin/false "%u"
> > ;	delete user script = /usr/sbin/userdel "%u"
> > ;	delete user from group script = /usr/sbin/userdel "%u" "%g"
> > ;	delete group script = /usr/sbin/groupdel "%g"
> > 	
> > 	
> > ;	local master = no
> > ;	os level = 33
> > ;	preferred master = yes
> > 	
> > 	
> > ;	wins support = yes
> > ;	wins server = w.x.y.z
> > ;	wins proxy = yes
> > 	
> > ;	dns proxy = yes
> > 	
> > 	
> > 	load printers = yes
> > 	cups options = raw
> > 
> > ;	printcap name = /etc/printcap
> > 	#obtain list of printers automatically on SystemV
> > ;	printcap name = lpstat
> > ;	printing = cups
> > 
> > 
> > ;	map archive = no
> > ;	map hidden = no
> > ;	map read only = no
> > ;	map system = no
> > ;	store dos attributes = yes
> > 
> > 
> > #============================ Share Definitions
> > ==============================
> > 	
> > [homes]
> > 	comment = Home Directories
> > 	browseable = no
> > 	writable = yes
> > ;	valid users = %S
> > ;	valid users = MYDOMAIN\%S
> > 	
> > [printers]
> > 	comment = All Printers
> > 	path = /var/spool/samba
> > 	browseable = no
> > 	guest ok = no
> > 	writable = no
> > 	printable = yes
> > 	
> > # Un-comment the following and create the netlogon directory for Domain
> > Logons
> > ;	[netlogon]
> > ;	comment = Network Logon Service
> > ;	path = /var/lib/samba/netlogon
> > ;	guest ok = yes
> > ;	writable = no
> > ;	share modes = no
> > 	
> > 	
> > # Un-comment the following to provide a specific roving profile share
> > # the default is to use the user's home directory
> > ;	[Profiles]
> > ;	path = /var/lib/samba/profiles
> > ;	browseable = no
> > ;	guest ok = yes
> > 	
> > 
> > =========================================================================
> > 
> > /etc/pam.d/system-auth-ac:
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      pam_env.so
> > auth        sufficient    pam_unix.so nullok try_first_pass
> > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > auth        sufficient    pam_winbind.so cached_login use_first_pass
> > auth        required      pam_deny.so
> > 
> > account     required      pam_unix.so broken_shadow
> > account     sufficient    pam_localuser.so
> > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
> > cached_login
> > account     required      pam_permit.so
> > 
> > password    requisite     pam_cracklib.so try_first_pass retry=3
> > password    sufficient    pam_unix.so sha512 shadow nullok
> > try_first_pass use_authtok
> > password    sufficient    pam_winbind.so cached_login use_authtok
> > password    required      pam_deny.so
> > 
> > session     optional      pam_keyinit.so revoke
> > session     required      pam_limits.so
> > session     optional      pam_mkhomedir.so
> > session     [success=1 default=ignore] pam_succeed_if.so service in
> > crond quiet use_uid
> > session     required      pam_unix.so
> > 
> > ==============================================
> > /etc/pam.d/sshd # because the /var/log/secure above is an attempt to log
> > in via sshd though I don't think sshd is specifically the problem (exact
> > same behavior with gdm)
> > #%PAM-1.0
> > auth	   required	pam_sepermit.so
> > auth       include      system-auth
> > account    required     pam_nologin.so
> > account    include      system-auth
> > password   include      system-auth
> > # pam_selinux.so close should be the first session rule
> > session    required     pam_selinux.so close
> > session    required     pam_loginuid.so
> > # pam_selinux.so open should only be followed by sessions to be executed
> > in the user context
> > session    required     pam_selinux.so open env_params
> > session    optional     pam_keyinit.so force revoke
> > session    include      system-auth
> 
> Uh, uhm, in the "getent passwd" entry for the user you're trying to
> authenticate as ("cmthielen"), does it have a valid shell?  Your
> template is /bin/false, which would close the session straight away.
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer                      ricks at nerd.com -
> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
> -                                                                    -
> -  "Men occasionally stumble over the truth, but most of them pick"  -
> -     themselves up and hurry off as if nothing had happened."       -
> -                                  -- Winston Churchill              -
> ----------------------------------------------------------------------




More information about the fedora-list mailing list