
Winbind or Pam-auth issues in logwatch

Status
Not open for further replies.

buddyj (MIS, US), Sep 27, 2006
environment:

Linux mymachine.mydoman.com 2.6.9-42.0.2.ELsmp #1 SMP Thu Aug 17 18:00:32 EDT 2006 i686 i686 i386 GNU/Linux

Samba version 3.0.10-1.4E.9 (Red Hat pre-compiled)

Red Hat updates the pam.d/system-auth file with seemingly appropriate pam_winbind entries.

I'm getting the following messages in logwatch after configuring samba/winbind. Domain users can ssh (the home directory is created) and ftp. I will post my config steps for samba/winbind after this post. Any clues to what I've done wrong would be greatly appreciated.

Users logging in through sshd:
mydomain\\don:
it1.mydomain.com (192.168.2.173): 2 times


Received disconnect:
11: All open channels closed
::ffff:192.168.2.173 : 1 Time(s)

**Unmatched Entries**
pam_krb5[24666]: no v5 creds for user 'mydomain\don', skipping session cleanup
pam_krb5[24664]: authentication fails for 'mydomain\don' (fdidon@FDI.com): User not known to the underlying authentication module (Client not found in Kerberos database)
pam_krb5[24664]: account checks fail for 'mydomain\don': user is unknown

This causes problems with certain 3rd-party applications such as the ROC Easyspooler web interface, where neither local nor domain users can be validated (except root).

Output from the 3rd-party authentication test script (caut; verifies trusted, /etc/passwd and the PAM flavor of choice) is as follows for a local user.

Authentication dump
service (eg "su") - pam_sudo
user name - buddyj
password (will be echoed) - xxxxxxx
auth_auth: debug 1 inline 0
auth_trusted: getspname found entry User buddyj
sp_namp: buddyj
sp_pwdp: imaskedtheoutput
auth_check_passwd_crypt: glibc2 crypt OK - passed
auth_etc_passswd: getpwnam found entry for User buddyj
pw_name: buddyj
pw_passwd: x
auth_check_passwd_crypt: FAILED (Standard crypt) *****
auth_check_passwd_crypt: Salt x passwd x crypt_result xxcxxxxxnNA
Calling pam_start
pam_start succeeded for service pam_sudo, user buddyj
Calling pam_authenticate
[GUI]Authentication failure for buddyj (PAM Err# 7)
[Result]NOK
Authentication failure for buddyj

and for a domain user:

Authentication dump
service (eg "su") - pam_sudo
user name - mydomain\don
password (will be echoed) - xxxxx
auth_auth: debug 1 inline 0
auth_trusted: getspname did not find an entry for User fdi\don
auth_etc_passswd: getpwnam found entry for User mydomain\don
pw_name: don
pw_passwd: *
auth_check_passwd_crypt: FAILED (Standard crypt) *****
auth_check_passwd_crypt: Salt * passwd * crypt_result **7xxxxxxxA
Calling pam_start
pam_start succeeded for service pam_sudo, user mydomain\don
Calling pam_authenticate
[GUI]Authentication failure for mydomain\don (PAM Err# 7)
[Result]NOK
Authentication failure for mydomain\don

Thanks for any help!
Buddy
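Added example (editor's, not from buddyj's post or the caut script): a small POSIX sh script that classifies pam_krb5 lines of the kind logwatch listed above under "Unmatched Entries", pulls out the principal pam_krb5 actually tried, flags a realm that is not upper case, names the "PAM Err# 7" the test script printed, and reports which /etc/pam.d file Linux-PAM will read for a service name such as pam_sudo. The sample log lines are constructed to match the shape of the post's; the script name pamlog_check.sh and the pam.d directory argument are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Classifies pam_krb5 log
# lines, extracts the principal tried, checks realm case, names the PAM
# return code, and shows which /etc/pam.d file a service name maps to.
# sample_log is constructed input shaped like the post's unmatched entries.

sample_log() {
  cat <<'EOF'
pam_krb5[24666]: no v5 creds for user 'mydomain\don', skipping session cleanup
pam_krb5[24664]: authentication fails for 'mydomain\don' (fdidon@FDI.com): User not known to the underlying authentication module (Client not found in Kerberos database)
pam_krb5[24664]: account checks fail for 'mydomain\don': user is unknown
EOF
}

# classify_pam_line LINE -> one tag per line
classify_pam_line() {
  case "$1" in
    *"Client not found in Kerberos database"*) echo KRB5_NO_PRINCIPAL ;;   # KDC has no client by that name
    *"account checks fail"*)                   echo KRB5_ACCOUNT_UNKNOWN ;; # account stage, same root cause
    *"no v5 creds for user"*)                  echo KRB5_NO_TICKET ;;      # session close with no TGT: benign
    *)                                         echo OTHER ;;
  esac
}

# summarize_log < LOG -> "TAG count" per tag
summarize_log() {
  while IFS= read -r line; do classify_pam_line "$line"; done |
    sort | uniq -c | awk '{ print $2, $1 }'
}

# krb5_principal_from_line LINE -> the principal in parentheses after the quoted user
krb5_principal_from_line() {
  printf '%s\n' "$1" | sed -n 's/^.*'"'"' (\([^)]*\)):.*$/\1/p'
}

# realm_is_upper PRINCIPAL -> success when the realm part is all upper case.
# Kerberos realm names are case-sensitive; an AD realm is the upper-cased DNS
# domain, so "user@FDI.com" does not name the same realm as "FDI.COM".
realm_is_upper() {
  case "$1" in *@*) ;; *) return 1 ;; esac
  r=${1##*@}
  [ -n "$r" ] && [ "$r" = "$(printf '%s' "$r" | tr '[:lower:]' '[:upper:]')" ]
}

# pam_err_name N -> Linux-PAM return-code name (subset relevant here)
pam_err_name() {
  case "$1" in
    0) echo PAM_SUCCESS ;;      6) echo PAM_PERM_DENIED ;;  7) echo PAM_AUTH_ERR ;;
    9) echo PAM_AUTHINFO_UNAVAIL ;; 10) echo PAM_USER_UNKNOWN ;; *) echo "PAM_ERR_$1" ;;
  esac
}

# pam_service_file PAMD_DIR SERVICE -> the file Linux-PAM reads for SERVICE.
# With no PAMD_DIR/SERVICE present it falls back to PAMD_DIR/other, which on
# Red Hat is a pam_deny stack: every call then fails with PAM_AUTH_ERR (7).
pam_service_file() {
  if [ -f "$1/$2" ]; then echo "$1/$2"; else echo "$1/other"; fi
}

# Stand-alone run (assumed script name): summarize the sample and check it.
if [ "${0##*/}" = "pamlog_check.sh" ]; then
  sample_log | summarize_log
  princ=$(krb5_principal_from_line "$(sample_log | sed -n 2p)")
  realm_is_upper "$princ" || echo "realm of $princ is not upper case: compare default_realm in krb5.conf"
  echo "PAM Err# 7 = $(pam_err_name 7); service pam_sudo reads $(pam_service_file /etc/pam.d pam_sudo)"
fi
```

Two things worth ruling out before touching smb.conf again: the principal in the failing line carries a realm that is not upper case, and pam_krb5 only complains because the auth stack reaches it at all for a winbind user. Separately, if no /etc/pam.d/pam_sudo exists for the caut test, Linux-PAM evaluates that service against /etc/pam.d/other, which would explain a local user with a good password also getting PAM_AUTH_ERR.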
 
Requires logon as mydomain\username, but here is what I've done so far:

1. Configure krb5.conf (Kerberos authentication). The FAQ suggested using numeric IP addresses, not DNS names.

[libdefaults]
    # Realm names are case-sensitive; an AD realm is the upper-cased DNS
    # domain, so this must match the [realms] entry and domain_realm exactly.
    default_realm = MYDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    # one stanza per realm; both DCs listed as KDCs
    MYDOMAIN.COM = {
        kdc = 192.168.2.6:88
        kdc = 192.168.2.7:88
        admin_server = 192.168.2.6:749
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM



2. stop services:

service winbind stop
service smb stop

net ads join -U ads_administrator_name

This should give you feedback on what it finds t
These are the pertinent changes I made to smb.conf [run testparm to verify typing!]
'#' are my comments for this post, not in my file

[global]
workgroup = mydomain #short domain name
realm = MYDOMAIN.COM #Kerberos realm, see below; should be caps
server string = Test Server #Description type field for server
security = ads #I want Active Directory Service (security?)
password server = 192.168.2.6 192.168.2.7 #my PDC, BDC
template primary group = mycompany #pre-configured group I want as primary
template homedir = /home/%U # for use with pam_mkhomedir.so; parent has to
# exist. /home/%D/%U will create /home/mydomain/username
template shell = /bin/bash # shell I want them to start up
winbind use default domain = yes # this is supposed to keep you from having to log on
# as mydomain\username but can just do username
# not working for me yet....
hosts allow = 192.168.2., 192.168.4., 127. #not required but I want to control what subnets
#can log on

[netlogon] # I uncommented this section, not sure if it was necessary


3. Run testparm to make sure it likes the edited file. The FAQ says to restart the services, but step 4 requires a reboot.

4. Add

session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077

above

session required /lib/security/$ISA/pam_limits.so

to the /etc/pam.d/system-auth file. skel=/etc/skel are default files that populate the directory

5. add

wbinfo --set-auth-user myuser

It will prompt for the password, which will echo on screen and be stored unencrypted.

6. Reboot and test

Sources:
Red hat FAQ
# 5851 (but change '= DOMAIN' to '= ads')
# 5787
# 5402
# 4760

also referred to
# 918
Redhat docs install guide 11.6 User authentication with PAM
# 6047
man page for smb.conf
# 5532
# 5492
# 5402
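Added example (editor's, not Red Hat's authconfig output and not buddyj's file): a constructed system-auth in which pam_winbind is tried, and is sufficient, before pam_krb5 on the auth stack, and pam_mkhomedir sits above pam_limits as in step 4. With that ordering a domain user validated by winbindd never reaches pam_krb5, so the "Client not found in Kerberos database" lines stop; with security = ads, pam_krb5 can also simply be dropped, since winbindd already authenticates against the DCs. The checker functions verify the ordering in any system-auth file; the script name check_system_auth.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Embeds a constructed
# system-auth with the module order that keeps winbind users away from
# pam_krb5, and checks that order in an arbitrary file.

sample_system_auth() {   # constructed sample, RHEL 4 style $ISA paths as in the post
  cat <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=077
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
EOF
}

# module_index FILE TYPE MODULE -> 1-based position of MODULE among the
# TYPE lines of FILE, 0 if absent. Comments and blank lines are skipped.
module_index() {
  awk -v t="$2" -v m="$3" '
    /^[[:space:]]*#/ || NF == 0 { next }
    $1 == t { n++; if (index($0, m)) { found = n; exit } }
    END { print found + 0 }' "$1"
}

# ordered_before FILE TYPE FIRST SECOND -> success only when both modules
# are present on the TYPE stack and FIRST comes before SECOND.
ordered_before() {
  a=$(module_index "$1" "$2" "$3")
  b=$(module_index "$1" "$2" "$4")
  [ "$a" -gt 0 ] && [ "$b" -gt 0 ] && [ "$a" -lt "$b" ]
}

# check_stack FILE -> one PASS/FAIL line per rule; non-zero if any rule fails.
check_stack() {
  f=$1; rc=0
  for spec in "auth pam_winbind.so pam_krb5.so" "session pam_mkhomedir.so pam_limits.so"; do
    set -- $spec
    if ordered_before "$f" "$1" "$2" "$3"; then
      echo "PASS: $1 $2 runs before $3"
    else
      echo "FAIL: $1 $2 must run before $3"; rc=1
    fi
  done
  return $rc
}

# Stand-alone run (assumed script name): check the given file or the live one.
if [ "${0##*/}" = "check_system_auth.sh" ]; then
  check_stack "${1:-/etc/pam.d/system-auth}"
fi
```

The account stack above keeps pam_winbind with user_unknown=ignore so local users still pass through pam_unix; if pam_krb5 is kept on the auth stack for local Kerberos principals, it stays below pam_winbind so it is only consulted when winbindd has already said no.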
 