Hello to all, I'm a new member hoping the Linux community can help. We have several lab computers that we would like to upgrade from RHEL5-Server to RHEL6-Server as the OS. They authenticate via Kerberos and pull the user's login info from Microsoft AD, currently Server 2008 running in 2003 Forest mode. We also auto-mount their AD network share to /home. This has worked flawlessly for RHEL5, but we are experiencing login problems while testing RHEL6.

Here's what we did:

- Added the samba-client packages during installation.
- Added samba-winbind via yum since it was not included.
- Added "allow_weak_crypto = true" to krb5.conf so the host could join the AD domain.
- Verified that "wbinfo -u" and "wbinfo -g" both return the user and group lists successfully.
- Copied /etc/pam.d/system-auth-ac to /etc/pam.d/password-auth-ac.

This allowed us to get through the "auth" portion of PAM, but now the login is failing during the "account" portion. Users attempting to log in receive "User is not known to the underlying authentication model" on the login screen. Looking at /var/log/secure reveals the following:

Code:
<snip>
Mar 17 09:30:01 linux16 pam: gdm-password[16778]: pam_winbind(gdm-password:auth): getting password (0x00000000)
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_winbind(gdm-password:auth): user 'ahh321' granted access
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: gkr-pam: error looking up user information for: ahh321
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_unix(gdm-password:account): could not identify user (from getpwnam(ahh321))
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_succeed_if(gdm-password:account): error retrieving information about user ahh321
</snip>

It looks like winbind is not working correctly, but maybe it is a completely different issue. No changes have been made to the AD domain controller. Any ideas or suggestions would be greatly appreciated.
I have included pam.d/system-auth-ac (password-auth-ac is the same) and smb.conf, and can send krb5.conf or nsswitch.conf if needed. Thanks in advance.

Code:
[root@linux16 ~]# cat /etc/pam.d/system-auth-ac
### Also copied this file to /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     sufficient    pam_winbind.so
account     required      pam_unix.so try_first_pass
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_winbind.so
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Code:
[root@linux16 ~]# cat /etc/samba/smb.conf
[global]
#--authconfig--start-line--
# Generated by authconfig on 2011/02/25 15:14:14
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = labs
password server = lab01.labdomain.psu.edu lab02.labdomain.psu.edu
realm = LABDOMAIN.PSU.EDU
security = ads
idmap uid = 10000-20000
idmap gid = 1000-2000
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
#--authconfig--end-line--

# ----------- Network Related Options -------
netbios name = linux16
unix extensions = yes
idmap backend = ad
winbind nss info = rfc2307
use kerberos keytab = yes
winbind cache time = 10
winbind enum users = yes
winbind enum groups = yes
Same issues here. Well, I'm new to CentOS and am trying to do the same. I'm replying so I can get a notification if someone is able to help you. My problem is that I think I need a step-by-step walkthrough.
Hello, it seems that Samba wants to get the user from gdbm, which is incorrect. I assume that in /etc/krb5.conf you have something like this:

Code:
[libdefaults]
default_realm = LABDOMAIN.PSU.EDU

[realms]
LABDOMAIN.PSU.EDU = {
    kdc = lab01.labdomain.psu.edu
    kdc = lab02.labdomain.psu.edu
}

[domain_realm]
.labdomain.psu.edu = LABDOMAIN.PSU.EDU

/etc/samba/smb.conf - add this to the config. You don't have to add socket options; they are just for performance.

Code:
auth methods = winbind
encrypt passwords = yes
allow trusted domains = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
time server = Yes
winbind use default domain = true
winbind refresh tickets = yes

What do you have in /etc/nsswitch.conf? You must add winbind there if you don't have it. For example (it's just an example; don't copy it into your nsswitch.conf as-is, since you may not be able to log in to the system if you have something special configured; just add winbind):

Code:
passwd: files winbind
shadow: files winbind
group:  files winbind

To make Kerberos work properly you must synchronize time with the AD server. Add this to the crontab if you don't have it:

Code:
*/5 * * * * root /usr/sbin/ntpdate lab01.labdomain.psu.edu

Next:

Code:
service smb start
service winbind start
kinit adm

(adm - change it to your administrator account name from AD). Here we are trying to get a ticket from AD.

Code:
klist

Post here what it says if there is an error. If it shows that it got the ticket, with its start time and expiry time, then everything is fine.

Code:
net ads join -U adm

(adm - change it to your administrator account). With this command we join Active Directory.

Hope that helps you.
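The reply above pins the symptom on NSS rather than on Kerberos: pam_winbind accepts the password, but pam_unix's account stage then fails getpwnam(), which is exactly what happens when winbind is missing from nsswitch.conf. The script below is an added example, not code from any of the posters, that checks a nsswitch.conf for winbind on the passwd/shadow/group databases and looks for that "auth granted, account cannot resolve user" pair in /var/log/secure lines. The nsswitch files and log lines are constructed inline so it runs offline; on a real RHEL6 host point the functions at /etc/nsswitch.conf and /var/log/secure, and remember that the live checks (kinit/klist, net ads join, getent passwd for an AD user) still need the domain controller reachable.

```shell
#!/bin/sh
# Added example for this thread: diagnose the "pam_winbind grants auth, pam_unix
# account stage fails getpwnam()" signature. Sample inputs are constructed below.

# nss_has_winbind FILE DB... : return 0 if every DB line in FILE lists winbind
# as a source. Commented lines are ignored, so "#passwd: files winbind" does not
# count; "files winbind" and "winbind files" both do.
nss_has_winbind() {
    file=$1; shift
    missing=
    for db in "$@"; do
        if ! grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|$)" "$file"; then
            missing="$missing $db"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "winbind missing from nsswitch database(s):$missing" >&2
    return 1
}

# secure_log_nss_gap FILE USER : return 0 if FILE shows pam_winbind granting auth
# to USER while pam_unix's account stage cannot resolve USER via getpwnam().
# That pair means AD accepted the password but the system cannot look the
# account up, i.e. an NSS/winbind problem, not a Kerberos or password problem.
secure_log_nss_gap() {
    log=$1; user=$2
    grep -q "pam_winbind([a-z-]*:auth): user '${user}' granted access" "$log" || return 1
    grep -q "pam_unix([a-z-]*:account): could not identify user (from getpwnam(${user}))" "$log" || return 1
    return 0
}

# diagnose NSSWITCH SECURELOG USER : print "nss-gap" when the log shows the
# signature AND winbind is absent from at least one NSS database, else "no-nss-gap".
diagnose() {
    nss=$1; log=$2; user=$3
    if secure_log_nss_gap "$log" "$user" && ! nss_has_winbind "$nss" passwd shadow group 2>/dev/null; then
        echo "nss-gap"
    else
        echo "no-nss-gap"
    fi
    return 0
}

# --- constructed sample inputs (not the poster's real files) ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat >"$work/nsswitch.broken" <<'EOF'
# winbind never added: AD users authenticate but cannot be resolved
passwd:     files
shadow:     files
group:      files
EOF

cat >"$work/nsswitch.fixed" <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
EOF

# Two lines modelled on the /var/log/secure excerpt in the first post.
cat >"$work/secure" <<'EOF'
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_winbind(gdm-password:auth): user 'ahh321' granted access
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_unix(gdm-password:account): could not identify user (from getpwnam(ahh321))
EOF

echo "broken nsswitch: $(diagnose "$work/nsswitch.broken" "$work/secure" ahh321)"
echo "fixed nsswitch:  $(diagnose "$work/nsswitch.fixed" "$work/secure" ahh321)"
```

On a real host the complementary live check is `getent passwd ahh321` (or `id ahh321`): if `wbinfo -u` lists the user but `getent` returns nothing, NSS is the gap, which matches the log pair the script looks for.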
Beandip408, no, I did not get it working yet. Now that the school year has started, we will stick with RHEL5 and take a look at RHEL6 again next year.