Problem with RHEL6 login and Active Directory

Discussion in 'Installation/Configuration' started by Al Howard, Mar 17, 2011.

  1. Al Howard

    Al Howard New Member

    Hello to all,
    I’m a new member hoping the Linux community can help. We have several lab computers that we would like to upgrade from RHEL5-Server to RHEL6-Server as the OS. They authenticate via Kerberos and pull the user’s login info from Microsoft AD, currently Server 2008 running in 2003 Forest mode. We also auto mount their AD network share to /home. This has worked flawlessly for RHEL5, but we are experiencing login problems while testing RHEL6.
    Here’s what we did:
    Added the samba-client packages during installation. Added samba-winbind via yum since it was not included. Added "allow_weak_crypto = true" to krb5.conf so the host could join the AD domain. Verified that "wbinfo -u" and "wbinfo -g" both return the user and group lists successfully. Copied /etc/pam.d/system-auth-ac to /etc/pam.d/password-auth-ac. This allowed us to get through the "auth" portion of PAM, but now the login is failing during the "account" portion. Users attempting to log in receive "User is not known to the underlying authentication module" on the login screen.

    Looking at /var/log/secure reveals the following:
    <snip>
    Mar 17 09:30:01 linux16 pam: gdm-password[16778]: pam_winbind(gdm-password:auth): getting password (0x00000000)
    Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_winbind(gdm-password:auth): user 'ahh321' granted access
    Mar 17 09:30:08 linux16 pam: gdm-password[16778]: gkr-pam: error looking up user information for: ahh321
    Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_unix(gdm-password:account): could not identify user (from getpwnam(ahh321))
    Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_succeed_if(gdm-password:account): error retrieving information about user ahh321
    </snip>

    It looks like winbind is not working correctly but maybe it is a completely different issue. No changes have been made to the AD domain controller. Any ideas or suggestions would be greatly appreciated. I have included pam.d/system-auth-ac (password-auth-ac is the same) and smb.conf and can send krb5.conf or nsswitch.conf if needed. Thanks in advance.

    [root@linux16 ~]# cat /etc/pam.d/system-auth-ac
    ### Also copied this file to /etc/pam.d/password-auth-ac

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth sufficient pam_winbind.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so

    account sufficient pam_winbind.so
    account required pam_unix.so try_first_pass
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_permit.so

    password requisite pam_cracklib.so try_first_pass retry=3
    password sufficient pam_winbind.so
    password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so

    [root@linux16 ~]# cat /etc/samba/smb.conf

    [global]
    #--authconfig--start-line--

    # Generated by authconfig on 2011/02/25 15:14:14
    # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
    # Any modification may be deleted or altered by authconfig in future

    workgroup = labs
    password server = lab01.labdomain.psu.edu lab02.labdomain.psu.edu
    realm = LABDOMAIN.PSU.EDU
    security = ads
    idmap uid = 10000-20000
    idmap gid = 1000-2000
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false

    #--authconfig--end-line--

    # ----------- Network Related Options-------

    netbios name = linux16
    unix extensions = yes
    idmap backend = ad
    winbind nss info = rfc2307
    use kerberos keytab = yes
    winbind cache time = 10
    winbind enum users = yes
    winbind enum groups = yes
     
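An added diagnostic script, not from this thread or any of its posters, for the symptom in the log above: pam_winbind grants access in the auth phase, then pam_unix's account phase fails inside getpwnam(), so the C library cannot resolve the domain user even though wbinfo can list it. That pattern points at /etc/nsswitch.conf not routing passwd/group lookups through winbind rather than at a password or Kerberos problem. The script checks a log file for that signature and an nsswitch.conf for winbind in the passwd and group databases; the function names are my own, and the sample log lines and nsswitch.conf content are constructed so it runs offline.

```shell
#!/bin/sh
# Added example: diagnose "User is not known to the underlying authentication module".
# pam_winbind accepted the password (auth phase), then pam_unix's account phase
# failed in getpwnam(): the C library cannot resolve the domain user, which means
# /etc/nsswitch.conf is not sending passwd/group lookups to winbind.

# Return 0 if database $2 (passwd, group or shadow) in nsswitch file $1 lists winbind.
nss_has_winbind() {
    nssfile=$1; db=$2
    sed 's/#.*//' "$nssfile" | awk -v db="$db" '
        { sub(/:/, ": ") }                 # tolerate "passwd:files" with no space
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the log shows winbind granting access in the auth phase while the
# account phase could not look the user up: the NSS symptom, not a password problem.
account_lookup_failure() {
    logfile=$1
    grep -q "pam_winbind([^)]*:auth): user '[^']*' granted access" "$logfile" &&
    grep -q "pam_unix([^)]*:account): could not identify user" "$logfile"
}

# Live check on a real host (needs glibc's getent): does NSS resolve the user at all?
# "wbinfo -u" succeeding while this fails is exactly the situation in the thread.
nss_resolves_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# Print a verdict; return 0 only when nsswitch.conf routes passwd and group to winbind.
diagnose() {
    logfile=$1; nssfile=$2; rc=0
    if account_lookup_failure "$logfile"; then
        echo "log: auth passed in pam_winbind, account phase could not resolve the user"
    fi
    for db in passwd group; do
        if nss_has_winbind "$nssfile" "$db"; then
            echo "nsswitch: $db consults winbind"
        else
            echo "nsswitch: $db does NOT list winbind; add it after 'files'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data (mirrors the thread's log, with an nsswitch.conf that
# lacks winbind) so the script runs offline.
tmpdir=$(mktemp -d)
cat > "$tmpdir/secure" <<'EOF'
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_winbind(gdm-password:auth): user 'ahh321' granted access
Mar 17 09:30:08 linux16 pam: gdm-password[16778]: pam_unix(gdm-password:account): could not identify user (from getpwnam(ahh321))
EOF
printf 'passwd:     files\nshadow:     files\ngroup:      files\n' > "$tmpdir/nsswitch.conf"

diagnose "$tmpdir/secure" "$tmpdir/nsswitch.conf" || echo "verdict: logins will keep failing at the account phase"
rm -rf "$tmpdir"
```

On the real host, run `diagnose /var/log/secure /etc/nsswitch.conf` and `nss_resolves_user ahh321`; if getent fails while `wbinfo -u` works, the winbind NSS module is not in play (nsswitch.conf entry missing, or the samba-winbind package's libnss_winbind not installed).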
  2. Beandip408

    Beandip408 New Member

    same issues

    Well, I'm new to CentOS and am trying to do the same. I'm replying so I can get a notification if someone is able to help you. My problem is that I think I need a step-by-step walkthrough.
     
  3. inky

    inky New Member

    Hello, it seems that samba wants to get the user from gdbm, which is incorrect.

    I assume that in /etc/krb5.conf you have something like this:

    Code:
    [libdefaults]
    default_realm = LABDOMAIN.PSU.EDU
    
    [realms]
    LABDOMAIN.PSU.EDU = {
        kdc = lab01.labdomain.psu.edu lab02.labdomain.psu.edu
    }
    
    [domain_realm]
    .labdomain.psu.edu = LABDOMAIN.PSU.EDU
     
    /etc/samba/smb.conf - add this to the config - you don't need to add socket options - they're just for performance.

    Code:
    auth methods = winbind
    encrypt passwords = yes
    allow trusted domains = No
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    time server = Yes
    winbind use default domain = true
    winbind refresh tickets = yes
    
    What do you have in /etc/nsswitch.conf?
    (you must add winbind here if you don't have it)

    For example - it's just an example - don't copy it to your nsswitch - you may not be able to log in to the system if you have something special configured - just add winbind.
    Code:
    passwd:     files winbind
    shadow:     files winbind
    group:      files winbind 
    
    To make Kerberos function properly you must synchronize time with the AD server. Add this to crontab if you don't have it:

    */5 * * * * root /usr/sbin/ntpdate lab01.labdomain.psu.edu

    Next:
    service smb start
    service winbind start
    kinit adm (adm - change it to your administrator account name from AD) - we are trying to get a ticket from AD.
    klist - paste here what it says if there is an error - if it shows that it got the ticket with its start time and expiry time, then everything is fine.
    net ads join -U adm (adm - change it to your administrator account) - we join Active Directory with this command.

    Hope that helps you.
     
    Last edited: Sep 17, 2011
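An added preflight check, not inky's or the thread's own code, for the krb5.conf/smb.conf consistency the steps above rely on: the realm in smb.conf must match default_realm in krb5.conf, and every host in the smb.conf password server list should also be a kdc in krb5.conf, or the kinit/klist/net ads join sequence fails before PAM is ever involved. The ini-style parsing matches the two file formats as shown in the posts; the function names and the constructed sample files (one kdc deliberately omitted) are my own assumptions.

```shell
#!/bin/sh
# Added example: preflight consistency check between /etc/samba/smb.conf and
# /etc/krb5.conf before running kinit / net ads join. A realm mismatch between
# the two files, or a password server that krb5 does not know as a KDC, breaks
# the ticket step long before PAM is involved.

# Print the value of "key = value" inside [section] of an ini-style file.
# Good enough for krb5.conf and smb.conf: comments (# or ;) stripped, first match wins.
ini_value() {
    file=$1; section=$2; key=$3
    sed 's/[#;].*//' "$file" | awk -v sec="$section" -v key="$key" '
        /^[ \t]*\[/ { in_sec = ($0 ~ ("^[ \t]*\\[" sec "\\]")); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# All "kdc =" hosts from krb5.conf [realms], port suffixes removed, space separated.
krb5_kdcs() {
    sed 's/[#;].*//' "$1" | awk '/^[ \t]*kdc[ \t]*=/ {
        sub(/^[^=]*=[ \t]*/, ""); gsub(/:[0-9]+/, ""); printf "%s ", $0 }'
}

# Return 0 if smb.conf "realm" equals krb5.conf default_realm (case-insensitive).
realms_consistent() {
    a=$(ini_value "$1" global realm | tr '[:lower:]' '[:upper:]')
    b=$(ini_value "$2" libdefaults default_realm | tr '[:lower:]' '[:upper:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Return 0 if every host in smb.conf "password server" is a kdc in krb5.conf;
# otherwise print the first host that is missing and return 1.
kdcs_cover_password_servers() {
    kdcs=" $(krb5_kdcs "$2") "
    for h in $(ini_value "$1" global "password server"); do
        case "$kdcs" in
            *" $h "*) ;;
            *) echo "krb5.conf has no kdc entry for $h"; return 1 ;;
        esac
    done
    return 0
}

# Run both checks; return 0 only if the two files agree.
preflight() {
    smb=$1; krb=$2; rc=0
    if realms_consistent "$smb" "$krb"; then
        echo "realm: smb.conf and krb5.conf agree on $(ini_value "$krb" libdefaults default_realm)"
    else
        echo "realm: smb.conf 'realm' and krb5.conf 'default_realm' differ or are missing"; rc=1
    fi
    kdcs_cover_password_servers "$smb" "$krb" || rc=1
    return $rc
}

# Constructed sample files modelled on the thread; lab02 is deliberately left out
# of the kdc line to show the mismatch being caught.
tmpdir=$(mktemp -d)
cat > "$tmpdir/smb.conf" <<'EOF'
[global]
workgroup = labs
password server = lab01.labdomain.psu.edu lab02.labdomain.psu.edu
realm = LABDOMAIN.PSU.EDU
security = ads
EOF
cat > "$tmpdir/krb5.conf" <<'EOF'
[libdefaults]
default_realm = LABDOMAIN.PSU.EDU

[realms]
LABDOMAIN.PSU.EDU = {
    kdc = lab01.labdomain.psu.edu:88
}
EOF
preflight "$tmpdir/smb.conf" "$tmpdir/krb5.conf" || echo "fix the files above before kinit / net ads join"
rm -rf "$tmpdir"
```

On a real host run `preflight /etc/samba/smb.conf /etc/krb5.conf` first; only when it passes (and the clock is in sync with the DC, as the post says) is a kinit/klist failure worth reading as a Kerberos problem rather than a configuration typo.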
  4. Al Howard

    Al Howard New Member

    Beandip408,

    No, I did not get it working yet. Now that the school year has started we will stick with RHEL5 and take a look at RHEL6 again next year.
     
    Last edited: Sep 21, 2011
