
[Samba] Centos 7 member server login fails




I have a problem that is now becoming very annoying. Namely, I have a CentOS 7 member server running SerNet Samba 4.7.4 for which everything seems to work except gdm or ftp logins. On the Linux client it seems winbindd is set up correctly. For example (the data shown below has been sanitized):

> getent passwd
testuser2:*:3001108:3000513::/home/testuser1:/bin/bash
testuser1:*:3001107:3000513::/home/testuser2:/bin/bash

> getent group
domain admins:x:3000512:administrator
domain users:x:3000513:testuser2,testuser1,administrator,krbtgt

> kinit Administrator
Password for Administrator@xxxxxxxxxxxxx:
> klist
Ticket cache: KEYRING:persistent:3001107:3001107
Default principal: Administrator@xxxxxxxxxxxxx

Valid starting       Expires              Service principal
12/26/2017 14:24:36  12/27/2017 00:24:36 krbtgt/MYDC.TEST.COM@xxxxxxxxxxxxx
    renew until 01/02/2018 14:24:32

> cat /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
#initgroups: files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files winbind

netgroup:   files winbind

publickey:  nisplus

automount:  files
aliases:    files nisplus

After a console or ftp login I see these errors:

> cat /var/log/messages
Dec 26 14:31:26 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)
Dec 26 14:31:28 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)
Dec 26 14:31:30 testhost gdm-password]: AccountsService: ActUserManager: user (null) has no username (uid: -1)

> cat /var/log/secure
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:26 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:26 testhost gdm-password]: gkr-pam: no password is available for user
Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:28 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:28 testhost gdm-password]: gkr-pam: no password is available for user
Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth): getting password (0x00000010)
Dec 26 14:31:30 testhost gdm-password]: pam_winbind(gdm-password:auth): Could not retrieve user's password
Dec 26 14:31:30 testhost gdm-password]: gkr-pam: no password is available for user

So you can see pam_winbind is called but there is no password for the user. And what is really strange is that I can log in to the member server via ssh using a public/private key (username/password authentication is turned off). After an ssh login I see this in /var/log/secure:

> cat /var/log/secure
Dec 26 14:38:03 testhost sshd[32407]: pam_unix(sshd:session): session closed for user testuser1
Dec 26 14:38:07 testhost sshd[32501]: pam_winbind(sshd:account): user 'testuser1' granted access
Dec 26 14:38:07 testhost sshd[32501]: Accepted publickey for testuser1 from 192.168.1.3 port 53174 ssh2: RSA SHA256:CVb5dqn5xUPXO0iVbUyHlNuXUZeW4J6k42Kg94teayg
Dec 26 14:38:07 testhost sshd[32501]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Dec 26 14:38:07 testhost sshd[32501]: pam_unix(sshd:session): session opened for user testuser1 by (uid=0)

Logins on the DC do work properly. Plus I have 3 other member server Linux boxes all running SSSD which have no issues. I am pretty sure the issue is on the client box running winbindd. Does anyone have any suggestions as to how to debug this issue or what might be going wrong?

--
Paul (ganci@xxxxxxxx)
Cell: (303)257-5208
