
#1 2017-01-01 19:48:16

Nazdravi
Member
Registered: 2003-03-20
Posts: 12

pam login problem for ADS users after system update (pam_systemd)

Hi,
After a complete system update, ADS users can't log in any more (neither locally nor via the network). I use a setup as described in the ADS integration wiki page. This worked for the last months, but no longer after the package update. All tests described on that page (wbinfo, getent, net ads) succeed. But real ADS user logins produce these error messages in auth.log and the attempt fails.

Jan  1 19:15:25 lw-2011-01 sshd[778]: pam_winbind(sshd:account): user 'stefanie' granted access
Jan  1 19:15:25 lw-2011-01 sshd[778]: Accepted password for stefanie from 192.168.1.130 port 36802 ssh2
Jan  1 19:15:25 lw-2011-01 sshd[778]: pam_unix(sshd:session): session opened for user stefanie by (uid=0)
Jan  1 19:15:25 lw-2011-01 sshd[778]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Jan  1 19:15:25 lw-2011-01 sshd[778]: fatal: login_get_lastlog: Cannot find account for uid 12103
Jan  1 19:15:25 lw-2011-01 sshd[778]: pam_unix(sshd:session): session closed for user stefanie
Jan  1 19:15:25 lw-2011-01 sshd[778]: syslogin_perform_logout: logout() returned an error

A user directory was correctly and automatically created on the login attempt, and it is also rwx-enabled for the correct user. My nsswitch.conf file is a bit different from the wiki recommendation because the original version from the package has also changed:

# Begin /etc/nsswitch.conf
passwd: compat mymachines systemd winbind
group: compat mymachines systemd winbind
shadow: compat winbind
publickey: files
hosts: files mymachines resolve [!UNAVAIL=return] dns wins myhostname
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: files
# End /etc/nsswitch.conf

Does anyone have any ideas to get this to work?


#2 2017-01-10 09:01:39

setti
Member
Registered: 2006-07-12
Posts: 20

Re: pam login problem for ADS users after system update (pam_systemd)

Same problem here, except that local login still works and homedirs are created. Ssh-ing fails with

Jan 10 09:50:51 vbox sshd[12766]: pam_winbind(sshd:account): user 'test' granted access
Jan 10 09:50:51 vbox sshd[12766]: Accepted password for test from xxx.xxx.xxx.xxx port 45600 ssh2
Jan 10 09:50:51 vbox sshd[12766]: pam_unix(sshd:session): session opened for user test by (uid=0)
Jan 10 09:50:51 vbox sshd[12766]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Jan 10 09:50:51 vbox sshd[12766]: fatal: login_get_lastlog: Cannot find account for uid 12168
Jan 10 09:50:51 vbox sshd[12766]: pam_unix(sshd:session): session closed for user test

How can I debug which file or directory could not be found?

# cat /etc/pam.d/system-auth 
#%PAM-1.0

auth [success=1 default=ignore] pam_localuser.so
auth [success=2 default=die] pam_winbind.so
auth [success=1 default=die] pam_unix.so nullok
auth requisite pam_deny.so
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account [success=1 default=ignore] pam_localuser.so
account required pam_winbind.so
account   optional  pam_permit.so
account   required  pam_time.so

password [success=1 default=ignore] pam_localuser.so
password [success=2 default=die] pam_winbind.so
password [success=1 default=die] pam_unix.so sha512 shadow
password requisite pam_deny.so
password  optional  pam_permit.so

session   required  pam_limits.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session   required  pam_unix.so
session [success=1 default=ignore] pam_localuser.so
session required pam_winbind.so
session   optional  pam_permit.so


#3 2017-01-11 14:42:04

cmiles74
Member
Registered: 2011-10-16
Posts: 8

Re: pam login problem for ADS users after system update (pam_systemd)

I am having this exact same problem. I'm also seeing these lines in my log file:

Jan 11 09:30:19 mysql-east systemd[1]: Started OpenSSH Per-Connection Daemon ([::1]:42516).
Jan 11 09:30:24 mysql-east sshd[422]: pam_winbind(sshd:auth): getting password (0x00000000)
Jan 11 09:30:24 mysql-east sshd[422]: pam_winbind(sshd:auth): user 'cmiles' granted access
Jan 11 09:30:24 mysql-east sshd[422]: pam_winbind(sshd:account): user 'cmiles' granted access
Jan 11 09:30:24 mysql-east sshd[422]: Accepted password for cmiles from ::1 port 42516 ssh2
Jan 11 09:30:24 mysql-east sshd[422]: pam_unix(sshd:session): session opened for user cmiles by (uid=0)
Jan 11 09:30:24 mysql-east sshd[422]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Jan 11 09:30:24 mysql-east sshd[422]: fatal: login_get_lastlog: Cannot find account for uid 15240

Oddly, if I run a command via SSH ("ssh cmiles@machine ls /"), that does work. It's an interactive session that fails.

When I run "getent" and "wbinfo", I see all of the information from the Active Directory server. However, when I run "id" or "groups", the Active Directory username can't be found. It looks to me as if the user logs in via SSH successfully (their password is validated, at least) and the process dies immediately after.

I've been fighting with this one (when I have time) for the last couple of months. It's been preventing me from upgrading some of the servers our developers use for development and testing. Any help on this issue would be greatly appreciated!

Last edited by cmiles74 (2017-01-11 15:06:00)

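The question in post #2 (which lookup is failing?) and the observation in post #3 (getent and wbinfo work, id and groups do not) point at the same thing: the numeric uid in the fatal line is already known to sshd, so the direction that breaks is uid to name. The script below is an added example, not code from the thread. It extracts that uid from auth.log lines constructed after the ones quoted above, lists which NSS sources the passwd database consults (taken from the nsswitch.conf in post #1), and then tries the lookup in both directions through Python's pwd module, which goes through the same nsswitch chain as sshd and id(1).

```python
"""Diagnose the 'Cannot find account for uid N' failure seen in the thread.

Added example, not code from the posts above. Sample log and nsswitch
text are constructed from what the posts quote.
"""
import pwd
import re

# Constructed sample, modelled on the lines quoted in post #2.
SAMPLE_LOG = """\
Jan 10 09:50:51 vbox sshd[12766]: pam_winbind(sshd:account): user 'test' granted access
Jan 10 09:50:51 vbox sshd[12766]: pam_unix(sshd:session): session opened for user test by (uid=0)
Jan 10 09:50:51 vbox sshd[12766]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Jan 10 09:50:51 vbox sshd[12766]: fatal: login_get_lastlog: Cannot find account for uid 12168
"""

# Constructed sample using the passwd/group/shadow lines from post #1's nsswitch.conf.
SAMPLE_NSSWITCH = """\
# Begin /etc/nsswitch.conf
passwd: compat mymachines systemd winbind
group: compat mymachines systemd winbind
shadow: compat winbind
"""

LASTLOG_RE = re.compile(r"login_get_lastlog: Cannot find account for uid (\d+)")
SESSION_RE = re.compile(r"pam_unix\([^)]*:session\): session opened for user (\S+) by")


def failed_uids(log_text):
    """uids that sshd's lastlog lookup could not map back to an account."""
    return [int(m.group(1)) for m in LASTLOG_RE.finditer(log_text)]


def session_users(log_text):
    """User names for which pam_unix opened a session before the failure."""
    return [m.group(1) for m in SESSION_RE.finditer(log_text)]


def nss_sources(nsswitch_text, database="passwd"):
    """Ordered NSS sources for one database, with [action] tokens dropped."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith(database + ":"):
            continue
        tokens = line.split(":", 1)[1].split()
        return [t for t in tokens if not t.startswith("[")]
    return []


def resolve(uid=None, name=None):
    """Try both lookup directions; None in a slot means that direction failed."""
    report = {"name_to_uid": None, "uid_to_name": None}
    if name is not None:
        try:
            report["name_to_uid"] = pwd.getpwnam(name).pw_uid
        except KeyError:
            pass
    if uid is not None:
        try:
            report["uid_to_name"] = pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return report


def diagnose(log_text, nsswitch_text):
    """For each failing uid in the log, record the passwd sources and the uid->name result."""
    sources = nss_sources(nsswitch_text)
    findings = []
    for uid in failed_uids(log_text):
        r = resolve(uid=uid)
        findings.append({"uid": uid, "passwd_sources": sources,
                         "uid_to_name": r["uid_to_name"]})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, SAMPLE_NSSWITCH):
        status = ("resolves to %r" % f["uid_to_name"]) if f["uid_to_name"] else "does NOT resolve"
        print("uid %d %s via passwd sources: %s"
              % (f["uid"], status, " ".join(f["passwd_sources"])))
```

Run it on the affected host: if `resolve(name="stefanie")` returns a uid but `resolve(uid=12103)` returns no name, winbind (the last passwd source in the list) is answering name lookups but not the reverse mapping, which is exactly what `login_get_lastlog` and `id` need.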

#4 2017-01-11 19:26:36

cmiles74
Member
Registered: 2011-10-16
Posts: 8

Re: pam login problem for ADS users after system update (pam_systemd)

I can't believe it, after all this time I found a solution!

https://bugzilla.samba.org/show_bug.cgi?id=12284

So the relevant section of my smb.conf file now looks like this:

  # idmap config * : backend = rid
  # idmap config * : range = 10000-20000

  idmap config MYDOMAIN : backend = rid
  idmap config MYDOMAIN : range = 10000-20000
  idmap config * : range = 10000-20000

This has resolved the issue; Active Directory users can now log on via SSH sessions.

Last edited by cmiles74 (2017-01-11 19:27:00)

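To make the change in post #4 checkable rather than something to eyeball, here is an added example (not Samba code and not from the thread) that parses the idmap lines of an smb.conf and reports the layout. It encodes only the difference visible in the post: the rid backend moved from the default `*` domain to the named domain, with `*` keeping just a range. It also checks whether the uid from the failing log lines (12103 in post #1) falls inside a configured range. The `workgroup` and `security` lines are constructed filler, and `MYDOMAIN` is the placeholder the post uses.

```python
"""Compare the idmap layout of an smb.conf before and after the change in post #4.

Added example, not Samba code and not from the thread.
"""
import configparser

# Constructed: the layout the poster started with.
BEFORE = """\
[global]
  workgroup = MYDOMAIN
  security = ads
  idmap config * : backend = rid
  idmap config * : range = 10000-20000
"""

# Constructed: the layout from post #4.
AFTER = """\
[global]
  workgroup = MYDOMAIN
  security = ads
  # idmap config * : backend = rid
  # idmap config * : range = 10000-20000
  idmap config MYDOMAIN : backend = rid
  idmap config MYDOMAIN : range = 10000-20000
  idmap config * : range = 10000-20000
"""


def parse_idmap(smb_conf_text):
    """Return {domain: {"backend": str|None, "range": (lo, hi)|None}} from [global]."""
    # smb.conf is INI-like, but its keys contain ':' and lines are indented,
    # so split only on '=', keep key case, and strip indentation first so
    # configparser does not treat indented lines as value continuations.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string("\n".join(line.strip() for line in smb_conf_text.splitlines()))
    domains = {}
    for key, value in cp["global"].items():
        if not key.startswith("idmap config "):
            continue
        domain, _, option = key[len("idmap config "):].partition(":")
        entry = domains.setdefault(domain.strip(), {"backend": None, "range": None})
        if option.strip() == "backend":
            entry["backend"] = value.strip()
        elif option.strip() == "range":
            lo, hi = (int(x) for x in value.split("-"))
            entry["range"] = (lo, hi)
    return domains


def assess(smb_conf_text, uid):
    """Summarise the idmap layout and check whether uid lies in any configured range."""
    domains = parse_idmap(smb_conf_text)
    default = domains.get("*", {"backend": None, "range": None})
    rid_domains = sorted(d for d, e in domains.items() if e["backend"] == "rid")
    covering = sorted(d for d, e in domains.items()
                      if e["range"] and e["range"][0] <= uid <= e["range"][1])
    return {
        # None means the parameter is unset; Samba then uses its built-in default (tdb).
        "default_backend": default["backend"],
        "rid_domains": rid_domains,
        "uid_in_range_of": covering,
        # True when the file has the shape post #4 ended up with: no backend on '*',
        # rid on a named domain.
        "matches_thread_fix": default["backend"] is None
                              and any(d != "*" for d in rid_domains),
    }


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, assess(text, 12103))
```

Point `assess` at the real file with `open("/etc/samba/smb.conf").read()` and the uid from your own fatal line; a uid outside every range is a separate problem from the backend placement and shows up as an empty `uid_in_range_of`.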
