
I had my Fedora 21 workstation connected to my AD domain and working for about a month and all was well, and then I came in one morning and couldn't log in. My initial response was blaming Win2013 and AD, but after a little digging in the event viewer I wasn't able to find any errors, and coupled with the fact that I can successfully log in to all other Linux AD members (Fedora 19/20, CentOS 6, Debian 6/7) it does not appear to be the source of the issue.

When I attempt to log in via su all I get is su: Authentication failure, and /var/log/audit/audit.log contains the message:

type=USER_AUTH msg=audit(1421174144.121:1306): pid=25524 uid=1000 auid=1000
ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
msg='op=PAM:authentication grantor=? acct="gjohn" exe="/usr/bin/su"
hostname=? addr=? terminal=pts/1 res=failed'

SELinux is enabled, but I have tried with it disabled and get the same error/message.

Things worth mentioning:

  • The password I'm entering is correct
  • I haven't pressed Caps Lock by accident and there are no other trivial user errors at play as far as I can tell
  • Samba/Winbind are functioning and I get correct output when I do getent passwd: all domain users are displayed with correct UID/GID
  • It isn't only my account that is unable to log in; all accounts are unable to and receive the same error
  • The same thing happens on login attempts through GDM, su, and SSH

I use a Samba/Winbind setup because as far as I can tell if you require idmap ranges for file services you have to. I've tried to use sssd and realmd but have never been able to control the UID and GID ranges which for me matters.

I'm at a loss now because there's very little useful information in /var/log/samba/* despite having increased the log level. I assume it's PAM-related, but I'm still trying to figure out how to monitor output for that end.

Relevant configuration files:

/etc/samba/smb.conf:

[global]
   workgroup = DOMAIN
   realm = DOMAIN.NET
   security = ads
   server string = Workstation
   winbind use default domain = true
   winbind nested groups = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind offline logon = true
   winbind refresh tickets = yes
   winbind cache time = 5
   template shell = /bin/bash
   template homedir = /home/%U
   idmap config * : backend = rid
   idmap config * : range = 10000-20000
   passdb backend = tdbsam
   encrypt passwords = yes
   # logging
   log level = 3
   log file = /var/log/samba/log.%m
   max log size = 50

/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false

/etc/pam.d/password-auth & /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_winbind.so cached_login

Edit: I didn't see this at first because /var/log/messages is now journalctl. At every login attempt I get the error:

Jan 13 11:41:38 ws.domain.net su[27383]: pam_winbind(su-l:auth): getting password (0x00000210)
Jan 13 11:41:38 ws.domain.net su[27383]: pam_winbind(su-l:auth): pam_get_item returned a password
Jan 13 11:41:38 ws.domain.net su[27383]: pam_winbind(su-l:auth): internal module error (retval = PAM_SERVICE_ERR(3), user = 'gjohn')
Jan 13 11:41:40 ws.domain.net su[27383]: FAILED SU (to gjohn) crdc on pts/11
Geoff Johnson
  • Have you checked system time? That one is always a killer. >300s difference in time will cause Kerberos to puke. I don't recall, but I think F21 still has /var/log/secure; what errors do you get there? – Steve Butler Jan 13 '15 at 19:20
  • I forgot to mention that; it was the first thing that I checked. The times are the same and I double checked by setting the local system time using 'net time' to the PDC. I think /var/log/secure was replaced by /var/log/audit/audit.log; the former is no longer present. – Geoff Johnson Jan 13 '15 at 19:34
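As an added example (not part of the question or answer), a small Python classifier for the pam_winbind journal lines quoted above: it separates module/backend return codes such as PAM_SERVICE_ERR(3), which mean winbindd never got as far as checking the password and so point at the winbind/domain-join side, from codes that mean a credential was actually rejected. The sshd sample line, its pid and the user jdoe are constructed for contrast; the code-to-class mapping is an assumption based on standard PAM return-code semantics.

```python
import re
from collections import Counter

# Matches the journal line from the post: "pam_winbind(su-l:auth): internal module error (retval = PAM_SERVICE_ERR(3), user = 'gjohn')"
WINBIND_ERR_RE = re.compile(
    r"pam_winbind\((?P<service>[^:)]+):(?P<stage>\w+)\): internal module error "
    r"\(retval = (?P<retname>PAM_\w+)\((?P<retcode>\d+)\), user = '(?P<user>[^']+)'\)"
)

# Assumption (standard PAM return-code semantics): these codes mean the module failed before it
# could judge the password, so the problem is winbindd/the domain join, not the user's input.
BACKEND_ERRORS = {"PAM_SERVICE_ERR", "PAM_SYSTEM_ERR", "PAM_AUTHINFO_UNAVAIL"}
# These codes mean the credential or account was actually checked and rejected.
CREDENTIAL_ERRORS = {"PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_MAXTRIES"}

def parse_winbind_error(line):
    """Return dict(service, stage, retname, retcode, user) for a pam_winbind error line, else None."""
    m = WINBIND_ERR_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["retcode"] = int(ev["retcode"])
    return ev

def classify(retname):
    """Map a PAM return-code name to the troubleshooting direction it implies."""
    if retname in BACKEND_ERRORS:
        return "backend"
    if retname in CREDENTIAL_ERRORS:
        return "credential"
    return "other"

def summarize(lines):
    """Count pam_winbind failures per class; all 'backend' means check the join, not the users."""
    counts = Counter()
    for line in lines:
        ev = parse_winbind_error(line)
        if ev is not None:
            counts[classify(ev["retname"])] += 1
    return dict(counts)

# Constructed sample: two su lines copied from the post plus a made-up sshd line with a
# credential-type failure for contrast (the second pid and the user name jdoe are invented).
SAMPLE = [
    "Jan 13 11:41:38 ws.domain.net su[27383]: pam_winbind(su-l:auth): internal module error (retval = PAM_SERVICE_ERR(3), user = 'gjohn')",
    "Jan 13 11:41:40 ws.domain.net su[27383]: FAILED SU (to gjohn) crdc on pts/11",
    "Jan 13 11:45:02 ws.domain.net sshd[27401]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTH_ERR(7), user = 'jdoe')",
]
```

Run `summarize(SAMPLE)` to get the per-class counts; a batch made up only of "backend" hits is the signature of the situation in the question, where every account fails identically regardless of password.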

1 Answer


Turns out that it was the account being joined with. I was trying to connect using:

net ads join -U administrator

I figured that because my DNS was resolving correctly that would be fine; it wasn't. I needed to use administrator@DOMAIN.NET as the account to join with.

Geoff Johnson