I had my Fedora 21 workstation connected to my AD domain and working for about a month, and all was well, and then I came in one morning and couldn't log in. My initial response was to blame Win2013 and AD, but after a little digging in the event viewer I wasn't able to find any errors, and coupled with the fact that I can successfully log in to all other Linux AD members (Fedora 19/20, CentOS 6, Debian 6/7), it does not appear to be the source of the issue.
When I attempt to log in via su, all I get is "su: Authentication failure", and /var/log/audit/audit.log contains the message:
type=USER_AUTH msg=audit(1421174144.121:1306): pid=25524 uid=1000 auid=1000
ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:authentication grantor=? acct="gjohn" exe="/usr/bin/su"
hostname=? addr=? terminal=pts/1 res=failed'
SELinux is enabled, but I have tried with it disabled and get the same error/message.
Things worth mentioning:
- The password I'm entering is correct
- I haven't pressed Caps Lock by accident and there are no other trivial user errors at play as far as I can tell
- Samba/Winbind are functioning and I get correct output when I do getent passwd: all domain users are displayed with correct UID/GID
- It isn't only my account that is unable to log in; all accounts are unable and receive the same error
- The same thing happens on login attempts through GDM, su, and SSH
I use a Samba/Winbind setup because as far as I can tell if you require idmap ranges for file services you have to. I've tried to use sssd and realmd but have never been able to control the UID and GID ranges which for me matters.
I'm at a loss now because there's very little useful information in /var/log/samba/* despite having increased the log level. I assume it's PAM related but I'm still trying to figure out how to monitor output for that end.
Relevant configuration files:
/etc/samba/smb.conf:
[global]
workgroup = DOMAIN
realm = DOMAIN.NET
security = ads
server string = Workstation
winbind use default domain = true
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = true
winbind refresh tickets = yes
winbind cache time = 5
template shell = /bin/bash
template homedir = /home/%U
idmap config * : backend = rid
idmap config * : range = 10000-20000
passdb backend = tdbsam
encrypt passwords = yes
# logging
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
/etc/pam.d/password-auth & /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_winbind.so cached_login
Edit: I didn't see this at first because /var/log/messages is now journalctl; at every login attempt I get the error:
Jan 13 11:41:38 ws.domain.net su[27383]: pam_winbind(su-l:auth): getting password (0x00000210)
Jan 13 11:41:38 ws.domain.net su[27383]: pam_winbind(su-l:auth): pam_get_item returned a password
Jan 13 11:41:38 ws.domain.net su[27383]: pam_winbind(su-l:auth): internal module error (retval = PAM_SERVICE_ERR(3), user = 'gjohn')
Jan 13 11:41:40 ws.domain.net su[27383]: FAILED SU (to gjohn) crdc on pts/11
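To see why the stack quoted above ends in "Authentication failure" once pam_winbind reports PAM_SERVICE_ERR, here is an added example (not from the original post or from Linux-PAM itself) that models the control-flag semantics documented in pam.conf(5) (required / requisite / sufficient / optional and the bracketed [value=action] form) and walks the auth lines of the posted system-auth file. The per-module return codes it feeds in are constructed assumptions for a domain user with a rid-mapped UID and for a local user with a wrong password; jump actions (numeric values) are deliberately not modelled.

```python
import re

# Linux-PAM return codes used below (values as in _pam_types.h; the journal
# line in the question shows pam_winbind returning PAM_SERVICE_ERR(3)).
PAM_SUCCESS, PAM_SERVICE_ERR, PAM_PERM_DENIED = 0, 3, 6
PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_NEW_AUTHTOK_REQD, PAM_IGNORE = 7, 10, 12, 25

RETVAL_NAMES = {PAM_SUCCESS: "success", PAM_SERVICE_ERR: "service_err",
                PAM_PERM_DENIED: "perm_denied", PAM_AUTH_ERR: "auth_err",
                PAM_USER_UNKNOWN: "user_unknown",
                PAM_NEW_AUTHTOK_REQD: "new_authtok_reqd", PAM_IGNORE: "ignore"}

# Keyword controls expanded as pam.conf(5) documents them.
KEYWORD_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# The auth lines of the system-auth file quoted in the question.
SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so
"""

LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def parse_stack(text, facility):
    """Return [(module, {retval_name: action})] for one facility, e.g. 'auth'."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line.lstrip("-"))  # leading '-' only silences a missing module
        if not m or m.group(1) != facility:
            continue
        control = KEYWORD_CONTROLS.get(m.group(2), m.group(2))
        actions = dict(tok.split("=", 1) for tok in control.strip("[]").split())
        stack.append((m.group(3), actions))
    return stack


def dispatch(stack, results):
    """Walk the stack the way Linux-PAM's dispatcher does (named actions only).

    results maps module name -> simulated return code. Returns (status, trace).
    """
    UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"
    impression, status, trace = UNDEF, PAM_PERM_DENIED, []
    for module, actions in stack:
        retval = results[module]
        action = actions.get(RETVAL_NAMES[retval], actions["default"])
        trace.append((module, RETVAL_NAMES[retval], action))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if impression != NEGATIVE:     # first failure fixes the stack's status
                impression, status = NEGATIVE, retval
            if action == "die":
                break                      # requisite: stop right here
        elif action in ("ok", "done"):
            if impression == UNDEF or (impression == POSITIVE and status == PAM_SUCCESS):
                impression, status = POSITIVE, retval
            if action == "done" and impression == POSITIVE:
                break                      # sufficient success with no earlier failure
        elif action == "reset":
            impression, status = UNDEF, PAM_PERM_DENIED
        else:
            raise ValueError(f"jump action {action!r} is not modelled here")
    return status, trace


AUTH_STACK = parse_stack(SYSTEM_AUTH, "auth")

# Constructed module results: pam_unix has no shadow entry for a domain user,
# pam_succeed_if passes because the rid-mapped UID is >= 10000.
DOMAIN_USER = {"pam_env.so": PAM_SUCCESS, "pam_unix.so": PAM_USER_UNKNOWN,
               "pam_succeed_if.so": PAM_SUCCESS, "pam_deny.so": PAM_AUTH_ERR}


def domain_login(winbind_retval):
    """Outcome for a domain user when pam_winbind returns the given code."""
    return dispatch(AUTH_STACK, {**DOMAIN_USER, "pam_winbind.so": winbind_retval})


def local_login_bad_password():
    """A uid < 1000 local user with a wrong password never reaches winbind."""
    results = {**DOMAIN_USER, "pam_unix.so": PAM_AUTH_ERR,
               "pam_succeed_if.so": PAM_AUTH_ERR, "pam_winbind.so": PAM_SUCCESS}
    return dispatch(AUTH_STACK, results)


if __name__ == "__main__":
    for label, (status, trace) in [("winbind error", domain_login(PAM_SERVICE_ERR)),
                                   ("winbind ok", domain_login(PAM_SUCCESS)),
                                   ("local bad pw", local_login_bad_password())]:
        print(f"{label}: status={status} ({RETVAL_NAMES[status]})")
        for step in trace:
            print("   ", *step)
```

The trace for the error case shows the mechanism: because pam_winbind is "sufficient", any non-success return (PAM_SERVICE_ERR included) is simply ignored rather than reported, so control falls through to the "required" pam_deny.so, whose PAM_AUTH_ERR becomes the stack's result and is what su prints as "Authentication failure". That is why the real cause only surfaces in the journal (the pam_winbind "internal module error" line) and not in the audit record, which just reports res=failed with grantor=?.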