Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions - Samba



Thread: Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions

  1. Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions

    Hello!

    passwd, shadow and group look as follows in nsswitch.conf:

    passwd: files winbind
    shadow: files
    group: files group

    What really confuses me is that when my AD server is up and running,
    root or any local user logs in with no problem.
    And even when AD server is down, after trying a zillion times, root and
    other local users login, and then if I log them out and try again a few
    minutes later it won't go again, then again after a few minutes it works
    again and it keeps going like that.

    My guess is that when it's not going, pam_winbind and winbind are trying
    to connect to the AD server, resulting in a huge delay in the login
    process, affecting local users' logins too. That's why I was wondering if
    there is a "timeout" option or something for pam_winbind to avoid that.
    Well, that's my guess; I could be wrong and maybe the problem is
    something else.

    Anyway, thanks so far for your help; if you or anyone has a light...

    Andre



    Miles, Noal wrote:
    > You have files before winbind in /etc/nsswitch.conf for passwd, shadow,
    > group?
    >
    > Noal
    >
    > -----Original Message-----
    > From: samba-bounces+noal.miles=tdstelecom.com@lists.samba.org
    > [mailto:samba-bounces+noal.miles=tdstelecom.com@lists.samba.org] On
    > Behalf Of Andre Fernando Goldacker
    > Sent: Wednesday, April 04, 2007 8:40 AM
    > To: samba@lists.samba.org
    > Subject: [Samba] Issue with pam_winbind for MS AD authentication and
    > moduleoptions
    >
    >
    > Hello!
    >
    > I've configured samba with winbind and the pam_winbind module to
    > authenticate users that connect to my linux box against MS AD.
    >
    > Works like a charm. If a user exists both in AD and locally, login
    > should assume the local user. Again, it works pretty well (it seems, at
    > least with my current config).
    >
    > If my AD server goes down for any reason, local users should be able to
    > login. For example, root has to login always no matter if my AD server
    > exploded.
    >
    > That's where the problem is. When I shut down my AD server and try to
    > login with a local user (root as well), my guess is that pam_winbind
    > waits for a very, very long time trying to find my AD server to
    > authenticate, so that even the local login times out. I don't really know
    > if that is the reason for this behaviour, but if it is, I'm wondering if
    > there is a hidden or maybe a new "timeout" option for the pam_winbind
    > module, as I didn't find anything related in the man pages and the
    > mailing list archive. Or maybe, if login finds the user in the local
    > database, bypass winbind authentication; I don't know if that is possible.
    >
    > The reason why I came up with this idea is that when the AD server is
    > down and I try to login with root, for eg., over and over many times,
    > after a while it goes (looks like the pam config order is right), but a
    > few minutes later it won't again, which made me think that perhaps
    > winbind or pam_winbind are trying to establish a connection with AD and
    > somehow because of that the whole process slows down so much that even
    > local login times out.
    >
    > Samba is configured to catch UIDs and GIDs from AD using SFU and the ad
    > idmap backend. Only users that are members of a specified AD group are
    > able to login. The purpose of the machine is to be an application server
    > and share folders based on AD users and group permissions.
    >
    > My system is RHEL AS3 with update 7 and samba-3.0.24
    >
    > Below are my pam lines in the system-auth file:
    >
    > #%PAM-1.0
    > # This file is auto-generated.
    > # User changes will be destroyed the next time authconfig is run.
    > auth required /lib/security/$ISA/pam_env.so
    > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    > auth sufficient /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
    > auth required /lib/security/$ISA/pam_deny.so
    >
    > account required /lib/security/$ISA/pam_unix.so nullok_secure
    > account sufficient /lib/security/$ISA/pam_winbind.so
    >
    > password required /lib/security/$ISA/pam_cracklib.so retry=3
    > password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    > password required /lib/security/$ISA/pam_deny.so
    >
    > session required /lib/security/$ISA/pam_limits.so
    > session required /lib/security/$ISA/pam_unix.so
    > session required /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel
    >
    > Considering that if a user exists both in the local user database and
    > AD, login has to assume the local user (seems to be working fine), could
    > someone give me a hint if I'm on the right path, and maybe an idea why,
    > or what I could do so that when my AD server goes down my local users
    > (including root) log in normally??
    >
    > Any help will be greatly appreciated,
    >
    > Andre
    >
    >

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions

    I made a mistake, group in nsswitch.conf looks like this:

    group: files winbind

    sorry about that!!

    Andre


  3. RE: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions

    I haven't tested it, but perhaps this pam entry in system-auth will help
    (insert it before the winbind account entry):

    account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet

    Noal

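    To see why the posted `account` stack still reaches winbindd for root, and what Noal's line changes, here is an added simulation of the Linux-PAM control-flag rules over the thread's `account` entries (my example, not code from the thread or from Samba). The user records and uids are constructed, and module results are modelled rather than obtained from PAM.

```python
"""Simulate Linux-PAM control-flag semantics for the `account` stack posted
in this thread.  Nothing here loads PAM or talks to winbindd: module results
are modelled, and the point is the control flow of required vs sufficient."""
from dataclasses import dataclass, field

PAM_SUCCESS, PAM_USER_UNKNOWN, PAM_AUTH_ERR = "SUCCESS", "USER_UNKNOWN", "AUTH_ERR"

# Constructed account data (not from the thread).  NSS order is
# `passwd: files winbind`, so both local and domain users resolve to a uid.
LOCAL_USERS = {"root": 0, "andre": 500}
DOMAIN_USERS = {"DOMAIN+jdoe": 10000}          # uid as if mapped by idmap_ad/SFU
NSS_PASSWD = {**LOCAL_USERS, **DOMAIN_USERS}


@dataclass
class Trace:
    called: list = field(default_factory=list)  # modules invoked, in order


def run_module(name, args, user, trace):
    """Modelled results for the modules that appear in the posted system-auth."""
    trace.called.append(name)
    if name == "pam_unix.so":
        # Account check passes for any user NSS can resolve (no expiry modelled).
        return PAM_SUCCESS if user in NSS_PASSWD else PAM_USER_UNKNOWN
    if name == "pam_winbind.so":
        # The real module asks winbindd here; with the DC unreachable this is
        # the call that stalls.  Modelled as: known only for domain users.
        return PAM_SUCCESS if user in DOMAIN_USERS else PAM_USER_UNKNOWN
    if name == "pam_succeed_if.so":
        # Only the `uid < N` form from Noal's suggestion is modelled.
        limit = int(args[args.index("<") + 1])
        uid = NSS_PASSWD.get(user)
        return PAM_SUCCESS if uid is not None and uid < limit else PAM_AUTH_ERR
    raise ValueError(f"unmodelled module {name}")


def evaluate_stack(stack, user):
    """Apply the classic control flags: required, requisite, sufficient, optional."""
    trace = Trace()
    failed = None                      # first failure from a required module
    for control, module, *args in stack:
        rc = run_module(module, args, user, trace)
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc, trace                         # fail and stop at once
        if control == "required" and rc != PAM_SUCCESS:
            failed = failed or rc                    # remember, but keep going
        elif control == "sufficient" and rc == PAM_SUCCESS and failed is None:
            return PAM_SUCCESS, trace                # short-circuit the stack
        elif control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unknown control flag {control}")
        # a failing sufficient or optional module does not change the result
    return failed or PAM_SUCCESS, trace


# The `account` lines from Andre's system-auth, as (control, module, args...).
POSTED_ACCOUNT_STACK = [
    ("required", "pam_unix.so", "nullok_secure"),
    ("sufficient", "pam_winbind.so"),
]

# The same stack with Noal's line inserted before the winbind entry.
PATCHED_ACCOUNT_STACK = [
    ("required", "pam_unix.so", "nullok_secure"),
    ("sufficient", "pam_succeed_if.so", "uid", "<", "100", "quiet"),
    ("sufficient", "pam_winbind.so"),
]


def winbind_consulted(stack, user):
    """Return (final result, whether pam_winbind ran) for `user` on `stack`."""
    rc, trace = evaluate_stack(stack, user)
    return rc, "pam_winbind.so" in trace.called


if __name__ == "__main__":
    for user in ("root", "andre", "DOMAIN+jdoe"):
        print(user, winbind_consulted(POSTED_ACCOUNT_STACK, user),
              winbind_consulted(PATCHED_ACCOUNT_STACK, user))
```

    Note the `andre` (uid 500) case: the `uid < 100` rule only covers system accounts, so ordinary local users still fall through to pam_winbind. The model covers PAM only; with `group: files winbind` the login's initgroups() group lookup can still reach winbindd for a local user, which is a separate path from the PAM stack.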

  4. Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions

    I have tested it, but it didn't make any difference, unfortunately.
    Perhaps my pam config is still wrong, I don't know, but it looks like a
    small bug to me that maybe has not been noticed yet, and if so, perhaps
    a timeout option in pam_winbind could do the job, who knows!!

    cheers,

    Andre
