Bug 160025
Summary: | Telnet will not authenticate via winbind. krb5-telnet will. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Stuart <swestbury> |
Component: | util-linux | Assignee: | Karel Zak <kzak> |
Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Priority: | medium |
Version: | 3 | Hardware: | i686 |
OS: | Linux | Doc Type: | Bug Fix |
Last Closed: | 2005-09-08 10:46:46 UTC | ||
Description
Stuart
2005-06-10 03:56:10 UTC
/etc/pam.d/system-auth-winbind

```
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
```

/etc/pam.d/login

```
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth-winbind
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth-winbind
password   required     pam_stack.so service=system-auth-winbind
session    required     pam_stack.so service=system-auth-winbind
session    required     pam_mkhomedir.so umask=0022
session    optional     pam_console.so
```

/etc/samba/smb.conf (real domain and IP info replaced)

```
[global]
workgroup = AU
server string = Pulse Server
log file = /var/log/samba/%m.log
max log size = 50
security = ads
winbind enum users = yes
winbind gid = 10000-20000
winbind enum groups = yes
winbind uid = 10000-20000
winbind cache time = 300
winbind use default domain = yes
winbind separator = +
realm = AU.COMPANY.INT
template shell = /bin/bash
password server = *
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 10.60.100.2
dns proxy = no
```

It seems now that krb5-telnet will authenticate without winbind support at all. I presume this is the krb5 services working in the background. Forgive my ignorance here. The problem still exists though.
I installed the dovecot pop3 service and changed its pam.d config to the following:

/etc/pam.d/dovecot

```
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth-winbind
account    required     pam_stack.so service=system-auth-winbind
session    required     pam_stack.so service=system-auth-winbind
```

This will grant a domain user access via winbind.

```
+OK dovecot ready.
user test
+OK
pass password
+OK Logged in.
```

Then the following message appears in /var/log/messages

```
Jun 10 16:01:46 pmsproxy pam_winbind[1935]: user 'test' granted access
```

It might be worth noting that a server we maintain that is running "Red Hat Enterprise Linux AS release 3" does not have this problem and is configured in the same way. This server uses:

samba-3.0.9-1.3E.2
telnet-server-0.17-26

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160025

The telnet server does no authentication at all. It just calls /bin/login. All you see from a telnet login is from the client and /bin/login. So I reassign this bug to util-linux.

I have now attempted a local login at the terminal and this works! This suggests to me that login is working, but the way telnetd calls it or something is not right. I have updated to the latest util-linux package (util-linux-2.12a-24.2), but this has not changed anything. I am now applying all updates on a test system here and will comment again if anything changes. Is this still the right spot if login works at the terminal?

Thanks,
Stuart

The telnetd calls "/bin/login -h" and it means "remote" login. The login with "-h" option uses /etc/pam.d/remote instead of /etc/pam.d/login.
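The closing comment explains the symptom: a console login is evaluated against /etc/pam.d/login, while telnetd's `login -h` is evaluated against /etc/pam.d/remote. The sketch below is an added example, not code from the report or from util-linux; it follows `pam_stack.so service=` includes to show which service files actually reach `pam_winbind.so`. The contents of `remote` and `system-auth` are assumptions, since the report does not quote them.

```python
# Constructed sample data. "system-auth-winbind" and "login" copy the auth lines
# quoted in the report; "system-auth" and "remote" are assumed contents.
SERVICES = {
    "system-auth-winbind": """auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so""",
    "system-auth": """auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so""",
    "login": """auth required pam_securetty.so
auth required pam_stack.so service=system-auth-winbind
auth required pam_nologin.so""",
    "remote": """auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so""",
}


def auth_modules(service, services=SERVICES, seen=()):
    """List the auth modules a service runs, following pam_stack.so includes."""
    if service in seen or service not in services:
        return []  # include loop or missing file: nothing to add
    modules = []
    for line in services[service].splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue  # skip comments, blanks and non-auth stacks
        name = fields[2].rsplit("/", 1)[-1]  # drop the /lib/security/ prefix
        target = [a[8:] for a in fields[3:] if a.startswith("service=")]
        if name == "pam_stack.so" and target:
            modules += auth_modules(target[0], services, seen + (service,))
        else:
            modules.append(name)
    return modules


def reaches_winbind(service, services=SERVICES):
    """True if pam_winbind.so appears anywhere in the service's auth stack."""
    return "pam_winbind.so" in auth_modules(service, services)


if __name__ == "__main__":
    for svc in ("login", "remote"):  # console login vs. telnetd's "login -h"
        print(f"{svc:7} reaches pam_winbind: {reaches_winbind(svc)}")
```

To check a real host, build the `services` mapping from the files under /etc/pam.d instead of the inline sample.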