Bug 235213 - pam_winbind failure
Summary: pam_winbind failure
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: samba   
(Show other bugs)
Version: 6
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords: Reopened
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-04-04 15:37 UTC by Vadym Chepkov
Modified: 2007-11-30 22:12 UTC (History)
2 users (show)

Fixed In Version: 3.0.24-4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-11 15:23:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Vadym Chepkov 2007-04-04 15:37:12 UTC
Description of problem:

Package samba-common-3.0.24-3.fc6
pam_winbind fails unexpectedly when user doesn't exist in ADS domain

pam_winbind.so is called with unknown_ok argument (which is not listed at manual
page, but argument silent which is in the man page in fact doesn't acceptable)


Actual results:

Apr  4 11:13:13 pegasus pam_winbind[5144]: request failed: No such user, PAM
error was User not known to the underlying authentication module (10), NT error
was NT_STATUS_NO_SUCH_USER
Apr  4 11:13:13 pegasus pam_winbind[5144]: request failed, but PAM error 0!
Apr  4 11:13:13 pegasus pam_winbind[5144]: internal module error (retval = 3,
user = `root')


Expected results:

Should return PAM_IGNORE

Comment 1 Guenther Deschner 2007-04-05 14:59:01 UTC
Simo, this we have fixed with 3.0.24-5.fc7 already.

Comment 2 Simo Sorce 2007-04-06 22:10:21 UTC
Thank you for the report, I have pushed to FC5 and FC6 the fixes we had in
rawhide, please reopen the bug is the new package still gives you problems.

Comment 3 Vadym Chepkov 2007-04-11 11:39:56 UTC
I just got 
samba-client-3.0.24-4.fc6
samba-common-3.0.24-4.fc6

# grep winbind /etc/pam.d/system-auth
auth        sufficient    pam_winbind.so unknown_ok
account     sufficient    pam_winbind.so unknown_ok
session     sufficient    pam_winbind.so unknown_ok

As I said earlier, I found argument unknown_ok in the source code, it is not
listed at the pam_winbind man page and listed argument silent in fact doesn't exist.


The problem still exist, but it now looks different:

Apr 11 07:34:45 pegasus pam_winbind[10673]: request failed: No such user, PAM
error was User not known to the underlying authentication module (10), NT error
was NT_STATUS_NO_SUCH_USER
Apr 11 07:34:45 pegasus pam_winbind[10673]: request failed


Comment 4 Guenther Deschner 2007-04-11 15:25:48 UTC
Right, the "silent" option can currently only be enabled when using a
/etc/security/pam_winbind.conf config file (which we do not package yet).

Let me rephrase this bug:
you're trying to login with a local user (and you have pam_winbind) in the PAM
stack, correct?
And that local login fails, as pam_winbind does not return the correct error
code (PAM_IGNORE), right?

Comment 5 Vadym Chepkov 2007-04-11 15:28:01 UTC
Yes, this is correct


Comment 6 Guenther Deschner 2007-05-11 15:23:08 UTC
Ok, your PAM configration seems to be selfwritten (not generated by authconfig).

Just make sure you have 
account     sufficient    pam_localuser.so
before the 
account     sufficient    pam_winbind.so unknown_ok

then your pam configuration should work.

authconfig will have this fixed and work by default on Fedora 7.

Closing this bug now.


Note You need to log in before you can comment on or make changes to this bug.