Bug 235213 - pam_winbind failure
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: samba
Version: 6
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Guenther Deschner
QA Contact: David Lawrence
Keywords: Reopened
Reported: 2007-04-04 11:37 EDT by Vadym Chepkov
Modified: 2007-11-30 17:12 EST
Fixed In Version: 3.0.24-4
Doc Type: Bug Fix
Last Closed: 2007-05-11 11:23:08 EDT
Description Vadym Chepkov 2007-04-04 11:37:12 EDT
Description of problem:

Package samba-common-3.0.24-3.fc6
pam_winbind fails unexpectedly when user doesn't exist in ADS domain

pam_winbind.so is called with the unknown_ok argument (which is not listed in the manual
page, while the argument silent, which is in the man page, is in fact not accepted)


Actual results:

Apr  4 11:13:13 pegasus pam_winbind[5144]: request failed: No such user, PAM
error was User not known to the underlying authentication module (10), NT error
was NT_STATUS_NO_SUCH_USER
Apr  4 11:13:13 pegasus pam_winbind[5144]: request failed, but PAM error 0!
Apr  4 11:13:13 pegasus pam_winbind[5144]: internal module error (retval = 3,
user = `root')


Expected results:

Should return PAM_IGNORE
Comment 1 Guenther Deschner 2007-04-05 10:59:01 EDT
Simo, we have fixed this with 3.0.24-5.fc7 already.
Comment 2 Simo Sorce 2007-04-06 18:10:21 EDT
Thank you for the report. I have pushed to FC5 and FC6 the fixes we had in
rawhide; please reopen the bug if the new package still gives you problems.
Comment 3 Vadym Chepkov 2007-04-11 07:39:56 EDT
I just got 
samba-client-3.0.24-4.fc6
samba-common-3.0.24-4.fc6

# grep winbind /etc/pam.d/system-auth
auth        sufficient    pam_winbind.so unknown_ok
account     sufficient    pam_winbind.so unknown_ok
session     sufficient    pam_winbind.so unknown_ok

As I said earlier, I found the argument unknown_ok in the source code; it is not
listed in the pam_winbind man page, and the listed argument silent in fact doesn't exist.

The problem still exists, but it now looks different:

Apr 11 07:34:45 pegasus pam_winbind[10673]: request failed: No such user, PAM
error was User not known to the underlying authentication module (10), NT error
was NT_STATUS_NO_SUCH_USER
Apr 11 07:34:45 pegasus pam_winbind[10673]: request failed
Comment 4 Guenther Deschner 2007-04-11 11:25:48 EDT
Right, the "silent" option can currently only be enabled when using a
/etc/security/pam_winbind.conf config file (which we do not package yet).

Let me rephrase this bug:
you're trying to log in with a local user (and you have pam_winbind in the PAM
stack), correct?
And that local login fails, as pam_winbind does not return the correct error
code (PAM_IGNORE), right?
Comment 5 Vadym Chepkov 2007-04-11 11:28:01 EDT
Yes, this is correct
Comment 6 Guenther Deschner 2007-05-11 11:23:08 EDT
Ok, your PAM configuration seems to be self-written (not generated by authconfig).

Just make sure you have 
account     sufficient    pam_localuser.so
before the 
account     sufficient    pam_winbind.so unknown_ok

then your pam configuration should work.

authconfig will have this fixed and work by default on Fedora 7.

Closing this bug now.
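
The ordering recommended in comment 6 can be checked mechanically on hand-written PAM files. The script below is an added example, not code from the bug report or from Samba; the function names and both sample stacks are constructed for illustration (only the pam_winbind lines come from comment 3 and the pam_localuser line from comment 6).

```python
import re

# One /etc/pam.d rule: type, control (keyword or [bracketed]), module, arguments.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module basename, args) for every rule line."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        m = RULE.match(line.split("#", 1)[0].strip())     # drop comments
        if m:
            mtype, control, module, args = m.groups()
            rules.append((mtype, control, module.rsplit("/", 1)[-1], args.split()))
    return rules

def winbind_account_findings(text):
    """Flag an account stack that reaches pam_winbind.so without first
    passing a 'sufficient pam_localuser.so' rule (the ordering from comment 6)."""
    account = [r for r in parse_pam(text) if r[0] == "account"]
    modules = [r[2] for r in account]
    if "pam_winbind.so" not in modules:
        return []
    first_winbind = modules.index("pam_winbind.so")
    for _, control, module, _ in account[:first_winbind]:
        if module == "pam_localuser.so" and control == "sufficient":
            return []
    return ["account: no 'sufficient pam_localuser.so' before pam_winbind.so"]

# Constructed sample: the pam_winbind lines are the ones quoted in comment 3,
# the pam_unix line is filler added for this example.
REPORTED = """\
auth        sufficient    pam_winbind.so unknown_ok
account     required      pam_unix.so
account     sufficient    pam_winbind.so unknown_ok
session     sufficient    pam_winbind.so unknown_ok
"""

# Constructed sample: same stack with the line from comment 6 added.
FIXED = REPORTED.replace(
    "account     sufficient    pam_winbind.so",
    "account     sufficient    pam_localuser.so\naccount     sufficient    pam_winbind.so",
)

if __name__ == "__main__":
    for name, text in (("reported", REPORTED), ("fixed", FIXED)):
        print(name, winbind_account_findings(text) or "ok")
```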
