Bug 235213 - pam_winbind failure
Summary: pam_winbind failure
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 6
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-04-04 15:37 UTC by Vadym Chepkov
Modified: 2007-11-30 22:12 UTC

Fixed In Version: 3.0.24-4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-11 15:23:08 UTC
Type: ---
Embargoed:



Description Vadym Chepkov 2007-04-04 15:37:12 UTC
Description of problem:

Package samba-common-3.0.24-3.fc6
pam_winbind fails unexpectedly when the user doesn't exist in the ADS domain

pam_winbind.so is called with the unknown_ok argument (which is not listed in the manual
page, while the argument silent, which is in the man page, in fact isn't accepted)


Actual results:

Apr  4 11:13:13 pegasus pam_winbind[5144]: request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
Apr  4 11:13:13 pegasus pam_winbind[5144]: request failed, but PAM error 0!
Apr  4 11:13:13 pegasus pam_winbind[5144]: internal module error (retval = 3, user = `root')


Expected results:

Should return PAM_IGNORE

Comment 1 Guenther Deschner 2007-04-05 14:59:01 UTC
Simo, this we have fixed with 3.0.24-5.fc7 already.

Comment 2 Simo Sorce 2007-04-06 22:10:21 UTC
Thank you for the report, I have pushed to FC5 and FC6 the fixes we had in
rawhide, please reopen the bug if the new package still gives you problems.

Comment 3 Vadym Chepkov 2007-04-11 11:39:56 UTC
I just got 
samba-client-3.0.24-4.fc6
samba-common-3.0.24-4.fc6

# grep winbind /etc/pam.d/system-auth
auth        sufficient    pam_winbind.so unknown_ok
account     sufficient    pam_winbind.so unknown_ok
session     sufficient    pam_winbind.so unknown_ok

As I said earlier, I found the argument unknown_ok in the source code; it is not
listed in the pam_winbind man page, and the listed argument silent in fact doesn't exist.


The problem still exists, but it now looks different:

Apr 11 07:34:45 pegasus pam_winbind[10673]: request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
Apr 11 07:34:45 pegasus pam_winbind[10673]: request failed


Comment 4 Guenther Deschner 2007-04-11 15:25:48 UTC
Right, the "silent" option can currently only be enabled when using a
/etc/security/pam_winbind.conf config file (which we do not package yet).

Let me rephrase this bug:
you're trying to log in with a local user (and you have pam_winbind in the PAM
stack), correct?
And that local login fails, as pam_winbind does not return the correct error
code (PAM_IGNORE), right?

Comment 5 Vadym Chepkov 2007-04-11 15:28:01 UTC
Yes, this is correct


Comment 6 Guenther Deschner 2007-05-11 15:23:08 UTC
Ok, your PAM configuration seems to be self-written (not generated by authconfig).

Just make sure you have 
account     sufficient    pam_localuser.so
before the 
account     sufficient    pam_winbind.so unknown_ok

then your pam configuration should work.

authconfig will have this fixed and work by default on Fedora 7.

Closing this bug now.
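
An added example, not part of the bug thread and not code from Samba or authconfig: a small Python check for the ordering described in comment 6, reporting pam_winbind.so rules that are not preceded by a "sufficient pam_localuser.so" rule of the same type. The function names and both sample stacks are constructed for illustration.

```python
import os
import re

# type, control (plain word or [bracketed]), module path, optional arguments
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_stack(text):
    """Yield (lineno, type, control, module, args) for each rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments
        m = PAM_LINE.match(line)
        if m:                                   # skips blank and malformed lines
            ptype, control, module, args = m.groups()
            yield lineno, ptype, control, os.path.basename(module), args.split()

def winbind_before_localuser(text, ptype="account"):
    """Return line numbers of pam_winbind.so rules of the given type that are
    not preceded by a 'sufficient pam_localuser.so' rule of the same type."""
    localuser_seen = False
    bad = []
    for lineno, t, control, module, _args in parse_pam_stack(text):
        if t != ptype:
            continue
        if module == "pam_localuser.so" and control == "sufficient":
            localuser_seen = True
        elif module == "pam_winbind.so" and not localuser_seen:
            bad.append(lineno)
    return bad

# Constructed sample stacks (hypothetical, not copied from a real system).
REPORTED = """\
auth        sufficient    pam_unix.so nullok
auth        sufficient    pam_winbind.so unknown_ok
account     required      pam_unix.so
account     sufficient    pam_winbind.so unknown_ok
session     sufficient    pam_winbind.so unknown_ok
"""
REORDERED = """\
account     required      pam_unix.so
account     sufficient    pam_localuser.so   # added per comment 6
account     sufficient    pam_winbind.so unknown_ok
"""

if __name__ == "__main__":
    for name, stack in (("reported", REPORTED), ("reordered", REORDERED)):
        print(name, winbind_before_localuser(stack) or "ok")
```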

