Description of problem:
My laptop is set up with winbind so I log on using my AD account. Under Fedora 16 I could log in offline, but after upgrading to Fedora 17 that doesn't work anymore. The command I used to set up authentication was

authconfig --enablewinbind --enablewinbindauth --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --enablewinbindoffline --winbindjoin=myadministrator --smbsecurity=ads --smbrealm=mydomain.no --enablesssd --enablecache --enablemkhomedir --smbworkgroup=MYDOMAIN --update

When I have a connection to my AD server it works fine. When I am out of office I can log on using a local user and start my VPN connection. I can then switch user and log on with the AD user.

Version-Release number of selected component (if applicable):
sssd-client-1.8.4-13.fc17.x86_64
sssd-1.8.4-13.fc17.x86_64
sssd-tools-1.8.4-13.fc17.x86_64
samba4-winbind-krb5-locator-4.0.0-47alpha18.fc17.x86_64
samba4-winbind-4.0.0-47alpha18.fc17.x86_64
samba4-winbind-clients-4.0.0-47alpha18.fc17.x86_64

How reproducible:
I have tried rerunning the above command but it does not work.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
With that authconfig configuration, SSSD shouldn't be used (and you should remove the --enablesssd piece). This is most likely a winbind issue, but please include /var/log/secure to confirm.
I redid with --disablesssd, and the issue is still there. This is what I get in /var/log/secure when trying to log in offline:

Aug 13 19:05:33 sch30623-lf gdm-welcome][1076]: pam_unix(gdm-welcome:session): session opened for user gdm by (uid=0)
Aug 13 19:05:34 sch30623-lf polkitd(authority=local): Registered Authentication Agent for unix-session:1 (system bus name :1.31 [gnome-shell --gdm-mode], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=testuser
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_winbind(gdm-password:auth): getting password (0x00000210)
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_winbind(gdm-password:auth): pam_get_item returned a password
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_winbind(gdm-password:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_OBJECT_NAME_NOT_FOUND, Error message was: NT_STATUS_OBJECT_NAME_NOT_FOUND
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_winbind(gdm-password:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'testuser')

Moving issue to samba4.
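Added example, not part of the bug report and not Samba's own code: a small Python triage script that correlates the pam_winbind lines of one login attempt by process ID and separates a module failure (PAM_SYSTEM_ERR, as in the log above) from other failed logons. The function name and the "kind" labels are assumptions made for this example; the sample lines are copied from the comment above.

```python
import re

# Lines copied from the /var/log/secure excerpt in the comment above.
SAMPLE = """\
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=testuser
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_winbind(gdm-password:auth): getting password (0x00000210)
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_winbind(gdm-password:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_OBJECT_NAME_NOT_FOUND, Error message was: NT_STATUS_OBJECT_NAME_NOT_FOUND
Aug 13 19:05:47 sch30623-lf gdm-password][1253]: pam_winbind(gdm-password:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'testuser')
"""

# Syslog prefix; the process tag in this log carries a stray "]" before "[pid]".
PREFIX = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([^\[\]]+)\]?\[(\d+)\]: "
    r"pam_winbind\(([^)]+)\): (.*)$")
FAILED = re.compile(
    r"request (\w+) failed: (\w+), PAM error: (\w+) \(\d+\), NTSTATUS: (\w+)")
USER = re.compile(r"user = '([^']*)'")


def winbind_failures(text):
    """Return one record per failed pam_winbind request, grouped by host/process/pid."""
    events = {}
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a pam_winbind line (pam_unix, polkitd, ...)
        when, host, proc, pid, service, msg = m.groups()
        # Assumption: a pid is not reused within the text being analysed.
        ev = events.setdefault((host, proc, pid), {
            "time": when, "service": service, "user": None, "ntstatus": None})
        failed = FAILED.search(msg)
        if failed:
            (ev["call"], ev["wbc_error"],
             ev["pam_error"], ev["ntstatus"]) = failed.groups()
        user = USER.search(msg)
        if user:
            ev["user"] = user.group(1)  # logged on a later line than the failure
    results = []
    for ev in events.values():
        if ev["ntstatus"] is None:
            continue  # no failed request seen for this process
        system_err = ev["pam_error"] == "PAM_SYSTEM_ERR"
        ev["kind"] = "module_error" if system_err else "auth_failure"
        results.append(ev)
    return results


if __name__ == "__main__":
    for ev in winbind_failures(SAMPLE):
        print(ev["time"], ev["user"], ev["service"], ev["ntstatus"], ev["kind"])
```
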
Let me clarify, you either use winbind or SSSD. Latest SSSD 1.9 has some major improvements for AD interoperability so you might consider using it before drilling down on the winbind side. SSSD 1.8 might be sufficient for you too.
I see sssd 1.9 is in rawhide, but tries to pull in way too many dependencies. I hope it will appear in f17 updates as well. It would be very nice to know how to correctly set it up for AD. Can authconfig be used? I have a test system I can upgrade to f18 beta so I can play with sssd 1.9.
(In reply to comment #4)
> I see sssd 1.9 is in rawhide, but tries to pull in way too many
> dependencies. I hope it will appear in f17 updates as well.
>

It will, after it bakes in F-18 and rawhide.

> It would be very nice to know how to correctly set it up for AD. Can
> authconfig be used? I have a test system I can upgrade to f18 beta so I can
> play with sssd 1.9.

There's a HOWTO available on the SSSD wiki for older SSSD releases (up to 1.8):
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
F-18 should already contain changes to GNOME 3.6 that are described at http://stef.thewalter.net/2012/06/kerberos-and-active-directory-logins.html. In theory, installing F-18 + realmd and using GNOME control center's user accounts management should allow you to configure SSSD for AD usage automatically.
I will test this as soon as either f18 beta pops up in preupgrade (only a few days, right?) or 1.9 hits f17. I really want to look at the gnome integration in f18. Should this bug be left as open, since there seems to be a problem with winbind?
(In reply to comment #7)
> I will test this as soon as either f18 beta pops up in preupgrade (only a
> few days, right?) or 1.9 hits f17. I really want to look at the gnome
> integration in f18.
>

According to http://fedoraproject.org/wiki/Releases/18/Schedule Alpha will be released on 2012-08-28, Beta is still far ahead, the schedule page says 2012-10-02

> Should this bug be left as open, since there seems to be a problem with
> winbind?

Judging by comment #2 I still think that this looks like a winbind bug.
(In reply to comment #6)
> F-18 should already contain changes to GNOME 3.6 that are described at
> http://stef.thewalter.net/2012/06/kerberos-and-active-directory-logins.html.
> In theory, installing F-18 + realmd and using GNOME control center's user
> accounts management should allow you to configure SSSD for AD usage
> automatically.

It is not yet fully baked but will be in the upcoming months.
(In reply to comment #7)
>
> Should this bug be left as open, since there seems to be a problem with
> winbind?

To be able to investigate what winbind is doing here it would be helpful if you can attach your sanitized smb.conf and the winbind log file with debug level set to 10.
Created attachment 609875: smb.conf
I created an issue without being able to find this one; I did search before I created a new ticket. So "linking" here so they both can be found: https://bugzilla.redhat.com/show_bug.cgi?id=868457

Basically it's failing on computing the MD5 of the cached salt + nt_hash.
This should be fixed with samba 4.0 in F18. Please reopen if not.