Bug 979206 - Cannot log in as AD domain user.
Cannot log in as AD domain user.
Product: Fedora
Classification: Fedora
Component: realmd (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Stef Walter
Fedora Extras Quality Assurance
: Reopened
Depends On:
  Show dependency treegraph
Reported: 2013-06-27 19:25 EDT by David Woodhouse
Modified: 2013-07-10 11:53 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-07-10 11:53:02 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description David Woodhouse 2013-06-27 19:25:32 EDT
I used 'realm join --client-software=winbind' to join an Active Directory domain, apparently successfully. My user does appear to exist.

I set 'winbind use default domain=yes' in smb.conf

I cannot log in; my password is not accepted. winbindd says:

Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_TRUST_SAM_ACCOUNT, attempts: 3)
This is again a problem for this particular call, forcing the close of this connection
This is the third problem for this particular call, adding DC to the negative cache list
winbindd_dual_pam_auth_samlogon failed: NT_STATUS_NO_TRUST_SAM_ACCOUNT
Plain-text authentication for user GER\dwoodhou returned NT_STATUS_NO_TRUST_SAM_ACCOUNT (PAM: 4)
Comment 1 David Woodhouse 2013-06-27 19:46:02 EDT
I leave the domain and rejoin it, and now it works. However, I don't get a Kerberos TGT when I log in: 

[root@dwoodhou-mobl3 ~]# ssh dwoodhou@localhost
dwoodhou@localhost's password: 
Last login: Fri Jun 28 00:45:11 2013 from localhost
[dwoodhou@dwoodhou-mobl3 ~]$ klist
klist: No credentials cache found (ticket cache DIR::/run/user/10000/krb5cc/tkt)
[dwoodhou@dwoodhou-mobl3 ~]$
Comment 2 Andreas Schneider 2013-06-28 05:37:23 EDT
You need to correctly configure pam_winbind to get kerberos tickets!
Comment 3 Dmitri Pal 2013-06-28 10:46:22 EDT
This might be a realmd issue not a samba issue. 
I will reopen bug and re-assign to realmd to triage.
Comment 4 David Woodhouse 2013-06-28 14:12:46 EDT
It might be a realmd issue. It didn't add the krb5_auth option to the pam configuration. But even when I did that manually, and also krb5_ccache_type=FILE, it still didn't actually get me a TGT.
Comment 5 David Woodhouse 2013-06-28 14:13:56 EDT
Since this is now assigned to realmd: there *is* a realmd issue too. Running 'kinit dwoodhou' was sufficient to make 'realm join' work without a password when I was using SSSD. But with --client-software=winbind it didn't work; I was still asked for a password and had to provide the '-U dwoodhou' argument.
Comment 6 David Woodhouse 2013-06-29 05:30:28 EDT
The failure to obtain a TGT after I edited the PAM config manually may have been user error. Trying again, it does seem to work now.

However, there are still issues on the winbind side. Firstly, it seems to put the credentials cache in the old location of /tmp/krb5cc_%{uid}. I have to set default_ccache_name in /etc/krb5.conf to match that, or I don't see my credentials when I run 'su dwoodhou' (or, presumably, run things from cron).

Secondly, there is some strangeness with refreshing credentials when I re-authenticate. I logged in to GDM last night and left it, and when I came back in the morning I saw (before unlocking the screen) that it had successfully renewed the TGT. However, when I unlocked the screen, my credentials cache *disappeared*. And was not restored. Trying to reproduce that one now with winbindd at log level 10...
Comment 7 David Woodhouse 2013-07-10 11:53:02 EDT
The original issue went away on rejoining the domain, and I have not been able to reproduce it. Everything else mentioned here is also filed elsewhere, I think:

- winbind using /tmp/krb5cc_%{uid} wants a separate bug if the answer to
  https://bugzilla.redhat.com/show_bug.cgi?id=796429#c2 is 'no'.

- creds cache being deleted is bug 981033

- 'realm join' not working with Kerberos auth is being handled in bug 976593

- realmd's failure to configure pam_winbind properly is bug 983153

Note You need to log in before you can comment on or make changes to this bug.