# Authenticating domain users via PAM [SOLVED]

## szaszka

Dear Gentoo Users,

I have a Gentoo server running Samba 4 on it as active directory domain controller.

And I have a Gentoo workstation running Samba 4 on it as active directory domain member. I joined the domain following the instructions in this howto: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Unfortunately, the last step in the above howto (Verify domain user login) doesn't work. Looking at the journal, the following can be read:

 *Quote:*   

> szept 07 19:03:44 porta.irodaihalozat.kkik.hu login[895]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost=  user=IRODAIHALOZAT\porta
> 
> szept 07 19:03:44 porta.irodaihalozat.kkik.hu login[895]: pam_winbind(login:auth): getting password (0x00000010)
> 
> szept 07 19:03:44 porta.irodaihalozat.kkik.hu login[895]: pam_winbind(login:auth): pam_get_item returned a password
> ...

 

Does anyone have any idea what I should try in order to get the login working on the local console (or remotely, via sshd) with a domain user account?

Thank You in advance!

Sincerely,

Endre István Szász

Last edited by szaszka on Fri Sep 09, 2016 5:59 am; edited 1 time in total

----------

## szaszka

The original content of the /etc/pam.d/system-auth was:

 *Quote:*   

> auth required        pam_env.so 
> 
> auth            required        pam_unix.so try_first_pass likeauth nullok 
> 
> auth            optional        pam_permit.so
> ...

 

Based on the above mentioned howto, I modified it in the following way:

 *Quote:*   

> auth            required        pam_env.so 
> 
> auth            sufficient      pam_unix.so try_first_pass likeauth nullok 
> 
> auth            sufficient      pam_winbind.so use_first_pass
> ...

 

----------

## szaszka

I had to add the following settings to the workstation's smb.conf:

 *Quote:*   

> winbind nss info = rfc2307
> 
> winbind enum users = Yes
> 
> winbind enum groups = Yes
> ...

 

After that, it started to work, but still not in the way it should, because it doesn't create the domain user's home directory automatically (even if I created a directory manually in /home with the name of the workgroup), and it permits the user to log in even if a wrong password is provided:

 *Quote:*   

> endre@tarolo ~ $ ssh -p 2206 -l "IRODAIHALOZAT\porta" 192.168.100.200
> 
> Password: 
> ...

 

Most probably the problem is, that I misconfigured the /etc/pam.d/system-auth. Can someone help me doing the right modifications on the files in /etc/pam.d, please?

The log of the current behavior is the following:

 *Quote:*   

> szept 07 21:50:10 porta.irodaihalozat.kkik.hu login[1513]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty3 ruser= rhost=  user=IRODAIHALOZAT\porta
> 
> szept 07 21:50:10 porta.irodaihalozat.kkik.hu login[1513]: pam_winbind(login:auth): getting password (0x00000010)
> 
> szept 07 21:50:10 porta.irodaihalozat.kkik.hu login[1513]: pam_winbind(login:auth): pam_get_item returned a password
> ...

 

The current /etc/pam.d/system-auth is:

 *Quote:*   

> auth            required        pam_env.so 
> 
> auth            sufficient      pam_unix.so try_first_pass likeauth nullok 
> ...

 

----------

## szaszka

In the /etc/pam.d/system-auth, after the "session         required        pam_unix.so" line I added:

 *Quote:*   

> session         sufficient      pam_winbind.so mkhomedir

 

After that, during the next login, the home directory was created.

The problem that it doesn't deny the login if I type an incorrect password in still has to be resolved. Please help me if someone knows what's wrong with my config.

----------

## Syl20

I think the problem is there isn't a final "deny" directive in the PAM auth configuration. pam_unix and pam_winbind are "sufficient", not "required|requisite", and the optional pam_permit directive confirms the opening. You should replace the pam_permit directive with this one:

```
auth   required   pam_deny.so
```

Keep at least one root session open when doing such a change. If PAM is misconfigured, it could deny every connection attempt, even if it should be legitimate. And root doesn't necessarily have more privileges than another account for PAM.
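
To make the stacking rule behind this answer visible, here is an added Python simulator of Linux-PAM's control-flag semantics (required, requisite, sufficient, optional), run over the three auth stacks the posts show. It is an added example, not code from the thread or from the Samba or Linux-PAM projects. The module return values are constructed stand-ins rather than real PAM calls: pam_unix.so and pam_winbind.so succeed only when the password is right, pam_deny.so always fails, and pam_env.so and pam_permit.so always succeed. The stacks are reconstructed from the auth lines quoted in the posts; the rest of system-auth is left out. It goes slightly beyond the thread by modelling all four classic control flags, so the same evaluator can be pointed at other stacks.

```python
"""Simulate Linux-PAM auth-stack evaluation for the stacks shown in this thread.

Added example. Module results below are constructed stand-ins, not real PAM
calls: pam_unix.so / pam_winbind.so succeed only with the right password,
pam_deny.so always fails, pam_env.so / pam_permit.so always succeed.
"""
from dataclasses import dataclass


@dataclass
class Module:
    control: str   # required | requisite | sufficient | optional
    name: str      # e.g. pam_unix.so
    args: str = ""


def parse_stack(text, facility="auth"):
    """Extract the entries of one facility from system-auth style text."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) < 3 or parts[0] != facility:
            continue
        stack.append(Module(parts[1].lower(), parts[2],
                            parts[3] if len(parts) > 3 else ""))
    return stack


def module_result(module, password_ok):
    """Constructed stand-in for each module's return code (True = PAM_SUCCESS)."""
    if module.name in ("pam_unix.so", "pam_winbind.so"):
        return password_ok
    if module.name == "pam_deny.so":
        return False
    return True   # pam_env.so, pam_permit.so


def evaluate(stack, password_ok):
    """Walk the stack with Linux-PAM's dispatch rules; return 'success' or 'denied'.

    impression: None = no verdict yet, True = positive, False = negative.
    """
    impression = None
    for m in stack:
        ok = module_result(m, password_ok)
        if m.control == "required":
            action = "ok" if ok else "bad"
        elif m.control == "requisite":
            action = "ok" if ok else "die"
        elif m.control == "sufficient":
            action = "done" if ok else "ignore"
        elif m.control == "optional":
            action = "ok" if ok else "ignore"
        else:
            raise ValueError(f"unsupported control flag {m.control!r}")

        if action in ("ok", "done"):
            if impression is None:
                impression = True          # first recorded verdict is positive
            if action == "done" and impression:
                break                      # sufficient success ends the stack
        elif action in ("bad", "die"):
            impression = False             # required/requisite failure is final
            if action == "die":
                break
        # "ignore": a failing sufficient/optional module leaves the verdict alone
    return "success" if impression else "denied"


def has_terminal_deny(stack):
    """Lint: a stack built from sufficient modules needs pam_deny.so at the end."""
    return bool(stack) and stack[-1].name == "pam_deny.so" \
        and stack[-1].control in ("required", "requisite")


# Auth lines reconstructed from the posts (constructed copies, rest of file omitted).
STACKS = {
    "original": """
auth required   pam_env.so
auth required   pam_unix.so try_first_pass likeauth nullok
auth optional   pam_permit.so
""",
    "modified": """
auth required   pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth optional   pam_permit.so
""",
    "fixed": """
auth required   pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required   pam_deny.so
""",
}


def outcomes(name):
    """(result with right password, result with wrong password, has terminal deny)."""
    stack = parse_stack(STACKS[name])
    return evaluate(stack, True), evaluate(stack, False), has_terminal_deny(stack)


if __name__ == "__main__":
    for name in STACKS:
        good, bad, lint = outcomes(name)
        print(f"{name:9s} right password: {good:8s} wrong password: {bad:8s} "
              f"terminal deny: {lint}")
```

Running it reproduces the thread: the original stack denies a wrong password because the required pam_unix failure is recorded; the modified stack grants it, since both sufficient modules fail silently and the only recorded verdict is pam_env's required success, which is positive (under these assumptions pam_permit is not even needed for that outcome); the fixed stack denies it because pam_deny turns the fall-through into a negative verdict, while a correct password still short-circuits at pam_unix or pam_winbind before pam_deny is reached. The `has_terminal_deny` check is the one-line lint a practitioner can run over a reconfigured auth stack before closing that spare root session.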

----------

## szaszka

Many thanks for the suggestion; after replacing the line "auth            optional        pam_permit.so" with "auth            required        pam_deny.so" everything works as it should.

Thank You again!

----------

