[Bug 1202141] New: YaST samba-client - AD joined VM - pam stack issues / winbind auth / console login / ssh login ...
http://bugzilla.opensuse.org/show_bug.cgi?id=1202141

Bug ID: 1202141
Summary: YaST samba-client - AD joined VM - pam stack issues / winbind auth / console login / ssh login ...
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: YaST2
Assignee: yast2-maintainers@suse.de
Reporter: rs.opensuse@spitzenpfeil.org
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---

Since 'samba-client' doesn't crash anymore on TW, I've managed to join our AD, enabled winbind auth, pam_mount ... (all of this works on Leap 15.2 / 15.4 with samba packages coming from "home:markusd:samba-fresh" 4.16.4-lp154.1.1).

After the motions with YaST samba-client I could not log on text consoles anymore, ssh login did not work anymore ... sddm login still works.

I then copied the whole contents of /etc/pam.d/ from a known good Leap 15.2 installation to my TW VM and everything works again.

When I have some more time, I'll diff the auto-created files that YaST spits out and maybe find something.

Related: https://bugzilla.opensuse.org/show_bug.cgi?id=1199734

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c1

--- Comment #1 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
Related: https://bugzilla.opensuse.org/show_bug.cgi?id=1200766

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c4

--- Comment #4 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
Created attachment 860613
  --> http://bugzilla.opensuse.org/attachment.cgi?id=860613&action=edit
y2log

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c5

--- Comment #5 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
Created attachment 860614
  --> http://bugzilla.opensuse.org/attachment.cgi?id=860614&action=edit
/etc/pam.d before running samba-client for AD join

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c6

--- Comment #6 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
Created attachment 860615
  --> http://bugzilla.opensuse.org/attachment.cgi?id=860615&action=edit
/etc/pam.d after running samba-client for AD join

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c9

--- Comment #9 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
/etc/pam.d/sshd did not exist before running yast samba-client.

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c10

--- Comment #10 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
/usr/etc/pam.d/sshd exists and is identical to yours.

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c11

--- Comment #11 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
It seems the files /etc/pam.d/login|xdm|sshd get created in a bad way.

    2022-08-04 18:13:15 <3> FQDN.de(1293) [bash] ShellCommand.cc(shellcommand):78 Cannot stat '/etc/pam.d/login': No such file or directory
    2022-08-04 18:13:15 <2> FQDN.de(1293) [Ruby] modules/Samba.rb(block in Write):923 pam-config failed for service login
    2022-08-04 18:13:15 <3> FQDN.de(1293) [bash] ShellCommand.cc(shellcommand):78 Cannot stat '/etc/pam.d/xdm': No such file or directory
    2022-08-04 18:13:15 <2> FQDN.de(1293) [Ruby] modules/Samba.rb(block in Write):923 pam-config failed for service xdm
    2022-08-04 18:13:15 <3> FQDN.de(1293) [bash] ShellCommand.cc(shellcommand):78 Cannot stat '/etc/pam.d/sshd': No such file or directory
    2022-08-04 18:13:15 <2> FQDN.de(1293) [Ruby] modules/Samba.rb(block in Write):923 pam-config failed for service sshd
    2022-08-04 18:13:15 <1> FQDN.de(1293) [Ruby] clients/samba-client.rb(main):172 Samba-client module finished

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c12

--- Comment #12 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
I copied /usr/etc/pam.d/sshd | login | xdm to /etc/pam.d/ and ran yast samba-client again. This time the files in /etc/pam.d/ get amended as needed. They are mostly identical to the ones created on 15.2 / 15.4 except some "systemd-user" stuff (one line).

However, auth via winbind still does not work.

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c13

--- Comment #13 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
Now testing with a fresh installation of Leap 15.4

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c14

--- Comment #14 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
The creation / modification of files in /etc/pam.d/ seems OK with Leap 15.4 (server template).

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c15

--- Comment #15 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
Leap 15.4 / 15.2 (and TW) work _after_ making a modification to the auto-generated /etc/samba/smb.conf file (as previously documented on here somewhere). I don't remember where I got these edits from anymore.

These edits are _the same_ for Leap 15.2 / 15.4 and TW.

I have to replace the section:

    [global]
    workgroup = ADS
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = No

    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
    idmap config ads : backend = rid
    idmap config ads : range = 20001-99999

    kerberos method = secrets and keytab
    realm = ADS.XXX.XXX
    security = ADS
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind refresh tickets = yes

with

    [global]
    workgroup = ADS
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = No

    idmap gid = 10000-20000
    idmap uid = 10000-20000

    kerberos method = secrets and keytab
    realm = ADS.XXX.XXX
    security = ADS
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind refresh tickets = yes

This may be related to our AD setup, but I can't make any comments on why.

getent passwd / group only shows local stuff. "id" shows correct group membership for AD users (after the mod).

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c16

--- Comment #16 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
I guess my comment 12 indicates that yast samba-client doesn't like /usr/etc/pam.d/ vs. /etc/pam.d/
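
The /etc/pam.d versus /usr/etc/pam.d situation from comments 9 to 16 can be checked per service with a small script. This is an added example, not part of the bug thread or of YaST; the function names are hypothetical, and it assumes a file in /etc/pam.d takes precedence over the one in /usr/etc/pam.d.

```shell
#!/bin/sh
# Added example (not from the bug thread): report where each PAM service file
# lives and whether it references pam_mount.so.
# Assumption: a file in /etc/pam.d takes precedence over /usr/etc/pam.d.

# pam_service_source ROOT SERVICE -> prints "etc", "vendor" or "missing"
pam_service_source() {
    if [ -f "$1/etc/pam.d/$2" ]; then
        echo etc
    elif [ -f "$1/usr/etc/pam.d/$2" ]; then
        echo vendor
    else
        echo missing
    fi
}

# pam_effective_file ROOT SERVICE -> path of the file in effect (empty if none)
pam_effective_file() {
    case $(pam_service_source "$1" "$2") in
        etc)    echo "$1/etc/pam.d/$2" ;;
        vendor) echo "$1/usr/etc/pam.d/$2" ;;
    esac
}

# pam_uses_module ROOT SERVICE MODULE -> exit 0 if a non-comment line of the
# effective file names MODULE (files pulled in via "include" are not followed)
pam_uses_module() {
    f=$(pam_effective_file "$1" "$2")
    [ -n "$f" ] && grep -v '^[[:space:]]*#' "$f" | grep -qF -- "$3"
}

# pam_audit ROOT SERVICE... -> one line per service
pam_audit() {
    root=$1; shift
    for svc in "$@"; do
        mnt=no
        pam_uses_module "$root" "$svc" pam_mount.so && mnt=yes
        echo "$svc source=$(pam_service_source "$root" "$svc") pam_mount=$mnt"
    done
}

# ROOT defaults to the live system; pass a directory to audit a copied tree.
pam_audit "${1:-}" login xdm sshd sddm
```

A `source=vendor` row is the state in which the log in comment 11 shows pam-config failing with "Cannot stat".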

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c19

--- Comment #19 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
Good to know that there is an explanation for this.

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c22

--- Comment #22 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
Much better now.

/etc/pam.d/sddm doesn't get the pam_mount.so entries, but they are copied from xdm easily enough.

/etc/pam.d/sshd gets the pam_mount.so entries as well, but mounting fails (cifs_mount failed w/return code = -13). I'll have to look into that some more.

For pam_winbind to correctly work with our domain setup, I still need a customized smb.conf

http://bugzilla.opensuse.org/show_bug.cgi?id=1202141#c23

--- Comment #23 from robert spitzenpfeil <rs.opensuse@spitzenpfeil.org> ---
I forgot about this... In my case sshd must be configured as such:

---
ChallengeResponseAuthentication no
UsePAM yes
---

Then pam_mount works with ssh logins.