I'm using Winbind to authenticate users to Active Directory. Everything is working perfectly when the usernames match. The problem is that many of the users have different usernames for Windows and Linux (grandfathered accounts and engineers are stubborn about change). For the most part I can get around this by giving openLDAP 2 unique UIDs to the same DN.
For example:
[bob.smith@myhost ~]$ ldapsearch -xLLL uid=bob
dn: uid=bob.smith,dc=example,dc=com
uid: bob.smith
uid: bob
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 4563
cn: Bob Smith
homeDirectory: /home/bob
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: 0
shadowExpire: 24837
sn: Smith
mail: [email protected]
gidNumber: 555
shadowLastChange: 17044
Now log in with the openLDAP password and run whoami:
[bob.smith@myhost bob]$ su - bob
Password:
Last login: Wed Sep 21 10:09:22 PDT 2016 on pts/3
[bob.smith@myhost ~]$ whoami
bob.smith
Check the user id:
[bob.smith@myhost ~]$ id bob
uid=4563(bob.smith) gid=555(AGROUP) groups=555(AGROUP),988(x2gouser),19775215(domain users)
Everything looks great, right? That is, until I try to log in as bob and not the Windows name of bob.smith and use the AD password (bob.smith can log in fine):
[bob.smith@myhost ~]$ su - bob
Password:
su: Authentication failure
As far as I can tell, PAM is configured correctly and, as I've shown before, the system acknowledges that user as bob.smith even when I log in as bob. But authentication doesn't see bob as a valid user:
[bob.smith@myhost ~]$ cat password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_ldap.so
session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
Here is my smb.conf file if it makes a difference:
[bob.smith@myhost ~]$ testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = EXAMPLE-USA
realm = EXAMPLE.COM
server string = Samba Server Version %v
security = ADS
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
max log size = 50
winbind use default domain = Yes
idmap config * : range = 16777216-33554431
idmap config * : backend = tdb
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No
If there is a fix on the Linux end, that would be preferable, as I'm not a Windows Domain Admin. But if someone has a solution from the Windows side, I'm willing to explore that option. If there are no valid solutions, then I'll look into syncing the openLDAP password with the AD password. It would essentially be the same as an end result.
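Added example (my own code, not from the question): a small walker for the auth phase of the password-auth stack posted above, applying the control-flag semantics from pam.conf(5), which makes it clear that the stack itself fails closed through pam_deny as soon as no sufficient module accepts the name exactly as typed. The per-module return values for the two su attempts are assumptions I have labelled in the code, not something the post verifies.

```python
import re

# Auth phase of the password-auth stack posted in the question (embedded as constructed input).
AUTH_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
auth required pam_deny.so
"""
# Keyword controls expanded to the [value=action ...] form documented in pam.conf(5).
KEYWORDS = {"required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
            "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
            "sufficient": "success=done new_authtok_reqd=done default=ignore",
            "optional": "success=ok new_authtok_reqd=ok default=ignore"}

def parse_stack(text, phase):
    """Return [(module, {return_value: action})] for one phase (auth, account, ...)."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.strip())
        if not m or m.group(1) != phase:
            continue
        control = KEYWORDS.get(m.group(2), m.group(2).strip("[]"))
        stack.append((m.group(3), dict(tok.split("=", 1) for tok in control.split())))
    return stack

def run_stack(stack, outcomes):
    """Walk the stack with Linux-PAM's ok/bad/die/done/ignore semantics; modules not
    listed in `outcomes` are assumed to return auth_err. Returns the stack's result."""
    failure, succeeded = None, False
    for module, actions in stack:
        rv = outcomes.get(module, "auth_err")
        action = actions.get(rv, actions.get("default", "bad"))
        if action == "ok":
            succeeded = failure is None
        elif action in ("bad", "die"):
            failure = failure or rv
            if action == "die":
                break
        elif action == "done":
            succeeded = failure is None
            break
    return failure or ("success" if succeeded else "perm_denied")

# Assumed per-module outcomes (constructed, not verified) for the two su attempts in the question.
AS_BOB_SMITH = {"pam_env.so": "success", "pam_succeed_if.so": "success",
                "pam_winbind.so": "success"}
AS_BOB = {**AS_BOB_SMITH, "pam_winbind.so": "user_unknown"}  # winbindd knows no AD user "bob"
```

With these assumptions, run_stack(parse_stack(AUTH_STACK, "auth"), AS_BOB_SMITH) stops at the sufficient pam_winbind line with success, while AS_BOB falls through every sufficient line and returns auth_err from the required pam_deny.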