I am attempting to join a new Fedora 17 x86_64 machine to a Windows Server 2008 R2 Active Directory. I used the system-config-authentication module to set up winbind and that seemed to work correctly. I ran 'net ads join' and that worked as well. wbinfo -u gets the users and wbinfo -g gets the groups. wbinfo -a user%pass returns correctly as well. However, getent passwd and getent groups do not return any of the AD users or groups. If I try to log in using the user/pass that worked with wbinfo, it fails. Looking at /usr/log/secure, it seems PAM is only looking at the local Unix users and completely ignoring winbind. Below are excerpts from nsswitch.conf and smb.conf, the complete password-auth and system-auth files, and an excerpt from /var/log/secure when trying to log in. I don't know PAM very well, so I'm expecting the problem is in that config. It's just what the authentication module set up. I tried tweaking it to no avail and set it back to what it was originally.
nsswitch.conf
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files winbind
shadow: files winbind
group: files winbind
#initgroups: files
#hosts: db files nisplus nis dns
hosts: files dns
smb.conf
[global]
workgroup = [DOMAIN]
password server = [SERVERS]
realm = [REALM]
security = ads
idmap config [DOMAIN]:backend = rid
idmap config [DOMAIN]:base_rid = 1000
idmap config [DOMAIN]:range = 1000 - 1000000
#idmap uid = 16777216-33554431
#idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
#account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account sufficient pam_winbind.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
/var/log/secure
Jun 29 08:21:48 AC212-13-Fedora login: pam_unix(login:auth): check pass; user unknown
Jun 29 08:21:48 AC212-13-Fedora login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Jun 29 08:21:50 AC212-13-Fedora login: FAILED LOGIN 1 FROM tty2 FOR (unknown), User not known to the underlying authentication module
Jun 29 08:33:24 AC212-13-Fedora login: pam_unix(login:auth): check pass; user unknown
Jun 29 08:33:24 AC212-13-Fedora login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Jun 29 08:33:27 AC212-13-Fedora login: FAILED LOGIN 1 FROM tty2 FOR (unknown), User not known to the underlying authentication module
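
Added illustration, not part of the original post: a simplified Python model of how the keyword control flags route the auth stack shown in password-auth above, and which modules are reached. The module outcomes fed in are constructed inputs, and the "unresolved" case assumes pam_succeed_if cannot evaluate uid >= 1000 for an account that getent passwd does not return.

```python
# Added example: simplified model of how libpam routes one module stack.
# Only the keyword controls are modelled; bracketed [value=action] controls are not.
AUTH_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
"""

def parse_stack(text, mtype="auth"):
    """Return [(control, module)] for the non-comment lines of one type."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].lstrip("-") == mtype:
            entries.append((fields[1], fields[2]))
    return entries

def walk(entries, outcomes):
    """Return (granted, modules_reached); outcomes maps module -> success bool."""
    reached, failed, passed = [], False, False
    for control, module in entries:
        reached.append(module)
        ok = outcomes[module]
        if control == "sufficient":
            if ok and not failed:
                return True, reached      # success here ends the stack
            continue                      # a sufficient failure is ignored
        if control in ("required", "requisite"):
            if ok:
                passed = True
            else:
                failed = True
                if control == "requisite":
                    return False, reached  # failure here ends the stack at once
        # "optional" results are ignored in this simplified model
    return passed and not failed, reached

# Constructed scenarios for an AD account with a correct password.
BASE = {"pam_env.so": True, "pam_unix.so": False, "pam_deny.so": False}
# Assumption: pam_succeed_if fails when NSS cannot supply the account's uid.
UNRESOLVED = dict(BASE, **{"pam_succeed_if.so": False, "pam_winbind.so": True})
RESOLVED = dict(BASE, **{"pam_succeed_if.so": True, "pam_winbind.so": True})

if __name__ == "__main__":
    stack = parse_stack(AUTH_STACK)
    for name, outcomes in (("uid not resolvable", UNRESOLVED), ("uid resolvable", RESOLVED)):
        granted, reached = walk(stack, outcomes)
        print(f"{name}: granted={granted} reached={reached}")
```

In the unresolved case the walk stops at the requisite pam_succeed_if line, so pam_winbind is never called even though the password is correct.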