BelgianITGuy (Belgium) asked:
1 user can't login to linux server using domain password. Other users have no problem.

I have a Zentyal server where all my users are defined (17 users).
This server is used to validate the user passwords from our Zimbra server, our intranet application (a custom-developed PHP application doing authentication using LDAP calls), and we have 2 Linux application servers that also validate the passwords using Samba against our Zentyal server.

This works perfectly for 16 users.
For the 17th user (let's call him Norbert), everything works perfectly (Zimbra login, intranet login, login on 1 of our application servers) EXCEPT logging in on our second application server.

Note: this is not the last user created on Zentyal, he has been working for this company for over 8 years, several other colleagues created after him have no problem connecting to this server.

On server2:
If I do an "id -u anyusername" for any of the 16 other users, I get an id back.
If I do an "id -u norbert" I get: "id: norbert: no such user"
If I do the same on server1: no problem, not with norbert, not with anyone.

The Samba config files for application servers 1 and 2 are identical.
And, again, everything works FINE for ALL OTHER users.

If I try (from another machine) ssh -l norbert server2
I get the question norbert@server2 password:
Upon entering THE CORRECT password, I get "Permission denied, please try again"

If I do ssh -l norbert server1 and enter the same password, I have no problem.

If I do ssh -l <anyotheruser> server2:  no problems.

Additional info 1: I have set SELinux to permissive (with setenforce 0 and then getenforce to check), but this didn't help.

Additional info 2: I have created a new user norbert2 on my Zentyal server, with the same password as norbert (just to rule out problems with that), and I could log in over ssh to server2 without any problems.
It seems that norbert got 'blacklisted' on server2 somewhere, but I have no clue where or how...

Does anyone have any idea how to start fixing this?
BelgianITGuy (asker) added:
more info:

server2 = Redhat Enterprise Linux

/var/log/secure entry for ssh connection with user norbert:
Sep 21 12:31:24 server2 sshd[4725]: Invalid user norbert from 10.31.13.101 port 37620
Sep 21 12:31:24 server2 sshd[4725]: input_userauth_request: invalid user norbert [preauth]
Sep 21 12:31:53 server2 sshd[4725]: pam_unix(sshd:auth): check pass; user unknown
Sep 21 12:31:53 server2 sshd[4725]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.31.13.101
Sep 21 12:31:55 server2 sshd[4725]: Failed password for invalid user norbert from 10.31.13.101 port 37620 ssh2
Sep 21 12:32:22 server2 sshd[4725]: Failed password for invalid user norbert from 10.31.13.101 port 37620 ssh2
Sep 21 12:32:22 server2 sshd[4725]: Failed password for invalid user norbert from 10.31.13.101 port 37620 ssh2
Sep 21 12:32:22 server2 sshd[4725]: Connection closed by 10.31.13.101 port 37620 [preauth]

/var/log/secure entries for a successful ssh session of user patrick:

Sep 21 12:50:13 server2 sshd[6155]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.31.13.101  user=patrick
Sep 21 12:50:13 server2 sshd[6155]: pam_winbind(sshd:auth): getting password (0x00000210)
Sep 21 12:50:13 server2 sshd[6155]: pam_winbind(sshd:auth): pam_get_item returned a password
Sep 21 12:50:13 server2 sshd[6155]: pam_winbind(sshd:auth): user 'patrick' granted access
Sep 21 12:50:13 server2 sshd[6155]: pam_winbind(sshd:account): user 'patrick' granted access
Sep 21 12:50:13 server2 sshd[6155]: Accepted password for patrick from 10.31.13.101 port 37922 ssh2
Sep 21 12:50:13 server2 sshd[6155]: pam_unix(sshd:session): session opened for user patrick by (uid=0)
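The two log excerpts above differ in one decisive way: Norbert's session never reaches pam_winbind, because sshd already logged "Invalid user", meaning the account did not resolve through NSS on server2 and the domain password was never tested. The script below is an added example (not from the thread) that triages a /var/log/secure excerpt for one sshd session into "account unknown to the host" versus "account known, password rejected"; the sample lines are constructed after the ones posted above.

```shell
#!/bin/sh
# Added example, not from the thread: triage a /var/log/secure excerpt for a
# single sshd session. "Invalid user" / "check pass; user unknown" means NSS
# (here: winbind) could not resolve the account, so no domain password check
# happened at all. That is a name-lookup problem, not a credential problem.

# sshd_auth_outcome FILE -> prints exactly one of:
#   success             sshd accepted the password
#   nss-lookup-failure  account unknown to the host (no winbind check happened)
#   credential-failure  account resolved, but the password was rejected
#   unknown             none of the patterns matched
sshd_auth_outcome() {
    if grep -q 'Accepted password for' "$1"; then
        echo success
    elif grep -Eq 'Invalid user |check pass; user unknown' "$1"; then
        echo nss-lookup-failure
    elif grep -Eq 'Failed password for [^ ]+ from|pam_winbind.*denied' "$1"; then
        echo credential-failure
    else
        echo unknown
    fi
}

# sample_secure_log NAME -> constructed log lines modelled on the thread
# (hostnames, addresses and PIDs are made up)
sample_secure_log() {
    case "$1" in
    norbert) cat <<'EOF'
Sep 21 12:31:24 server2 sshd[4725]: Invalid user norbert from 10.31.13.101 port 37620
Sep 21 12:31:53 server2 sshd[4725]: pam_unix(sshd:auth): check pass; user unknown
Sep 21 12:31:55 server2 sshd[4725]: Failed password for invalid user norbert from 10.31.13.101 port 37620 ssh2
EOF
    ;;
    patrick) cat <<'EOF'
Sep 21 12:50:13 server2 sshd[6155]: pam_winbind(sshd:auth): user 'patrick' granted access
Sep 21 12:50:13 server2 sshd[6155]: Accepted password for patrick from 10.31.13.101 port 37922 ssh2
EOF
    ;;
    badpass) cat <<'EOF'
Sep 21 12:55:02 server2 sshd[6301]: pam_winbind(sshd:auth): user 'patrick' denied access (incorrect password or invalid membership)
Sep 21 12:55:04 server2 sshd[6301]: Failed password for patrick from 10.31.13.101 port 38001 ssh2
EOF
    ;;
    esac
}

# Stand-alone demo: classify each constructed sample.
for who in norbert patrick badpass; do
    f=$(mktemp); sample_secure_log "$who" > "$f"
    printf '%-8s %s\n' "$who" "$(sshd_auth_outcome "$f")"
    rm -f "$f"
done
```

Run against a real excerpt with `sshd_auth_outcome /path/to/excerpt`; an `nss-lookup-failure` result points at `getent passwd`/`wbinfo` on the host, not at the user's password.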
arnold replied:
If 1 of 16 does not work, compare AD membership of Norbert versus others.
Look at /etc/passwd to see whether Norbert is there and the others are not.
The distinction of using an AD password suggests there is an option for a non-AD password.

Try distinguishing Norbert local from AD by using addomain\norbert as the username and see if that makes a difference.
Check smb.conf to see whether the realm/AD domain is presumed.......
In such a case the AD will be tested as a fall-through authentication.

Note, Norbert auths using pam_unix, while Patrick checks with pam_winbind first.
Also check /etc/shadow for references to Norbert.
Hi Arnold,

thanks for your replies.

I have checked both /etc/passwd and /etc/shadow: neither has any reference to norbert in it (nor any other of our users).

ssh -l [domainname]\norbert [servername] didn't make a difference, still the same "Permission denied, please try again." error message.

"Note, Norbert auths using pam_unix, while Patrick checks with pam_winbind first." -> I have no idea how to change this....

Norbert is defined in the same way as our other users and has the same group memberships (and logging in with user Norbert is no problem whatsoever on our other servers, so it has to be something specific to server2).
Do you have a single LDAP server, or are there two for redundancy?
Check smb.conf to which...
Check wbinfo -u | egrep -i 'norbert'

Run the above on both systems....
See if you get different responses.
If one has the user while the other does not and you have two, resetting the nscd cache might be needed......
Hi Arnold,

you might be on the right track:

I did a wbinfo -u |egrep -i 'norbert' on server 1 and got back [domainname]\norbert
I did the same command on server 2 and got back norbert (without the domainname and the backslash).

I then did a wbinfo -u (without the grep) and received a list of all our users, but
on server 2 there was no preceding domainname (on server1 it did show [domainname]\ before each username)
AND on server 2 I got back more usernames: it also returned the names of a couple of interns who were here for 3 months earlier this year. These names were not shown on server 1.

So somewhere there is stuff in some cache that needs to be cleared.

I can do a full system reboot on monday morning before anyone arrives at work, maybe this will flush the caches?

If you have any more info or suggestions I'd greatly appreciate it.
I forgot to mention: we have 1 LDAP server.
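The comparison described above (one host prefixing every name with DOMAIN\, the other not, and the second host listing long-gone accounts) is the fingerprint of a stale winbind cache. The script below is an added example, not from the thread, that takes saved `wbinfo -u` output from two hosts, reports the prefix style of each, and diffs the bare, lowercased names so that the prefix difference does not mask the real list difference; the hostnames, domain name and user lists are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: compare saved `wbinfo -u` output from
# two hosts. The prefix style ("DOMAIN\user" vs "user") and the set of names
# are checked separately, because a naive diff would flag every line when
# only one host prints the domain prefix.

# prefix_style FILE -> all | none | mixed : do entries carry a DOMAIN\ prefix?
prefix_style() {
    total=$(grep -c . "$1" || true)
    with=$(grep -c '\\' "$1" || true)
    if [ "$with" -eq "$total" ]; then echo all
    elif [ "$with" -eq 0 ]; then echo none
    else echo mixed; fi
}

# bare_users FILE -> sorted, unique, lowercased names with any DOMAIN\ removed
bare_users() {
    sed 's/^.*\\//' "$1" | tr 'A-Z' 'a-z' | sort -u
}

# only_on HOSTFILE OTHERFILE -> names present in HOSTFILE but not in OTHERFILE
only_on() {
    a=$(mktemp); b=$(mktemp)
    bare_users "$1" > "$a"; bare_users "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# sample_wbinfo HOST -> constructed output modelled on the thread: server1
# prefixes names, server2 does not and still lists two former interns.
sample_wbinfo() {
    case "$1" in
    server1) printf '%s\n' 'EXAMPLE\patrick' 'EXAMPLE\norbert' 'EXAMPLE\anna' ;;
    server2) printf '%s\n' 'patrick' 'norbert' 'anna' 'intern1' 'intern2' ;;
    esac
}

# Stand-alone demo on the constructed samples.
s1=$(mktemp); s2=$(mktemp)
sample_wbinfo server1 > "$s1"; sample_wbinfo server2 > "$s2"
echo "server1 prefix: $(prefix_style "$s1"), server2 prefix: $(prefix_style "$s2")"
echo "only on server2 (stale cache entries?):"; only_on "$s2" "$s1"
echo "only on server1:"; only_on "$s1" "$s2"
rm -f "$s1" "$s2"
```

With real data, capture `wbinfo -u > server1.txt` on each host and call `only_on server2.txt server1.txt`; names that appear on only one host should disappear after winbind is restarted, which is what the thread's fix produced.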
Your smb.conf is configured differently.
On server 2 the realm, yourdomain is presumed, while on server 1 it is not.

The issue though, it still should behave similarly.

Do you set userid, groupid in the LDAP server?
Are all users in the same grouping?
Nscd is one that caches, double check what you are running on server....
Nlscd or something similar.
All you need is service/systemctl stop nscd
And see if wbinfo changes the number of users it returns....
There is no nscd on that server (RHEL 7.4), I did try something else:
I did a 'sudo service winbind restart', and now the wbinfo -u command on both systems returns exactly the same list (including domain name and backslash).

It seems to work now. Thank you very much for your help.