
Linux login problems...

Participant III
Posts: 7
Registered: ‎04-05-2017
#1 of 7 1,237

Linux login problems...

Hello,

 

Running Linux Mint 17.3 on a test system here. I'm trying out Centrify because of problems getting Likewise/PBIS Open to work, but I seem to be having similar problems. Basically when I am in the login screen now, all the AD users are visible, but if I try to login as one of them, it fails.

 

I've installed from the centrify-suite-2017-deb7-x86_64.tgz file, since that seemed to most closely match the 64 bit Mint I'm running.

 

adinfo responds with:

 

Local host name: xxxxx
Joined to domain: xxxxx
Joined as: xxxxx
Pre-win2K name: xxxxx
Current DC: xxxxx
Preferred site: Default-First-Site-Name
Zone: Auto Zone
Last password set: 2017-04-05 16:41:59 BST
CentrifyDC mode: connected
Licensed Features: Disabled

 

using adinfo -A --user <user ID> results in the message that the password is correct, so it is obviously able to successfully communicate with the DC.

 

What I have noticed on auth.log is that the following message turns up when I try to login as an AD user:

 

Apr 6 02:40:34 xxxx login[7183]: pam_unix(login:auth): authentication failure; logname=paul uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=paul.d

 

So, "paul" is the user I am logged in as, before doing a "sudo login" and "paul.d" is the active directory user I am attempting to log in as.

 

Hopefully someone has some ideas as to where I am going wrong!

 

Thanks,

 

Paul.

Centrify Guru I
Posts: 1,790
Registered: ‎07-26-2012
#2 of 7 1,233

Re: Linux login problems...


@PaulD16796,

 

Welcome to the Centrify forums.

 

Sanity checks:

- Check if paul exists in /etc/passwd (grep paul /etc/passwd)  - ideally should not exist, but does not matter because of the next test.

- Check the order of /etc/nsswitch.conf: for the passwd directive, centrifydc should come before files or compat

- Check to make sure that no traces of PBIS exist, should not matter either, but ideally we would not be competing.

 

Testing

- Check the user status  (sudo adquery user -A paul |  grep account), ideally the output is:

 

accountExpires: Never
accountLocked: false
accountDisabled: false

- Use switch user to isolate issues with SSH  (su - paul)

 

You should be challenged for Paul's password and, if all is well, you are able to switch. This proves nothing is wrong with the NSS stack (su is NSS-enabled); now let's move on to SSH connectivity.

- Attempt to log in via SSH  (e.g. ssh paul@system.name)

If all is well, you should be able to log in. If not, then the issue is with SSH and you must debug (see below).

- Attempt to log in via GUI

In GUI mode, attempt to log in with Paul.  Monitor the results.  If everything works with su and SSH and the GUI fails, look for the PAM configuration for the GUI (perhaps a reboot hasn't been done since the installation?).

 

 

Appendix:

How to debug Centrify and OpenSSH at the same time, just in case you have to submit for inspection.

  1. Turn ON centrify debug by running "/usr/share/centrifydc/bin/addebug on".
  2. Next run "<path_to_sshd>/sshd -ddde -p 2222" to start the SSHD server in the foreground with verbosity turned on.
  3. From the ssh client, connect to the SSH server on port 2222, "ssh -p 2222 -vvv <hostname>" and try to authenticate.
  4. Please paste the output from the SSH server foreground session for analysis.
  5. Now turn OFF Centrify debug "/usr/share/centrifydc/bin/addebug off"
  6. The information collected will be in /var/log/centrifydc.log
  7. Collect the system diagnostics information by running "sudo adinfo --support"
  8. The file with the debug information will be in /var/centrify/tmp/adinfo_support.tar
Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
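
Two of the checks from the reply above, scripted as an added example (not part of the original posts and not Centrify's own tooling): the passwd source order in /etc/nsswitch.conf, and which PAM module logged the failure in auth.log. The function names and the sample nsswitch.conf content are constructed for illustration; the auth.log line is the one quoted in the first post.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample nsswitch data is constructed.

# Print ok / late / missing for the position of centrifydc relative to
# files or compat on the passwd line of the given nsswitch.conf file.
passwd_source_order() {
    awk '
        $1 == "passwd:" {
            found = 1; c = 0; l = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "centrifydc" && !c) c = i
                if (($i == "files" || $i == "compat") && !l) l = i
            }
            if (!c) print "missing"            # centrifydc not listed at all
            else if (l && l < c) print "late"  # local source is consulted first
            else print "ok"
            exit
        }
        END { if (!found) print "missing" }    # no passwd line in the file
    ' "$1"
}

# Read auth.log lines on stdin; for each PAM authentication failure print
# "<module> <service> <user>" to show which module logged the rejection.
pam_failure_summary() {
    sed -n 's/.*\(pam_[a-z0-9_]*\)(\([^:)]*\):auth): authentication failure;.* user=\([^ ]*\).*/\1 \2 \3/p'
}

# Constructed nsswitch.conf with the local source listed first.
sample=$(mktemp)
printf 'passwd: compat centrifydc\ngroup: centrifydc compat\n' > "$sample"
echo "passwd order: $(passwd_source_order "$sample")"
rm -f "$sample"

# The auth.log line quoted in the first post of this thread.
echo 'Apr 6 02:40:34 xxxx login[7183]: pam_unix(login:auth): authentication failure; logname=paul uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=paul.d' \
    | pam_failure_summary
```

On a live system, point the first function at /etc/nsswitch.conf and pipe /var/log/auth.log into the second.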
Participant III
Posts: 7
Registered: ‎04-05-2017
#3 of 7 1,229

Re: Linux login problems...

Hello!

 

Thanks very much for your very quick reply.

 

Yes, paul, the local user, exists in /etc/passwd, but paul.d, the AD user does not. I think you have the two users muddled up :-)

 

The adquery on paul.d results in:

 

   accountExpires:Never
   accountLocked:false
   accountDisabled:false

 

So, that all looks good.

 

The su - paul.d resulted in:

 

   No directory, logging in with HOME=/

 

This is VERY encouraging :-)

 

ssh -l paul.d localhost results in repeated requests for the password.

 

A reboot has definitely been done since the installation. Now you mention PAM configuration, and also state that it is specific to the GUI, so does that mean that there are two problems - one stopping the ssh from working and the other preventing logins from the GUI?

 

Thanks again for your help - really pleasing to see su - working.

 

Paul.

Centrify Guru I
Posts: 1,790
Registered: ‎07-26-2012
#4 of 7 1,222

Re: Linux login problems...

There's definitely an issue with your PAM configuration.  

The results of the su - paul.d should have been that the home directory is created.

 

This tells me that for some reason, the session PAM module could not create the folder.

 

If you do a debug (SSH and Centrify) you'll definitely be able to pinpoint the issue.   It would be nice to know if another system acts the same way.

Participant III
Posts: 7
Registered: ‎04-05-2017
#5 of 7 1,219

Re: Linux login problems...

Hi,

 

So I have been looking at the PAM configuration files for sshd and mdm (which I think is the Display Manager that Mint Mate uses). Can't see anything obvious. Do you have a working PAM config file that you could share, and the important parts of it?

 

Thanks!

 

Paul.

Participant III
Posts: 7
Registered: ‎04-05-2017
#6 of 7 1,217

Re: Linux login problems...

Morning again!

 

I found this post:

 

   http://community.centrify.com/t5/Suggestions-or-Ideas-Centrify/Use-pam-auth-update-to-install-PAM-mo...

 

And made a file called "centrify" in /etc/pam.d and then did the "pam-auth-update --package" command as suggested, and said "no" to override local files, which I think is the correct answer.

 

I then rebooted and attempted to login as an AD user, which once again failed. When trying to login from the GUI (MDM), it specifically says "incorrect password". Which makes me wonder if the MDM is properly making the connection with centrify, since the adinfo -A --user thing proves that the password I am using is correct on the AD.

 

The centrify debug logging seems to spew out a LOT of lines, would you like some posted here?

 

Thanks!

 

Paul.

Centrify Guru I
Posts: 1,790
Registered: ‎07-26-2012
#7 of 7 1,215

Re: Linux login problems...

I'm not sure about that suggestion you read. 

Your system should just work.

I am in transit; perhaps another community volunteer reading this can help.

 

Note that if you're a commercial organization looking at the full Centrify product, you get SLA-based support.

 

 
