ms mapper - error during login " User not known to the underlying authentication module"

ms mapper - error during login " User not known to the underlying authentication module"

Jan Friedl
Hi all,

I am trying to log in with a smartcard to Active Directory; pklogin_finder finds the user. Login via username and password works correctly.
When I try smartcard login, I get "User not known to the underlying authentication module".

I don't know if the mistake is in MS MAPPER, because it finds and verifies the user but returns only the login USERNAME. I think the mapper should return DOMAIN@LOGIN, because I'm not able (I don't know how) to define the DOMAIN in another pam module (configuration).

Please, can somebody help me?

Here is my configuration:
--------------pam_pkcs11---------------------------
mapper ms {
        debug = true;
        module = internal;
        # module = ${exec_prefix}/lib/pam_pkcs11/ms_mapper.so;
        ignorecase = false;
        ignoredomain = false;
        domainname = "DOMAIN.COM";
}

---------------smb.conf--------------------------
[global]
        workgroup = DOMAIN
        password server = 192.168.1.1
        realm = DOMAIN.COM
        security = ADS
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        template homedir = /home/%D/%U
        template shell = /bin/bash
        usershare allow guests = No
        winbind refresh tickets = yes
        winbind enum users = yes
        winbind enum groups = yes

-----------------krb5.conf------------------------
[libdefaults]
        default_realm = DOMAIN.COM
        clockskew = 300
[realms]
 DOMAIN.COM = {
        kdc = SERVER.DOMAIN.COM
        default_domain = domain.com
        admin_server = server.domain.com
}
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]
        .domain.com =  DOMAIN.COM
        domain.com =  DOMAIN.COM
[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        clockskew = 300
        external = sshd
        use_shmem = sshd
}

--------------pam common-auth---------------------------
auth    required        pam_env.so
auth    sufficient      pam_pkcs11.so   debug
auth    optional        pam_gnome_keyring.so
auth    sufficient      pam_unix2.so    debug
auth    required        pam_winbind.so  debug use_first_pass

--------------pam common-auth---------------------------
account requisite       pam_unix2.so    debug
account requisite       pam_krb5.so     debug use_first_pass ignore_unknown_principals
account sufficient      pam_localuser.so debug
account required        pam_winbind.so  debug use_first_pass

--------------/var/log/messages---------------------------
Aug  4 13:59:38  pcscd: last message repeated 4 times
Aug  4 13:59:38 pc311 login[16981]: pam_unix2(login:account): pam_sm_acct_mgmt() called
Aug  4 13:59:38 pc311 login[16981]: pam_unix2(login:account): username=[friedl]
Aug  4 13:59:38 pc311 login[16981]: pam_unix2(login:account): Cannot find passwd entry for friedl
Aug  4 13:59:38 pc311 login[16981]: User not known to the underlying authentication module


In the log you can see that the username is only "friedl". When I log in via username and password, the username is "[hidden email]".

Do you see my mistake there?

Thanks for your reply.
Jan Friedl
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: ms mapper - error during login " User not known to the underlying authentication module"

Jan Friedl
Hi all,

I found the main problem!!

I forgot the parameter "winbind use default domain = yes" in /etc/samba/smb.conf.

The problem was in the user list: when I enter "getent passwd", the AD users were in the format DOMAIN/USER.

The listed parameter changes the format to the required "USER".

Hoznik
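An added example, not code from the thread or from pam_pkcs11/Samba: a small Python check that parses the [global] section of an smb.conf like the one quoted above and works out which name form winbind publishes through NSS, so the bare login name the ms mapper returns can be compared against what `getent passwd` will show before the account stack runs. SMB_CONF_BEFORE and SMB_CONF_AFTER are constructed samples modelled on the poster's configuration.

```python
import re

# Constructed sample modelled on the smb.conf quoted in the thread: no
# "winbind use default domain" line, which is what caused the failure.
SMB_CONF_BEFORE = """[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        security = ADS
        winbind enum users = yes
"""
# The fix the poster found, appended to the same [global] section.
SMB_CONF_AFTER = SMB_CONF_BEFORE + "        winbind use default domain = yes\n"


def parse_smb_global(text):
    """Return the [global] section as a dict. Keys are lowercased with
    collapsed whitespace, which is how Samba matches parameter names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def samba_bool(value):
    return value.strip().lower() in ("yes", "true", "1")


def winbind_nss_name(user, smb_conf_text):
    """Name form winbind publishes through NSS (what `getent passwd` shows)
    for a domain user: bare USER only when 'winbind use default domain'
    is enabled, otherwise WORKGROUP<separator>USER (separator is '\\' by
    default, overridable via 'winbind separator')."""
    g = parse_smb_global(smb_conf_text)
    if samba_bool(g.get("winbind use default domain", "no")):
        return user
    return f"{g.get('workgroup', '')}{g.get('winbind separator', chr(92))}{user}"


def check_mapper_vs_nss(mapper_user, smb_conf_text):
    """The ms mapper hands back the bare login name from the certificate;
    the account modules then look that name up through NSS. Returns
    (ok, nss_name); ok is False when the two forms cannot match."""
    nss_name = winbind_nss_name(mapper_user, smb_conf_text)
    return nss_name == mapper_user, nss_name
```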