Ubuntu – Ubuntu 12.04 // Likewise Open // Unable to ever authenticate AD users


So Ubuntu 12.04, Likewise latest from the beyondtrust website.

  • Joins domain fine.
  • Gets proper information from lw-get-status.
  • Can use lw-find-user-by-name to retrieve/locate users.
  • Can use lw-enum-users to get all users.

Attempting to login with an AD user via SSH generates the following errors in the auth.log file:

Nov 28 19:15:45 hostname sshd[2745]: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Nov 28 19:15:45 hostname sshd[2745]: PAM adding faulty module: pam_winbind.so
Nov 28 19:15:51 hostname sshd[2745]: error: PAM: Authentication service cannot retrieve authentication info for DOMAIN\\user.name from remote.hostname
Nov 28 19:16:06 hostname sshd[2745]: Connection closed by 10.1.1.84 [preauth]

Attempting to login via the LightDM itself generates similar errors in the auth.log file.

Nov 28 19:19:29 hostname lightdm: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Nov 28 19:19:29 hostname lightdm: PAM adding faulty module: pam_winbind.so
Nov 28 19:19:47 hostname lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "DOMAIN\user.name"
Nov 28 19:19:52 hostname lightdm: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:DOMAIN\user.name][error code:40022]
Nov 28 19:19:54 hostname lightdm: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Nov 28 19:19:54 hostname lightdm: PAM adding faulty module: pam_winbind.so

Attempting to login via a console on the system itself generates slightly different errors:

Nov 28 19:31:09 hostname login[997]: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Nov 28 19:31:09 hostname login[997]: PAM adding faulty module: pam_winbind.so
Nov 28 19:31:11 hostname login[997]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:DOMAIN\user.name][error code:40022]
Nov 28 19:31:14 hostname login[997]: FAILED LOGIN (1) on '/dev/tty2' FOR 'DOMAIN\user.name', Authentication service cannot retrieve authentication info
Nov 28 19:31:31 hostname login[997]: FAILED LOGIN (2) on '/dev/tty2' FOR 'DOMAIN\user.name', Authentication service cannot retrieve authentication info

I am baffled. The errors obviously are correct: the file /lib/security/pam_winbind.so does not exist. If it's a dependency/required, surely it should be part of the package? I've installed/reinstalled, I've used the downloaded package from the beyondtrust website, I've used the repository, and nothing seems to work; every method of installing this application generates the same errors for me.


UPDATE :
Hrmm, I thought likewise didn't use native winbind but its own modules.

Installing winbind from apt-get uninstalls pbis-open (likewise) and generates failures when installing if pbis-open is installed first.

Uninstalled winbind, reinstalled pbis-open, same issue as above. The file pam_winbind.so does not exist in that location.

Setting up pbis-open-legacy (7.0.1.918) ...
Installing Packages was successful

This computer is joined to DOMAIN.LOCAL

New libraries and configurations have been installed for PAM and NSS.

Clearly it thinks it has installed it, but it hasn't. It may be a legacy issue with the previous attempt to configure domain integration manually with winbind.

Does anyone have a working likewise-open installation and does the /etc/nsswitch.conf include references to winbind?

Or do the /etc/pam.d/common-account or /etc/pam.d/common-password reference pam_winbind.so? I'm unsure if those entries are just legacy or set up by likewise.

UPDATE 2 :

Complete reinstall of OS fixed it and it worked seamlessly, like it was meant to, and those 2 PAM files did NOT include entries for pam_winbind.so, so that was the underlying problem.

Thanks for the assist.

Best Answer

I see the post is old, but maybe it's worth answering for others.

Likewise doesn't work with winbind (they refresh their krb5 ticket), you have to choose only one of them :/

After installing pbis you have to run:

  • domainjoin-cli to join the AD
  • pam-auth-update to update PAM config
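
The failure in this thread came from PAM rules that still named pam_winbind.so after winbind was gone. The following is an added example, not part of the original question or answer: a shell function that lists every rule in a pam.d directory whose module file cannot be found. The function names, the fixture contents and the directory layout are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): report PAM rules whose module
# file is missing, e.g. a leftover pam_winbind.so line after removing winbind.
# Usage: find_missing_pam_modules PAM_DIR MODULE_DIR [MODULE_DIR...]
find_missing_pam_modules() {
    pam_dir=$1; shift
    for conf in "$pam_dir"/*; do
        [ -f "$conf" ] || continue
        # Rule syntax: type control module [args]; control may be a
        # bracketed "[a=b c=d]" list spanning several fields.
        awk '{ sub(/#.*/, "") }
             NF < 3 { next }            # blanks, comments, @include lines
             { i = 2
               if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
               if (i < NF) print NR, $(i + 1) }' "$conf" |
        while read -r lineno module; do
            found=no
            case $module in
                /*) if [ -e "$module" ]; then found=yes; fi ;;
                *)  for dir in "$@"; do
                        if [ -e "$dir/$module" ]; then found=yes; fi
                    done ;;
            esac
            if [ "$found" = no ]; then echo "$conf:$lineno: $module"; fi
        done
    done
}

# Constructed fixture: a fake module directory and a common-account file
# that still carries a winbind rule. Contents are made up for illustration.
make_sample() {
    mkdir -p "$1/pam.d" "$1/security"
    : > "$1/security/pam_unix.so"
    : > "$1/security/pam_lsass.so"
    cat > "$1/pam.d/common-account" <<'EOF'
# constructed sample
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=ok new_authtok_reqd=ok default=ignore] pam_winbind.so
account sufficient pam_lsass.so
@include common-session
EOF
}

sample=$(mktemp -d)
make_sample "$sample"
find_missing_pam_modules "$sample/pam.d" "$sample/security"
rm -rf "$sample"
```

On a real host, pass /etc/pam.d and the module directories in use, such as /lib/security plus the multiarch directory of your release (for example /lib/x86_64-linux-gnu/security, an assumption about the architecture).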