#StackBounty: #14.04 #networking #password #active-directory #likewise Problem with PBISOpen and Ubuntu 14.04LTS

Bounty: 100

I’m testing openpbis version 8.3 and I have an authentication problem when I try to open a new session on Ubuntu 14.04 LTS, not on the local network but only on a distant network.

Adding the computer to Active Directory is very simple and I didn’t have any problem, on either my local or distant network.

But when I want to open a session with my Active Directory account, I get the message “wrong password”.

So I reinitialized the password in Active Directory and tried again to open the session.

I enter the default password, no problem; the system asks me to enter a new password, no message, and everything seems to be OK. After this, I enter my login and password and I get the message “wrong password”.

If I use the same login and password on a Windows 7 PC, there is no problem opening a session.

I’m trying to debug openpbis:

Make Sure You Are Joined to the Domain
/opt/pbis/bin/domainjoin-cli query
Name = chou-l64
Domain = mydomain.LAN
Distinguished Name = CN=CHOU-L64,CN=Computers,DC=mydomain,DC=lan


Check Whether You Are Using a Valid Logon Form


Clear the Cache
/opt/pbis/bin/ad-cache --delete-all


Check the Status of the PBIS Authentication Service
/opt/pbis/bin/lwsm status lsass
running (container: 1436)


Check Communication between the PBIS Service and AD
/opt/pbis/bin/get-dc-name mydomain.lan

Printing LWNET_DC_INFO fields:
dwDomainControllerAddressType = 24
dwFlags = 312
dwVersion = 5
wLMToken = 65535
wNTToken = 65535
pszDomainControllerName = robinson.mydomain.lan
pszDomainControllerAddress =
pucDomainGUID(hex) = 21 40 5F 7F EB EA 19 4E 8E 42 0E 13 96 19 AF EB 
pszNetBIOSDomainName = MYDOMAIN
pszFullyQualifiedDomainName = mydomain.lan
pszDnsForestName = mydomain.lan
pszDCSiteName = Lyon
pszClientSiteName = Paris
pszUserName = <EMPTY>


Verify that PBIS Can Find a User in AD
/opt/pbis/bin/find-user-by-name MYDOMAIN.lan\\dupond
User info (Level-0):
Name:              dupond
SID:               S-1-5-21-545202174-1067577326-598125351-6851
Uid:               1657281219
Gid:               1657274881
Gecos:             dupond dupond
Shell:             /bin/bash
Home dir:          /home/dupond
Logon restriction: NO

/opt/pbis/bin/find-user-by-name mydomain.lan\\admindupont
User info (Level-0):
Name:              admindupont
SID:               S-1-5-21-545202174-1067577326-598125351-6830
Uid:               1657281198
Gid:               1657274881
Gecos:             Administrateur dupont
Shell:             /bin/bash
Home dir:          /home/admindupont
Logon restriction: NO


Make Sure the AD Authentication Provider Is Running

LSA Server Status:

Compiled daemon version:
Packaged product version: 8.3.3287.68880
Uptime:        0 days 1 hours 47 minutes 43 seconds

[Authentication provider: lsa-activedirectory-provider]

    Status:        Online
    Mode:          Un-provisioned
    Domain:        MYDOMAIN.LAN
    Domain SID:    S-1-5-21-545202174-1067577326-598125351
    Forest:        mydomain.lan
    Site:          Lyon
    Online check interval:  300 seconds
    [Trusted Domains: 1]

    [Domain: MYDOMAIN]

            DNS Domain:       mydomain.lan
            Netbios name:     MYDOMAIN
            Forest name:      mydomain.lan
            Trustee DNS name: 
            Client site name: Paris
            Domain SID:       S-1-5-21-545202174-1067577326-598125351
            Domain GUID:      00000000-0000-0000-0000-000000000000
            Trust Flags:      [0x001d]
                              [0x0001 - In forest]
                              [0x0004 - Tree root]
                              [0x0008 - Primary]
                              [0x0010 - Native]
            Trust type:       Up Level
            Trust Attributes: [0x0000]
            Trust Direction:  Primary Domain
            Trust Mode:       In my forest Trust (MFT)
            Domain flags:     [0x0003]
                              [0x0001 - Primary]
                              [0x0002 - Offline]

            [Domain Controller (DC) Information]

                    DC Name:              robinson.mydomain.lan
                    DC Address: 
                    DC Site:              Lyon
                    DC Flags:             [0x00000138]
                    DC Is PDC:            no
                    DC is time server:    no
                    DC has writeable DS:  yes
                    DC is Global Catalog: no
                    DC is running KDC:    yes


Run the id Command to Check the User
id mydomain.lan\\dupond
uid=1657281219(dupond) gid=1657274881(utilisa.^du^domaine groupes=1657274881(utilisa.^du^domaine)


passwd:         compat lsass
group:          compat lsass
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis


less /etc/pam.d/common-session

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional        pam_umask.so
session required        pam_unix.so 
session [success=ok default=ignore]     pam_lsass.so 
session optional        pam_mount.so 
session optional        pam_systemd.so 
session optional                        pam_ck_connector.so nox11

When I try to open a session on this PC, I get these messages in /var/log/auth.log:

Jul 23 15:22:26 chou-l64 login[1728]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:22:29 chou-l64 login[1728]: FAILED LOGIN (1) on '/dev/tty1' FOR 'dupond', Authentication failure
Jul 23 15:24:25 chou-l64 sshd[11898]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:24:26 chou-l64 sshd[11896]: error: PAM: Authentication failure for dupond from localhost
Jul 23 15:24:34 chou-l64 sshd[11919]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:24:39 chou-l64 sshd[11922]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40022]
Jul 23 15:24:41 chou-l64 sshd[11896]: message repeated 2 times: [ error: PAM: Authentication failure for dupond from localhost]
Jul 23 15:24:50 chou-l64 sshd[11896]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40022]
Jul 23 15:24:52 chou-l64 sshd[11896]: Failed password for dupond from port 39657 ssh2
Jul 23 15:24:58 chou-l64 sshd[11896]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:25:01 chou-l64 sshd[11896]: Failed password for dupond from port 39657 ssh2

How can I resolve this problem?
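
An added example, not part of the original post: a small Python triage script that pulls the pam_lsass failures out of the auth.log excerpt above and tallies them by service, login and error code, so the mix of 40355 and 40022 results can be compared between console and SSH logins. The function names are hypothetical, and the script deliberately does not interpret the PBIS error codes.

```python
import re
from collections import Counter

# Copied from the /var/log/auth.log excerpt in the post above.
SAMPLE_LOG = """\
Jul 23 15:22:26 chou-l64 login[1728]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:22:29 chou-l64 login[1728]: FAILED LOGIN (1) on '/dev/tty1' FOR 'dupond', Authentication failure
Jul 23 15:24:25 chou-l64 sshd[11898]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:24:26 chou-l64 sshd[11896]: error: PAM: Authentication failure for dupond from localhost
Jul 23 15:24:34 chou-l64 sshd[11919]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:24:39 chou-l64 sshd[11922]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40022]
Jul 23 15:24:41 chou-l64 sshd[11896]: message repeated 2 times: [ error: PAM: Authentication failure for dupond from localhost]
Jul 23 15:24:50 chou-l64 sshd[11896]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40022]
Jul 23 15:24:52 chou-l64 sshd[11896]: Failed password for dupond from port 39657 ssh2
Jul 23 15:24:58 chou-l64 sshd[11896]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:dupond][error code:40355]
Jul 23 15:25:01 chou-l64 sshd[11896]: Failed password for dupond from port 39657 ssh2
"""

# Matches only the pam_lsass lines; plain sshd/login failure lines are skipped.
LSASS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s(?P<service>[\w.-]+)\[\d+\]:\s"
    r"\[lsass-pam\]\s\[module:\w+\]\w+\serror\s"
    r"\[login:(?P<login>[^\]]*)\]\[error code:(?P<code>\d+)\]"
)

def parse_lsass_errors(text):
    """Return one dict (ts, service, login, code) per pam_lsass error line."""
    return [m.groupdict() for m in map(LSASS_RE.match, text.splitlines()) if m]

def count_by_service_login_code(events):
    """Count failures per (service, login, error code) triple."""
    return Counter((e["service"], e["login"], e["code"]) for e in events)

def code_windows(events):
    """Map each error code to the (first, last) timestamp it was logged at."""
    windows = {}
    for e in events:
        first, _ = windows.get(e["code"], (e["ts"], e["ts"]))
        windows[e["code"]] = (first, e["ts"])
    return windows

if __name__ == "__main__":
    events = parse_lsass_errors(SAMPLE_LOG)
    for key, n in sorted(count_by_service_login_code(events).items()):
        print(*key, n)
    for code, (first, last) in code_windows(events).items():
        print(code, first, "->", last)
```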
