Bug 205577

Summary: Suddenly unable to login via SSH using Windows Domain logid that worked earlier
Product: [openSUSE] SUSE Linux 10.1 Reporter: Jack Hamilton <jack.hamilton>
Component: YaST2 Assignee: Lars Müller <lmuelle>
Status: RESOLVED NORESPONSE QA Contact: Jiri Srain <jsrain>
Severity: Minor    
Priority: P5 - None CC: jack.hamilton, jsuchome
Version: Final   
Target Milestone: ---   
Hardware: i686   
OS: SuSE Linux 10.1   
Whiteboard:
Found By: Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: yast2 log
hwinfo output
yast2 log for 20060914

Description Jack Hamilton 2006-09-13 21:50:47 UTC
PROBLEM: YaST2 > Network Services > Windows Domain Membership; affecting Windows domain logins if ABORTING/CANCELING instead of clicking FINISH even when no changes made to working configuration.

SYMPTOM: Suddenly unable to login via SSH using Windows Domain logid (i.e., mydomain\jdoe) that worked earlier. /var/log/messages shows the following errors when a domain user tries to login:

Sep 13 13:55:48 pcp060308pcs sshd[24767]: error: PAM: User not known to the underlying authentication module for illegal user ipss\\ub49006 from xpn-l3a7281-udp01019032uds.uboc.com
Sep 13 13:55:48 pcp060308pcs sshd[24767]: Failed keyboard-interactive/pam for invalid user ipss\\ub49006 from 10.20.32.36 port 4265 ssh2

ROOT CAUSE: Apparently occurs if a privileged user (root) goes into YaST Control Center > Network Services > Windows Domain Membership and then ABORTS or cancels. Regardless if any changes were made or if the changes were left as-is, this has the effect of breaking domain authentication. To resolve, simply click FINISH next time and confirm by trying to log into an SSH session with a domain logid.

WORK-AROUND TO RESOLVE WHEN AUTHENTICATION IS BROKEN: 
1. As root (or privileged account), open the YaST Control Center > Network Services > Windows Domain Membership. 

2. Confirm the following are filled out and checked:

Domain: Your FQDN
x Also use SMB Information for Linux Authentication
x Create Home Directory on Login
x Offline Authentication
Sharing by Users is optional.

3. Click Finished.
NOTE: Even if the above are already set, clicking FINISHED seems to re-write the configuration and/or restart the services that re-read the configuration, which in turn seems to resolve the problem, until the above steps are repeated again causing the problem to re-manifest.

NOTE: If the login failed and the above steps are followed, you will need to close out the original session and start a new SSH session; otherwise, the original session will always fail at the login prompt regardless of following the above steps and will make it appear that the above fix is not working.

BUILD: Linux 2.6.16.13-4-default #1 Wed May 3 04:53:23 UTC 2006 i686 i686 i386 GNU/Linux

HW: 
vendor_id       : GenuineIntel
cpu family      : 15
model           : 2
model name      : Intel(R) Celeron(R) CPU 2.00GHz
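
The sshd symptom quoted in the description can be checked for mechanically. The following Python sketch is an added example, not part of the original report or of YaST or Samba: it scans sshd log text for DOMAIN\user accounts that PAM reports as unknown and marks those that were accepted earlier in the same log. The sample lines, host, addresses, account names and the function name are constructed for illustration.

```python
import re

# Constructed sample lines in the sshd/syslog format quoted in the report;
# host, PIDs, addresses and account names are made up.
SAMPLE_LOG = r"""
Sep 13 09:12:01 host1 sshd[2101]: Accepted keyboard-interactive/pam for EXAMPLE\\jdoe from 192.0.2.10 port 4001 ssh2
Sep 13 10:30:44 host1 sshd[2250]: error: PAM: Authentication failure for EXAMPLE\\asmith from 192.0.2.11
Sep 13 13:55:48 host1 sshd[2476]: error: PAM: User not known to the underlying authentication module for illegal user EXAMPLE\\jdoe from 192.0.2.10
Sep 13 13:55:48 host1 sshd[2476]: Failed keyboard-interactive/pam for invalid user EXAMPLE\\jdoe from 192.0.2.10 port 4265 ssh2
Sep 13 14:02:10 host1 sshd[2490]: error: PAM: User not known to the underlying authentication module for illegal user nosuchlocal from 192.0.2.50
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from ")
UNKNOWN = re.compile(
    r"sshd\[\d+\]: error: PAM: User not known to the underlying authentication "
    r"module for (?:illegal user |invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def norm(user):
    # The quoted log lines show the domain separator as a double backslash.
    return user.replace("\\\\", "\\").lower()


def find_lookup_regressions(log_text):
    """Return findings for domain accounts that PAM reports as unknown.

    'regressed' is True when the same account was accepted earlier in the
    log, the pattern in the report: the account worked, then lookups broke.
    """
    accepted, findings = set(), []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            accepted.add(norm(m.group("user")))
            continue
        m = UNKNOWN.search(line)
        if m and "\\" in m.group("user"):  # only DOMAIN\user style names
            user = norm(m.group("user"))
            findings.append({"user": user, "source": m.group("src"),
                             "regressed": user in accepted})
    return findings


if __name__ == "__main__":
    for finding in find_lookup_regressions(SAMPLE_LOG):
        print(finding)
```

A finding with `regressed` set points at a broken account lookup rather than a mistyped password, which is the case the work-around above addresses.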
Comment 1 Jack Hamilton 2006-09-13 21:58:44 UTC
Created attachment 98643
yast2 log
Comment 2 Jack Hamilton 2006-09-13 21:59:01 UTC
Created attachment 98644
hwinfo output
Comment 3 Jack Hamilton 2006-09-15 00:38:00 UTC
Discovered today that the domain logids are unable to login (and existing logins sometimes, but not always, display a message about not being able to locate the UID/GID if doing a 'id' or 'whoami' command) after I did some online and system updates (YaST > Software > Online Update and System Update) despite never going to "Windows Domain Memberships"; however, I was able to quickly resolve the matter using the usual 'go to Windows Domain Membership and click FINISH' work-around. I can attach this latest yast2log if desired.
Comment 4 Jack Hamilton 2006-09-15 00:43:21 UTC
Created attachment 98769
yast2 log for 20060914

This will (hopefully) show what occurred in Yast today (doing Online Updates and System Updates via "Software" in Yast GUI) when the problem re-manifested despite never going to Windows Domain Membership earlier. (Later I did to fix the problem.)
Comment 5 Thomas Fehr 2006-09-21 07:37:52 UTC
Reassign to maintainer of samba-client
Comment 6 Jiří Suchomel 2006-09-21 07:51:14 UTC
If I understand this right, you are saying that samba configuration was deactivated without an interaction of yast2-samba-client module. The second case indicates that it could be caused by updated samba packages - maybe the patch rpm's didn't restart the services correctly?
Comment 7 Jiří Suchomel 2006-09-21 07:51:55 UTC
(sorry, wrong login)
Comment 8 Christoph Thiel 2008-04-25 10:01:55 UTC
Closing NORESPONSE, due to missing information. Please retest on openSUSE 11.0 and create a new bug report if the problem still persists.