I followed the description in https://wiki.archlinux.org/title/Active … ntegration in order to set up a client to authenticate against the Active Directory (micro$). We would like to have a notebook where everybody (in the AD) is allowed to log in.
I did everything exactly as printed in the Wiki - but I cannot get any authentication to work. I can list the users with
wbinfo -u
but I cannot authenticate. I am sure I have an error in the configuration, I just cannot figure out what that might be. I went through the article multiple times, I ended up copy-pasting everything into the configuration files. I double checked (quadruple-checked) I have everything exactly as shown in the Wiki.
I cannot get authentication against an Active Directory to work.
My log (journalctl) shows the following output when I try to login with a user from the AD:
Jun 10 16:37:39 tinky sddm-greeter-qt6[660]: Reading from "/usr/share/wayland-sessions/plasmawayland.desktop"
Jun 10 16:37:39 tinky sddm[631]: Message received from greeter: Login
Jun 10 16:37:39 tinky sddm[631]: Reading from "/usr/share/wayland-sessions/plasmawayland.desktop"
Jun 10 16:37:39 tinky sddm[631]: Session "/usr/share/wayland-sessions/plasmawayland.desktop" selected, command: "/usr/lib/plasma-dbus-run-session-if-needed /usr/bin/startplasma-wayland" for VT 1
Jun 10 16:37:39 tinky sddm-helper[931]: [PAM] Starting...
Jun 10 16:37:39 tinky sddm-helper[931]: [PAM] Authenticating...
Jun 10 16:37:39 tinky sddm-helper[931]: pam_faillock(sddm:auth): User unknown
Jun 10 16:37:39 tinky sddm-helper[931]: pam_winbind(sddm:auth): getting password (0x00004388)
Jun 10 16:37:39 tinky sddm-helper[931]: [PAM] Preparing to converse...
Jun 10 16:37:39 tinky sddm-helper[931]: [PAM] Conversation with 1 messages
Jun 10 16:37:39 tinky sddm-helper[931]: pam_unix(sddm:auth): check pass; user unknown
Jun 10 16:37:39 tinky sddm-helper[931]: pam_unix(sddm:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 10 16:37:39 tinky sddm-helper[931]: pam_faillock(sddm:auth): User unknown
Jun 10 16:37:41 tinky sddm-helper[931]: [PAM] authenticate: Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt
Jun 10 16:37:41 tinky sddm-helper[931]: [PAM] returning.
Jun 10 16:37:41 tinky sddm[631]: Authentication error: SDDM::Auth::ERROR_AUTHENTICATION "Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt"
Jun 10 16:37:41 tinky sddm-helper[931]: [PAM] Asked to close the session but it wasn't previously open
Jun 10 16:37:41 tinky sddm[631]: Authentication for user "" failed
Jun 10 16:37:41 tinky sddm-greeter-qt6[660]: Information Message received from daemon: "Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt"
Jun 10 16:37:41 tinky sddm-greeter-qt6[660]: Message received from daemon: LoginFailed
Jun 10 16:37:41 tinky sddm-helper[931]: [PAM] Ended.
Jun 10 16:37:41 tinky sddm[631]: Auth: sddm-helper exited with 1
Jun 10 16:37:41 tinky sddm-greeter-qt6[660]: Message received from daemon: LoginFailed
So basically it says the user is unknown. I cannot see anything from pam_winbind other than that it is "getting password".
Is there a known issue that keeps this mechanism from working at the moment?
Is there anyone who could get authentication against an AD working? Does it work now?
Thanks for any hints!
Does an AD login work on a (text) console (Ctrl-Alt-F2 ... F6)?
Good question. I think I didn't even test that. I'll check that tomorrow when I am back at the device.
Unfortunately it doesn't work either. There is a difference though when I delete
/etc/security/pam_winbind.conf
The file wasn't there after installing the necessary packages so I created it accordingly. Now, when I remove that file completely I can see the following journal entries when trying to log in from the console:
Jun 12 09:19:21 tinky systemd[1]: Started Getty on tty3.
Jun 12 09:19:25 tinky login[859]: pam_faillock(login:auth): User unknown
Jun 12 09:19:25 tinky login[859]: pam_winbind(login:auth): getting password (0x00000000)
Jun 12 09:19:28 tinky login[859]: pam_winbind(login:auth): user 'mrproper' granted access
Jun 12 09:19:28 tinky login[859]: pam_faillock(login:auth): User unknown
Jun 12 09:19:31 tinky login[859]: FAILED LOGIN 1 FROM tty3 FOR (unknown), User not known to the underlying authentication module
Jun 12 09:20:25 tinky systemd[1]: [email protected]: Deactivated successfully.
Jun 12 09:20:25 tinky systemd[1]: [email protected]: Scheduled restart job, restart counter is at 1.
Jun 12 09:20:25 tinky systemd[1]: Started Getty on tty3.
That's now totally weird - it says
user 'mrproper' granted access
which doesn't appear when I place my pam_winbind.conf file in /etc/security. So it seems that authentication does indeed work, but my system nevertheless refuses the user. I guess my pam configuration must be wrong.
This is my /etc/pam.d/system-auth file:
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=3 default=ignore] pam_systemd_home.so
auth [success=2 default=ignore] pam_winbind.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=2 default=ignore] pam_systemd_home.so
account [success=1 default=ignore] pam_winbind.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=2 default=ignore] pam_systemd_home.so
password [success=1 default=ignore] pam_winbind.so
password required pam_unix.so try_first_pass nullok shadow sha512
password optional pam_permit.so
-session optional pam_systemd_home.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_winbind.so
session required pam_unix.so
session optional pam_permit.so
Can you spot the problem?
Since it seemed that the reason was that pam_faillock could not identify the user, I simply deactivated all pam_faillock calls. Now on the terminal it shows:
Jun 12 14:07:09 tinky systemd[1]: Started Getty on tty3.
Jun 12 14:07:11 tinky login[2677]: pam_winbind(login:auth): getting password (0x00000008)
Jun 12 14:07:13 tinky login[2677]: pam_winbind(login:auth): user 'mrproper' granted access
Jun 12 14:07:13 tinky login[2677]: FAILED LOGIN 1 FROM tty3 FOR (unknown), User not known to the underlying authentication module
So for some reason the system still thinks the user is unknown even if pam_winbind says "granted access". I feel absolutely stupid now and I wish I would never ever have to deal with windoze or anything related to it for the rest of my life. Unfortunately that will never happen as literally everyone here basically uses windoze - this machine would be the first one being different and a game-changer for me. But I need to integrate it into the active directory in order to make it useful in that way.
Please, has anybody ever had success with integrating pam / winbind / samba / active directory? What on earth could be the problem in my setup? I cannot see any difference to the supplied information on the wiki.
There are even more discrepancies in this system - when I try to login via ssh I get a completely different journal output. When I use the correct password I get
Jun 12 14:40:48 tinky sshd-session[1419]: Invalid user mrproper from 172.16.2.2 port 39818
Jun 12 14:40:51 tinky sshd-session[1419]: pam_faillock(sshd:auth): User unknown
Jun 12 14:40:51 tinky sshd-session[1419]: pam_winbind(sshd:auth): getting password (0x00000000)
Jun 12 14:40:51 tinky sshd-session[1419]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: When trying to update a password, this return status indicates that the value provided as the current password is not correct.
Jun 12 14:40:51 tinky sshd-session[1419]: pam_winbind(sshd:auth): user 'mrproper' denied access (incorrect password or invalid membership)
Jun 12 14:40:51 tinky sshd-session[1419]: pam_unix(sshd:auth): check pass; user unknown
Jun 12 14:40:51 tinky sshd-session[1419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.2.2
Jun 12 14:40:51 tinky sshd-session[1419]: pam_faillock(sshd:auth): User unknown
Jun 12 14:40:53 tinky sshd-session[1419]: Failed password for invalid user mrproper from 172.16.2.2 port 39818 ssh2
But it is the correct password. So many problems. Honestly I don't believe this is working anywhere.
I got two instances of a Linux server joined to a Windows AD serving files via samba to Windows AD users up and running for years without problems.
I never tried to enable direct login to a Linux machine via AD account.
Some things I kept in mind: the timezone and time must be equal on both the AD server and the Linux machine. The domain user's correct username is "Domain\User" (some kinds of software may not like this backslash). Make sure Kerberos tickets flow correctly.
Is there an
id mrproper
on the local host? What if you
useradd mrproper
?
Thanks! The user does not exist locally, id mrproper tells me there is no such user. But I can issue:
$ wbinfo -u | grep mrproper
mrproper
$
Well, if I add the user I assume I can log in. I already created a local only user and I can log in with this user but this does not authenticate against the AD.
Should id also work with non-local users?
Should id also work with non-local users?
I doubt it.
https://wiki.archlinux.org/title/Active … figure_NSS ?
Ok, I thought so. I totally forgot to mention that joining the Active Directory with net ads join did work. My nsswitch.conf should be fine I guess (I included winbind and mymachines); wbinfo does list the users and the groups. So it seems that my pam stack does not take this into account. The successful authentication of winbind seems to make no difference for pam; it still thinks the user is unknown. Should I reorder the pam modules?
Hold on
Jun 10 16:37:39 tinky sddm-helper[931]: [PAM] Starting...
Jun 10 16:37:39 tinky sddm-helper[931]: [PAM] Authenticating...
Jun 10 16:37:39 tinky sddm-helper[931]: pam_faillock(sddm:auth): User unknown
Jun 10 16:37:39 tinky sddm-helper[931]: pam_winbind(sddm:auth): getting password (0x00004388)
Jun 10 16:37:39 tinky sddm-helper[931]: [PAM] Preparing to converse...
Jun 10 16:37:39 tinky sddm-helper[931]: [PAM] Conversation with 1 messages
Jun 10 16:37:39 tinky sddm-helper[931]: pam_unix(sddm:auth): check pass; user unknown
Jun 10 16:37:39 tinky sddm-helper[931]: pam_unix(sddm:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 10 16:37:39 tinky sddm-helper[931]: pam_faillock(sddm:auth): User unknown
Jun 10 16:37:41 tinky sddm-helper[931]: [PAM] authenticate: Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt
Jun 10 16:37:41 tinky sddm-helper[931]: [PAM] returning.
is this an SDDM specific problem? What does /etc/pam.d/sddm look like?
It does not seem to be an issue related to sddm - when I try to login from the console (not on the graphical login screen) I get:
Jun 19 09:35:57 tinky systemd[1]: Started Getty on tty3.
Jun 19 09:36:02 tinky login[1330]: pam_faillock(login:auth): User unknown
Jun 19 09:36:02 tinky login[1330]: pam_winbind(login:auth): getting password (0x00000000)
Jun 19 09:36:05 tinky login[1330]: pam_winbind(login:auth): user 'dada' granted access
Jun 19 09:36:05 tinky login[1330]: pam_faillock(login:auth): User unknown
Jun 19 09:36:07 tinky login[1330]: FAILED LOGIN 1 FROM tty3 FOR (unknown), User not known to the underlying authentication module
There is something severely wrong with this system / pam / configuration / winbind - samba - ...
It literally says "user 'dada' granted access" - nevertheless all fails with "pam_faillock(login:auth): User unknown" and "FAILED LOGIN 1 FROM tty3 FOR (unknown), User not known to the underlying authentication module"
It's the complete contradiction: "granted access" and "user unknown". Doesn't make sense at all. And seems to not have anything to do with sddm but with pam_faillock.
It's the complete contradiction: "granted access" and "user unknown". Doesn't make sense at all.
One operates on a local user, the other one queries the AD.
There is something severely wrong with this system / pam / configuration / winbind - samba - ...
I very much suspect that the AD user needs to be mapped to an actual local user - otherwise at least pam_unix and pam_faillock would have to go.
Whether the system then properly works when you're essentially logged in as anonymous user is a different matter.
Ok, thanks for that hint. I assumed pam_winbind et al. would do that, and with the help of mkhomedir even create the user's home directory upon login. I also meant I configured that offline logins should work too, so that when a user was previously logged in she should be able to do so even when offline.
I also thought the try_first_pass would be here exactly for this, but I see I don't understand. I wanted a setup where I don't need to set up every user on the laptop but have it so that any valid domain user can use it. This shouldn't be that hard imho; linux machines have used such scenarios long ago with ldap afaik.
For this use case, do I need to setup something aside from what is mentioned on https://wiki.archlinux.org/title/Active … ntegration ?
Now that you mention LDAP, I once set up a Debian-based OpenVPN server that used the Windows AD domain accounts as a second factor, by directly querying the Windows AD LDAP database (via LDAPS). Maybe that's a possible way?
I had success a few years ago via SSSD: https://sssd.io/docs/ad/ad-introduction.html
Forgot the specifics, but it was relatively straight forward. Don't like to recommend "just use something else", but here we are.
If you want a purely remotely managed user, you cannot have any pam modules that return fatal if the local user doesn't exist.
1. faillock is supposed to return PAM_IGNORE if the user isn't in the local passwd - it should™ not be a problem but you might want to comment it nevertheless
2. get pam_systemd_home out of the list just to be sure
3. the big problems are in your session block
In the auth, account and password blocks, a successful pam_winbind will skip the following pam_unix, but in the session block you're unconditionally moving through pam_systemd_home (though that's gonna be inert anyway), mkhomedir, limits, winbind, unix and then permit.
I have doubts regarding mkhomedir working properly, but you certainly want to skip unix if winbind succeeds, and winbind should probably be uncritical. I guess you wanted to use the mkhomedir flag for pam_winbind, and the mkhomedir line was a bogus attempt at creating a $HOME for AD users?
pam_mkhomedir will return PAM_USER_UNKNOWN for users that are not in /etc/passwd, you could ignore that but that would then defeat the point entirely
…
-session optional pam_systemd_home.so
session required pam_limits.so
session [success=1 default=ignore] pam_winbind.so mkhomedir
session required pam_unix.so
session optional pam_permit.so
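To make the control-flag reasoning in the last reply concrete (and to check the system-auth file posted with "Can you spot the problem?"), here is a small simulator of Linux-PAM's stack semantics as documented in pam.conf(5). This is an added example, not code from this thread or from Linux-PAM. The module results it feeds in are constructed from what the thread shows: pam_winbind succeeds ("granted access"), pam_unix reports an unknown user ("check pass; user unknown"), pam_faillock returns PAM_IGNORE and pam_mkhomedir returns PAM_USER_UNKNOWN for users not in /etc/passwd (both per the replies); the results for pam_systemd_home and pam_limits are assumptions.

```python
"""Simulator of Linux-PAM stack control semantics, following pam.conf(5). Added
example; not code from the thread or from Linux-PAM. Module results come from a table."""
PAM_SUCCESS, PAM_PERM_DENIED, PAM_USER_UNKNOWN, PAM_IGNORE = 0, 6, 10, 25  # _pam_types.h values
RETVAL_NAMES = {0: "success", 6: "perm_denied", 10: "user_unknown", 25: "ignore"}
KEYWORDS = {  # keyword expansions as documented in pam.conf(5)
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_stack(text, want_type):
    """Return [(module, actions)] for the lines of one type (auth, session, ...)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mtype, rest = line.split(None, 1)
        if mtype.lstrip("-") != want_type:   # a leading '-' only silences a missing module
            continue
        rest = rest.strip()
        if rest.startswith("["):             # explicit [value=action ...] control
            end = rest.index("]")
            actions = dict(item.split("=", 1) for item in rest[1:end].split())
            rest = rest[end + 1:]
        else:                                # keyword control
            keyword, rest = rest.split(None, 1)
            actions = dict(KEYWORDS[keyword])
        entries.append((rest.split()[0], actions))
    return entries

def evaluate(entries, results):
    """Walk the stack the way libpam's dispatcher does; return (status, modules run)."""
    impression = None                   # None: undecided, True: positive, False: negative
    status, ran, i = PAM_PERM_DENIED, [], 0
    while i < len(entries):
        module, actions = entries[i]
        i += 1
        retval = results[module]
        ran.append(module)
        action = actions.get(RETVAL_NAMES[retval], actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):    # the first failure sets the result and sticks
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
            continue
        # ok, done and a jump count N all record a positive result unless a failure is pending
        if retval != PAM_IGNORE and (impression is None or (impression and status == PAM_SUCCESS)):
            impression, status = True, retval
        if action == "done" and impression:
            break
        if action.isdigit():            # N: skip the next N entries, whatever they are
            i += int(action)
            if i > len(entries):        # libpam logs "bad jump in stack" and fails
                impression, status = False, PAM_PERM_DENIED
    return (status if impression is not None else PAM_PERM_DENIED), ran

# Blocks quoted from the thread, plus constructed results for a domain user that NSS
# does not resolve ("assumed" entries are mine; the others follow the journal or the reply).
ORIGINAL_SESSION = """
-session optional pam_systemd_home.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_winbind.so
session required pam_unix.so
session optional pam_permit.so
"""
PROPOSED_SESSION = """
-session optional pam_systemd_home.so
session required pam_limits.so
session [success=1 default=ignore] pam_winbind.so mkhomedir
session required pam_unix.so
session optional pam_permit.so
"""
ORIGINAL_AUTH = """
auth required pam_faillock.so preauth
-auth [success=3 default=ignore] pam_systemd_home.so
auth [success=2 default=ignore] pam_winbind.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
"""
AD_ONLY_USER = {
    "pam_winbind.so": PAM_SUCCESS,            # journal: "granted access"
    "pam_unix.so": PAM_USER_UNKNOWN,          # journal: "check pass; user unknown"
    "pam_faillock.so": PAM_IGNORE,            # reply: PAM_IGNORE when not in local passwd
    "pam_mkhomedir.so": PAM_USER_UNKNOWN,     # reply: PAM_USER_UNKNOWN when not in /etc/passwd
    "pam_systemd_home.so": PAM_USER_UNKNOWN,  # assumed: no systemd-homed record
    "pam_limits.so": PAM_SUCCESS, "pam_permit.so": PAM_SUCCESS, "pam_env.so": PAM_SUCCESS,  # limits assumed
}

def run(text, mtype, results=AD_ONLY_USER):
    return evaluate(parse_stack(text, mtype), results)

def without_faillock(text):
    """Comment out the pam_faillock lines but leave every jump count as it was."""
    return "\n".join(("#" + l if "pam_faillock" in l else l) for l in text.splitlines())
```

Calling run(ORIGINAL_SESSION, "session") returns PAM_USER_UNKNOWN: pam_mkhomedir is "required", so its failure is recorded first and pam_winbind succeeding afterwards cannot undo it. run(PROPOSED_SESSION, "session") returns PAM_SUCCESS and never reaches pam_unix, because success=1 on pam_winbind jumps over it. run(ORIGINAL_AUTH, "auth") also returns PAM_SUCCESS under these results, so the auth block as posted is not what produces the unknown-user status here. One caveat the simulator makes visible: jump counts are positional. Commenting out the pam_faillock lines while leaving success=2 in place makes pam_winbind's jump land on pam_env instead of pam_permit, so every N in a bracket control has to be recounted whenever lines are removed or inserted.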