# PAM and AD Integration: Immediate logoff upon logon

## mista_eng (May 15, 2011)

Hey guys,

Basically, I'm trying to log onto my FreeBSD box using Active Directory credentials via PAM directly on the console. As soon as I enter in my AD username and password, the system appears to accept them (no error messages on console) but promptly returns me to the login prompt. This behavior is also true for root.

VMware ESXi VMs:
FreeBSD 8.2 - SAMBA 3.4
Windows Server 2008 R2 - domain controller, DNS

I don't have SSH properly set up at the moment (have to go into single-user mode and fiddle with /etc/pam.d/system|login|sshd files), but thought I'd ask first for any obvious advice while I get a few things sorted out. 

I can confirm that /var/logs/auth.log has login entries for both root and my AD user accounts.

Any places I should check?


----------



## izotov (May 23, 2011)

Could you provide some more details about your setup please? Which PAM module do you use? How does your pam.d configuration look?


----------



## mista_eng (Jul 12, 2011)

Hey guys, I actually resolved this a while back http://arstechnica.com/civis/viewtopic.php?f=16&t=1144818, but forgot to post my work here. 

Here it is again, in case anyone can make use of it:

I was about to give up when I did a quick google and came across http://www.semicomplete.com/articles/ssh-security/, mentioning "set to /bin/false (or some derivative) on said machines, so the only thing you'll see after you authenticate is the login banner and your connection will close". Hmm, that sounds familiar.

I was fiddling around with /etc/pam.d/system|login|sshd files when I noticed the following being logged in /var/log/auth.log:

```
May 18 03:24:47 zfs1ny1usa sshd[45624]: Accepted keyboard-interactive/pam for testuser from 10.10.10.100 port 60619 ssh2
May 18 03:30:03 zfs1ny1usa sshd[45634]: reverse mapping checking getaddrinfo for x61.home.local [10.10.10.100] failed - POSSIBLE BREAK-IN ATTEMPT!
May 18 03:30:03 zfs1ny1usa sshd[45634]: User monkeytest not allowed because shell /bin/false does not exist
May 18 03:30:03 zfs1ny1usa sshd[45634]: in openpam_load_module(): no /usr/local/lib/pam_mkhomedir.so found
May 18 03:30:03 zfs1ny1usa sshd[45634]: fatal: PAM: initialisation failed
```

Let's check details for the AD user, monkeytest:

```
# getent passwd monkeytest
monkeytest:*:10002:10011:monkey test:/home/HOME/monkeytest:/bin/false
```

Let's change the shell to /bin/sh:

```
# chsh monkeytest
```

SSH in (using putty)... yay it works! Here's the auth.log contents now:

```
May 19 03:12:57 zfs1ny1usa sshd[48634]: pam_winbind(sshd): user 'monkeytest' granted access
May 19 03:12:57 zfs1ny1usa sshd[48632]: Accepted keyboard-interactive/pam for monkeytest from 10.10.10.100 port 52055 ssh2
```

No auth.log errors upon exit either. I used to have that problem before when I really screwed around with PAM service files. 

But wait, I see this message upon logon:

```
Could not chdir to home directory /home/HOME/monkeytest: No such file or directory
```

Hmm, better check if the absolute path exists:

```
zfs1ny1usa# ls -lG /home/
total 2
drwxr-xr-x  2 testuser  testuser  512 May 18 03:24 testuser
```

Looks like we'll have to create it and set permissions:

```
zfs1ny1usa# mkdir /home/HOME
zfs1ny1usa# chmod o+w /home/HOME
zfs1ny1usa# ls -lG
total 4
drwxr-xrwx  2 root      wheel     512 May 19 03:36 HOME
drwxr-xr-x  2 testuser  testuser  512 May 18 03:24 testuser
```

And upon logging in again as 'monkeytest', no such warning, I see the directory, and am able to write to it! 

```
zfs1ny1usa# ls -lG /home/HOME
total 2
drwxr-xr-x  2 monkeytest  domain users  512 May 19 03:38 monkeytest
zfs1ny1usa# ls
.cshrc          .login_conf     .mailrc         .rhosts         myfirstfile
.login          .mail_aliases   .profile        .shrc
```

Here are the contents of my /etc/pam.d/sshd:

```
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_winbind.so
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
```

I'm quite new to *nix so figuring this stuff out, as simple as it seems, means a great deal to me. (I'm learning, woot!)
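The three things the post ran into (a login shell sshd rejects, a home directory whose parent does not exist, and a pam.d service file naming a module that is not installed) can be checked before the first login attempt; the script below is an added example written for this thread, not the poster's own work, and it also flags the `chmod o+w` parent from above, since a world-writable directory without the sticky bit lets any local user rename or remove other users' home directories. It assumes POSIX sh and that modules named without a path live in `PAM_LIBDIRS` (FreeBSD's `/usr/lib` and `/usr/local/lib` by default).

```shell
# Added example (not from the thread): pre-flight checks for an AD/winbind account on FreeBSD,
# covering the three things the post hit: a login shell sshd rejects, a missing parent for the
# home directory, and a pam.d file naming a module that is not installed.
# Assumption: modules given without a path are searched in PAM_LIBDIRS (FreeBSD defaults).
PAM_LIBDIRS=${PAM_LIBDIRS:-"/usr/lib /usr/local/lib"}

# check_shell PASSWD_LINE SHELLS_FILE: shell must exist, be executable and be in shells(5)
check_shell() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    [ -x "$shell" ] || { echo "shell $shell is missing or not executable"; return 1; }
    grep -qx "$shell" "$2" || { echo "shell $shell is not listed in $2"; return 1; }
    echo ok
}

# check_home PASSWD_LINE: pam_mkhomedir needs the parent to exist; a world-writable parent
# without the sticky bit lets any local user rename or remove other users' home directories
check_home() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    parent=$(dirname "$home")
    [ -d "$parent" ] || { echo "parent $parent of $home does not exist"; return 1; }
    perm=$(ls -ld "$parent" | cut -c1-10)        # e.g. drwxrwxrwt
    if [ "$(printf '%s' "$perm" | cut -c9)" = w ]; then
        case "$perm" in
            *[tT]) ;;
            *) echo "warning: $parent is world-writable without the sticky bit"; return 2 ;;
        esac
    fi
    echo ok
}

# check_pam_modules PAMFILE: report modules openpam could not load (the post's
# "no /usr/local/lib/pam_mkhomedir.so found"); commented-out lines are skipped
check_pam_modules() {
    out=$(grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 3 { print $3 }' | while read -r mod; do
        case "$mod" in
            /*) [ -e "$mod" ] || echo "missing: $mod" ;;
            *)  found=0
                for d in $PAM_LIBDIRS; do [ -e "$d/$mod" ] && found=1; done
                [ "$found" -eq 1 ] || echo "missing: $mod (searched: $PAM_LIBDIRS)" ;;
        esac
    done)
    [ -n "$out" ] || { echo ok; return 0; }
    printf '%s\n' "$out"
    return 1
}
# Usage: sh precheck.sh <username> [pam-service-file]   (default /etc/pam.d/sshd)
if [ $# -ge 1 ]; then
    entry=$(getent passwd "$1") || { echo "no passwd entry for $1 (nsswitch/winbind?)"; exit 1; }
    check_shell "$entry" /etc/shells; check_home "$entry"; check_pam_modules "${2:-/etc/pam.d/sshd}"
fi
```

Run it as `sh precheck.sh monkeytest` after joining the domain; a non-zero exit from any check corresponds to one of the auth.log lines quoted earlier in the post.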


----------

