XRDP & LDAP on SLES 11 SP3



sysengPS
04-Mar-2015, 19:30
Howdy
I'm able to log in to my server using local credentials:

[20150304-13:02:03] [INFO ] listening...
[20150304-13:25:06] [INFO ] granted TS access to user manderson
[20150304-13:25:06] [INFO ] starting X11rdp session...
[20150304-13:25:06] [CORE ] X server running - user manderson - pid 4822
[20150304-13:25:06] [INFO ] starting xrdp-sessvc - xpid=4822 - wmpid=4836
[20150304-13:25:06] [CORE ] using keyboard layout: 0x409 (us)
[20150304-13:25:06] [DEBUG] execve parameter list: 3
[20150304-13:25:06] [DEBUG] argv[0] = setxkbmap
[20150304-13:25:06] [DEBUG] argv[1] = us
[20150304-13:25:06] [DEBUG] argv[2] = (null)
[20150304-13:25:15] [INFO ] session 4821 - user manderson - terminated
But when I try to log in w/ my domain creds, the log doesn't update.
I've adjusted /etc/pam.d/xrdp-sesman from:

#%PAM-1.0
auth include common-auth
account include common-account
to

auth include system-auth
account include system-auth
and the xrdp-sesman.log doesn't update when I try to log in w/ my domain creds.
I've also tried copying the settings for the gdm and ssh pam.d files, no help.
Anyone made this work?
Edit: whoops, forgot the /var/log/messages entry

Mar 4 13:26:58 pesjmp1 xrdp-sesman: pam_winbind(xrdp-sesman:auth): getting password (0x00000390)
Mar 4 13:26:58 pesjmp1 xrdp-sesman: pam_winbind(xrdp-sesman:auth): pam_get_item returned a password
Mar 4 13:26:58 pesjmp1 xrdp-sesman: pam_winbind(xrdp-sesman:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
and this user account works when logging in via the console (it's a vm).
Thanks

Edit2: Shoot
So I can log in w/ my original user, manderson, via xrdp. I cannot log in via the local account I just created. I get the same error.
Error message for all accounts in the xrdp session that are unable to login:


connecting to sesman ip 127.0.0.1 port 3350
sesman connect ok
sending login info to sesman
login failed

jmozdzen
05-Mar-2015, 13:27
Hi sysengPS,
> auth include system-auth
> account include system-auth

is it intentional that you used "system-auth" in both cases, rather than "system-account" in the second include statement?

And what statements are in the file "system-auth"?

Regards,
Jens

sysengPS
05-Mar-2015, 16:21
I see that it should be system-account on the second line. I've made the correction.
And silly me, system-auth and system-account don't exist in that directory. Only common-account, common-auth, common-password & common-session. This is what happens when I read tutorials online: sometimes not all of the instructions make it through.
Do you know how I can create these system-auth and system-account files, or if they're actually needed for xrdp to authenticate w/ AD?

Thanks for your help.

jmozdzen
05-Mar-2015, 16:36
Hi sysengPS,

> I see that it should be system-account on the second line. I've made the correction.
> And silly me, system-auth and system-account don't exist in that directory. Only common-account, common-auth, common-password & common-session. This is what happens when I read tutorials online: sometimes not all of the instructions make it through.
> Do you know how I can create these system-auth and system-account files, or if they're actually needed for xrdp to authenticate w/ AD?

you can create them with your favorite text editor, i.e. "vi" :)

Those files are only there to provide common definitions that you can include in various PAM files, so that you do not have to repeat common settings over and over again. So whether you actually need these files depends on whether the settings in common-* are sufficient... and even if not, you might want to simply put differing definitions into the few files where you actually need them.

In other words: If your common definitions are already set to suit your needs (and those of xrdp-sesman), then stick with including those files. No need for extra turns.

I cannot be too helpful on the PAM authentication via AD issue, but have seen tutorials on which modules to include when, on the SAMBA pages. Search key is "pam_winbind"... and may I assume the mentioned tutorial is https://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx ? Then have a look at figure 16, where a (combined) PAM file is shown that includes pam_winbind.

I strongly suggest reading up on PAM and its modules, to get an idea what you're doing there. It looks like the above article does include a short introduction, but I have not read enough to judge its quality.

Regards,
Jens
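A check I'd add at this point, as example code written for this thread (not from xrdp, SLES or anyone posting here): a small Python parser that flattens a PAM service file the way Linux-PAM does (an `include` pulls in the target's lines of the same type) and reports include targets that do not exist in the pam.d directory, which is exactly what went wrong with the missing system-auth/system-account files above. The fixture is constructed from the configs posted in this thread and written to a temp directory; `resolve_pam_chain` and `build_fixture` are names I chose.

```python
import os
import re
import tempfile

# "type control module [args]"; control may be a word (required, include)
# or a bracketed form such as "[success=1 default=ignore]".
PAM_LINE = re.compile(
    r"^\s*(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def resolve_pam_chain(service, pamd_dir, _stack=()):
    """Flatten a PAM service file into (chain, missing): chain holds (type,
    control, module, args) tuples with each `include` replaced by the target's
    lines of the *same type* (Linux-PAM semantics); missing lists absent targets."""
    chain, missing = [], []
    if service in _stack:                          # refuse include loops
        return chain, missing
    with open(os.path.join(pamd_dir, service)) as f:
        for raw in f:
            m = PAM_LINE.match(raw.split("#", 1)[0].rstrip())
            if not m:                              # comment or blank line
                continue
            ptype, control, module, args = m.groups()
            if control in ("include", "substack"):
                if not os.path.isfile(os.path.join(pamd_dir, module)):
                    missing.append((ptype, module))
                    continue
                sub, sub_missing = resolve_pam_chain(
                    module, pamd_dir, _stack + (service,))
                chain.extend(e for e in sub if e[0] == ptype)
                missing.extend(sub_missing)
            else:
                chain.append((ptype, control, module, args.strip()))
    return chain, missing

def build_fixture():
    """Constructed copy of the thread's files in a temp dir (sample data)."""
    d = tempfile.mkdtemp()
    files = {
        "common-auth": "auth required pam_env.so\nauth sufficient pam_unix2.so\n"
                       "auth required pam_winbind.so use_first_pass\n",
        "common-account": "account requisite pam_unix2.so\naccount sufficient "
                          "pam_localuser.so\naccount required pam_winbind.so use_first_pass\n",
        "xrdp-sesman": "#%PAM-1.0\nauth include common-auth\naccount include common-account\n",
        # the thread's first attempt: includes files that do not exist
        "xrdp-sesman.broken": "auth include system-auth\naccount include system-account\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(body)
    return d
```

Run it against a real host with `resolve_pam_chain("xrdp-sesman", "/etc/pam.d")`; an empty chain plus a non-empty `missing` list is the silent failure mode this thread hit, since PAM has nothing to authenticate with and sesman just reports "login failed".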

sysengPS
05-Mar-2015, 16:48
> Hi sysengPS,
>
> you can create them with your favorite text editor, i.e. "vi" :)
>
> Those files are only there to provide common definitions that you can include in various PAM files, so that you do not have to repeat common settings over and over again. So whether you actually need these files depends on whether the settings in common-* are sufficient... and even if not, you might want to simply put differing definitions into the few files where you actually need them.
>
> In other words: If your common definitions are already set to suit your needs (and those of xrdp-sesman), then stick with including those files. No need for extra turns.
>
> I cannot be too helpful on the PAM authentication via AD issue, but have seen tutorials on which modules to include when, on the SAMBA pages. Search key is "pam_winbind"... and may I assume the mentioned tutorial is https://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx ? Then have a look at figure 16, where a (combined) PAM file is shown that includes pam_winbind.
>
> I strongly suggest reading up on PAM and its modules, to get an idea what you're doing there. It looks like the above article does include a short introduction, but I have not read enough to judge its quality.
>
> Regards,
> Jens

Thanks very much for the link, it's pretty informative.
However, I keep going back to the fact that I'm able to log in to the vm via gdm, using my AD credentials. However, when I put the gdm file contents into xrdp-sesman, it doesn't allow me to authenticate using AD credentials.

And I take it back, that's not true. Apparently, the first time I copied the contents of the gdm file, I didn't copy all of the contents. I just made a backup of xrdp-sesman, copied gdm to xrdp-sesman, and was able to log in to xrdp using AD credentials.

Jens, thank you so much for your assistance. It's been invaluable!

sysengPS
05-Mar-2015, 19:48
So of course I spoke too soon. I have it working on the first machine, and it doesn't work on the second machine.
First machine's /etc/pam.d/xrdp-sesman

#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
and it's identical to the second machine's xrdp-sesman


#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
Second machine's common-auth

#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_winbind.so use_first_pass
Second machine's common-account


#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Account-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the accountorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass
Second machine's common-password


#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.
#
password sufficient pam_winbind.so
password requisite pam_pwcheck.so nullok cracklib
password required pam_unix2.so use_authtok nullok

and second machine's common-session


#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive
#
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session required pam_winbind.so
session optional pam_umask.so

All the pam_*.so files are in /lib/security, so now I'm at a loss again.
See anything weird here Jens?

Sorry, forgot to mention that the error is the same as I was getting on the first machine. ... sending login info to sesman, login failed. I've also checked the FW, and I don't see any traffic leaving the machine heading to the DC.

Thanks again.

maybe last edit: same log entries in xrdp-sesman.log and in /var/log/messages:


Mar 5 13:43:19 pesuajmp1 xrdp-sesman: pam_winbind(xrdp-sesman:auth): getting password (0x00000390)
Mar 5 13:43:19 pesuajmp1 xrdp-sesman: pam_winbind(xrdp-sesman:auth): pam_get_item returned a password
Mar 5 13:43:19 pesuajmp1 xrdp-sesman: pam_winbind(xrdp-sesman:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user

And I'm able to login via GDM.
Don't think there was anything else :)

sysengPS
05-Mar-2015, 20:25
I'm going to throw things.
I've been trying to log in w/ domain\username. I just changed that to username@domain.com, and it let me in. I'm able to log in to the first box using domain\username.
Dunno, but I'm in. Thanks! :)