Zentyal Forum, Linux Small Business Server
Zentyal Server => Directory and Authentication => Topic started by: JLLEWELYN on January 21, 2019, 06:23:50 am
-
Hello to the Zentyal team and its users.
I have spent several months trying to find the solution to this problem, which appears when installing the graphical interface zenbuntu-desktop or ubuntu-desktop: the screen gets stuck in a login loop when I try to enter my desktop. When I log in, the screen turns black and soon after the login screen reappears.
I took on the job of running several tests until I found the problem: the following files are modified.
After installing the Active Directory Domain Controller module,
it modifies the files:
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive
administrator@servidor:~$ diff /etc/pam.d/common-account.backup /etc/pam.d/common-account
16,19c16,20
< # here are the per-package modules (the "Primary" block)
< account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
< # here's the fallback if no module succeeds
< account requisite pam_deny.so
---
> # pre_auth-client-config # # here are the per-package modules (the "Primary" block)
> # pre_auth-client-config # account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
> # pre_auth-client-config # account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
> # pre_auth-client-config # # here's the fallback if no module succeeds
> # pre_auth-client-config # account requisite pam_deny.so
23,25c24,30
< account required pam_permit.so
< # and here are more per-package modules (the "Additional" block)
< # end of pam-auth-update config
---
> # pre_auth-client-config # account required pam_permit.so
> # pre_auth-client-config # # and here are more per-package modules (the "Additional" block)
> # pre_auth-client-config # # end of pam-auth-update config
> account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
> account requisite pam_deny.so
> account required pam_permit.so
> account sufficient pam_localuser.so
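Review bot: `account sufficient pam_localuser.so` is appended after `account required pam_permit.so`, the last line of the active stack, where a `sufficient` result can no longer short-circuit anything. If it is meant to let local users skip a later check, it has to sit before that check; as placed here it can be dropped.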
administrator@servidor:~$ diff /etc/pam.d/common-auth.backup /etc/pam.d/common-auth
16,19c16,20
< # here are the per-package modules (the "Primary" block)
< auth [success=1 default=ignore] pam_unix.so nullok_secure
< # here's the fallback if no module succeeds
< auth requisite pam_deny.so
---
> # pre_auth-client-config # # here are the per-package modules (the "Primary" block)
> # pre_auth-client-config # auth [success=2 default=ignore] pam_unix.so nullok_secure
> # pre_auth-client-config # auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> # pre_auth-client-config # # here's the fallback if no module succeeds
> # pre_auth-client-config # auth requisite pam_deny.so
23,26c24,31
< auth required pam_permit.so
< # and here are more per-package modules (the "Additional" block)
< auth optional pam_cap.so
< # end of pam-auth-update config
---
> # pre_auth-client-config # auth required pam_permit.so
> # pre_auth-client-config # # and here are more per-package modules (the "Additional" block)
> # pre_auth-client-config # auth optional pam_cap.so
> # pre_auth-client-config # # end of pam-auth-update config
> auth [success=1 default=ignore] pam_unix.so nullok_secure
> auth requisite pam_deny.so
> auth required pam_permit.so
> auth optional pam_cap.so
administrator@servidor:~$ diff /etc/pam.d/common-password.backup /etc/pam.d/common-password
24,27c24,29
< # here are the per-package modules (the "Primary" block)
< password [success=1 default=ignore] pam_unix.so obscure sha512
< # here's the fallback if no module succeeds
< password requisite pam_deny.so
---
> # pre_auth-client-config # # here are the per-package modules (the "Primary" block)
> # pre_auth-client-config # password requisite pam_pwquality.so retry=3
> # pre_auth-client-config # password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
> # pre_auth-client-config # password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
> # pre_auth-client-config # # here's the fallback if no module succeeds
> # pre_auth-client-config # password requisite pam_deny.so
31,34c33,40
< password required pam_permit.so
< # and here are more per-package modules (the "Additional" block)
< password optional pam_gnome_keyring.so
< # end of pam-auth-update config
---
> # pre_auth-client-config # password required pam_permit.so
> # pre_auth-client-config # # and here are more per-package modules (the "Additional" block)
> # pre_auth-client-config # password optional pam_gnome_keyring.so
> # pre_auth-client-config # # end of pam-auth-update config
> password requisite pam_pwquality.so retry=3
> password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
> password requisite pam_deny.so
> password required pam_permit.so
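Review bot: `success=2` on the active pam_unix.so line still counts two lines to skip, but the pam_winbind.so line it was written for exists only in the commented-out copy above. A successful pam_unix.so now jumps over both `password requisite pam_deny.so` and `password required pam_permit.so` and runs off the end of the stack. With only pam_deny.so left to skip, the value should be `success=1`, as in the backup. The rewritten block also drops `password optional pam_gnome_keyring.so`, which the backup had.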
administrator@servidor:~$ diff /etc/pam.d/common-session.backup /etc/pam.d/common-session
15,18c15,18
< # here are the per-package modules (the "Primary" block)
< session [default=1] pam_permit.so
< # here's the fallback if no module succeeds
< session requisite pam_deny.so
---
> # pre_auth-client-config # # here are the per-package modules (the "Primary" block)
> # pre_auth-client-config # session [default=1] pam_permit.so
> # pre_auth-client-config # # here's the fallback if no module succeeds
> # pre_auth-client-config # session requisite pam_deny.so
22c22
< session required pam_permit.so
---
> # pre_auth-client-config # session required pam_permit.so
27,31c27,38
< session optional pam_umask.so
< # and here are more per-package modules (the "Additional" block)
< session required pam_unix.so
< session optional pam_systemd.so
< # end of pam-auth-update config
---
> # pre_auth-client-config # session optional pam_umask.so
> # pre_auth-client-config # # and here are more per-package modules (the "Additional" block)
> # pre_auth-client-config # session required pam_unix.so
> # pre_auth-client-config # session optional pam_winbind.so
> # pre_auth-client-config # session optional pam_systemd.so
> # pre_auth-client-config # # end of pam-auth-update config
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session optional pam_umask.so
> session required pam_unix.so
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
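Review bot: the rewritten active stack at the end of this hunk no longer contains `session optional pam_systemd.so`, which the backup had and which now survives only as a commented-out line. pam_systemd is the module that registers a login with systemd-logind, so it is the first line to restore, after pam_unix.so, when testing the graphical login. `session optional pam_winbind.so` is also present only in the commented copy here.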
administrator@servidor:~$ diff /etc/pam.d/common-session-noninteractive.backup /etc/pam.d/common-session-noninteractive
29a30
> session optional pam_winbind.so
-
Apparently nobody understands me. When I install gnome-desktop on Ubuntu Server with the zentyal package previously installed but without the zentyal-samba module,
I can log in to the graphical environment without problems.
After installing the zentyal-samba module, it is no longer possible to log in to the graphical environment,
all because the zentyal-samba module modifies the PAM authentication files.
/etc/pam.d/common-account
When ubuntu-desktop is installed:
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
After installing zentyal-samba:
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
Installing zentyal server from the ISO with graphic interface (zenbuntu-desktop):
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
/etc/pam.d/common-auth
When ubuntu-desktop is installed:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
After installing zentyal-samba:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
Installing zentyal server from the ISO with graphic interface (zenbuntu-desktop):
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
/etc/pam.d/common-password
When ubuntu-desktop is installed:
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
After installing zentyal-samba:
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
Installing zentyal server from the ISO with graphic interface (zenbuntu-desktop):
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
/etc/pam.d/common-session
When ubuntu-desktop is installed:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_systemd.so
After installing zentyal-samba:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
Installing zentyal server from the ISO with graphic interface (zenbuntu-desktop):
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
/etc/pam.d/common-session-noninteractive
When ubuntu-desktop is installed:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
After installing zentyal-samba:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_winbind.so
Installing zentyal server from the ISO with graphic interface (zenbuntu-desktop):
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_winbind.so
The part that I do not understand is why, when I install Zentyal Server from packages, the graphical environment "zenbuntu-desktop" or "ubuntu-desktop" on Ubuntu Server does not allow login either,
but installing Zentyal Server from the ISO with the graphical interface has no problems.
I want to try to correct this problem manually by modifying the template, which is this file:
/usr/share/zentyal/stubs/samba/acc-zentyal.mas
but I have no idea how to do it.
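An added example, not part of the original posts and not Zentyal code: a small Python audit that compares an active PAM stack against its backup and flags numeric jumps that skip every remaining module. The sample stacks are copied from the listings in the post; the function names are illustrative.

```python
import re
# Constructed input: active lines copied from the stacks quoted in the post.
SESSION_BEFORE = """\
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_systemd.so
"""
SESSION_AFTER = """\
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
"""
PASSWORD_AFTER = """\
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
"""
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text):
    """Return (type, control, module) for active lines; skip comments and @include."""
    lines = (l.strip() for l in text.splitlines())
    return [m.groups() for l in lines
            if l and l[0] not in "#@" and (m := LINE.match(l))]

def jump_overruns(text):
    """Numeric [value=N] jumps that land past the last module of the stack."""
    stack = parse_stack(text)
    return [(module, int(n))
            for i, (_, control, module) in enumerate(stack)
            for n in re.findall(r"=(\d+)\b", control)
            if i + int(n) + 1 >= len(stack)]

def module_changes(baseline, current):
    """Modules (dropped, added) in the active stack relative to the baseline."""
    old = {e[2] for e in parse_stack(baseline)}
    new = {e[2] for e in parse_stack(current)}
    return sorted(old - new), sorted(new - old)

if __name__ == "__main__":
    print("session dropped/added:", module_changes(SESSION_BEFORE, SESSION_AFTER))
    print("password jump overruns:", jump_overruns(PASSWORD_AFTER))
```

On a live system the same functions can be fed the contents of each `/etc/pam.d/common-*` file and its `.backup` copy.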