[webmin-l] PAM Authentication
Derrick Krieger
2011-10-03 16:20:32 UTC
Hello all,

I am currently working on integrating Likewise Enterprise into our environment to authenticate all non-Windows systems to Active Directory. I am having trouble getting webmin authentication to work, though. My issue is that webmin records a "non-existent" user and fails the logon. If I first log on with the same account through SSH and then try webmin, the webmin login works fine. Both PAM modules for ssh and webmin are configured the same and point to system-auth.

The problem only seems to be an issue when I try to use "Members of a group.." and the group is an Active Directory domain group. A domain user works fine; a local system user or group also works fine. I can't seem to figure out how to turn on enough debugging to diagnose.

Any thoughts? Thanks.

==============================
Red Hat Enterprise Linux Server 5.7
Webmin 1.560
perl-Authen-PAM-0.16-8.el5
perl, v5.8.8
==============================
Jamie Cameron
2011-10-03 20:36:56 UTC
Do you perhaps have any non-standard PAM authentication steps set up, such as
requirements that the user use an OTP device?
Also, what gets logged to /var/log/authlog or /var/log/secure when the
Webmin login fails?
- Jamie
Derrick Krieger
2011-10-03 21:17:08 UTC
No OTP devices.

In /var/log/secure it records the ID that I attempted with and the right host IP.

<hostname> webmin[12553]: Non-existent login as <userid> from <valid ip>

If, at a shell prompt, I run the id command with the user id I am testing with, it returns the id and the group memberships. It will then work in webmin. But it is only temporary.

On the same system I tested SSH and also Apache with mod_auth_pam and a custom .htaccess file limited to the same group I have configured in webmin. Without "pre-caching" the ID, SSH and Apache work but Webmin does not. Once I run a command such as id <userid>, Webmin also works.
Jamie Cameron
2011-10-03 23:22:14 UTC
That "Non-existent login" message means that Webmin couldn't find the Unix
user that you are trying to log in as..
I assume you have NSS-LDAP set up to make Active Directory users visible to
Linux? I wonder if perhaps your Linux system isn't getting groups from
Active Directory as well.
One option to enable more debugging is to edit /etc/webmin/miniserv.conf and
add the line debuglog=/var/webmin/miniserv.debug, then restart Webmin. Then
you can check what gets logged to miniserv.debug after a failed login..
Derrick Krieger
2011-10-04 12:44:04 UTC
With the debuglog entry in place, I only get the following entries (tail -f /var/webmin/webmin.debug) in the log on a failed attempt:

START "script=session_login.cgi"
READ "/etc/webmin/miniserv.conf"
READ "/usr/libexec/webmin/blue-theme/config"
READ "/etc/webmin/custom-lang"
READ "/etc/sysconfig/network"
READ "/usr/libexec/webmin//defaultacl"
READ "/etc/webmin/.acl"
CMD "cmd=hostname"
CMD "cmd=hostname -f"
READ "/usr/libexec/webmin//module.info"
STOP "runtime=0"

Is there something else I need enabled?

Also, I agree to an extent about the data being visible to Linux. I have my Webmin Unix authentication set to leverage a group. When I do just an account it is fine. If I do a getent group <groupname> it exists but has no members. If I run id <username> with the account I want to use and then do the getent group <groupname>, the group has the member and all works.

I have the same issue open with the vendor (Likewise), but I am caught because the PAM authentication is currently not working only with Webmin. If I use the user and group in other configurations such as SSH or Apache with basic auth, they will work. After authentication is successful in those services, I can run getent group <groupname> and it is populated with the ID I just used.
Jamie Cameron
2011-10-04 18:25:00 UTC
Ok, I am pretty sure that the issue is the group not showing up until you
run "id" on the user .. this is almost certainly confusing Webmin as well,
as it checks for group membership as part of the authentication process.
I suspect that if you fix this so that getent works from the command line,
Webmin will start working as well..

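The membership check Jamie describes can be reproduced outside Webmin. The script below is an added example for this thread, not Webmin's or Likewise's code. It asks the same question two ways: the group-side view (the member list that "getent group" prints, gr_mem) and the user-side view (the group list that "id" prints, getgrouplist). The user and group names and the FakeNss snapshot are constructed to mirror the state Derrick reports, where the domain group resolves with an empty member list while the user's own group list already contains it; with two arguments the script queries the live system through the pwd/grp modules instead.

```python
"""Diagnose the two ways a Unix service can answer "is USER in GROUP?".

Added example for the webmin-l thread; not Webmin's code. It models the gap
described there: `getent group <name>` (group-side view, gr_mem) shows no
members until `id <user>` (user-side view, getgrouplist) has run, so a
service that only consults the group-side view reports the user as absent.
"""
import grp
import os
import pwd
from types import SimpleNamespace


class RealNss:
    """Thin wrapper over the live NSS database (glibc pwd/grp/getgrouplist)."""

    def getpwnam(self, user):
        return pwd.getpwnam(user)

    def getgrnam(self, group):
        return grp.getgrnam(group)

    def getgrouplist(self, user, primary_gid):
        return os.getgrouplist(user, primary_gid)


class FakeNss:
    """Constructed NSS snapshot reproducing the 'empty gr_mem' state."""

    def __init__(self, users, groups, memberships):
        # users: name -> (uid, primary gid); groups: name -> (gid, [members]);
        # memberships: user name -> gids the provider returns for `id`.
        self._users = users
        self._groups = groups
        self._memberships = memberships

    def getpwnam(self, user):
        if user not in self._users:
            raise KeyError(user)  # same failure mode as pwd.getpwnam
        uid, gid = self._users[user]
        return SimpleNamespace(pw_name=user, pw_uid=uid, pw_gid=gid)

    def getgrnam(self, group):
        if group not in self._groups:
            raise KeyError(group)
        gid, members = self._groups[group]
        return SimpleNamespace(gr_name=group, gr_gid=gid, gr_mem=list(members))

    def getgrouplist(self, user, primary_gid):
        return self._memberships.get(user, [primary_gid])


def diagnose(user, group, nss=None):
    """Return how USER/GROUP resolve: user_found, group_found, group_side,
    user_side, and a one-line verdict."""
    nss = nss or RealNss()
    result = {"user_found": True, "group_found": True,
              "group_side": False, "user_side": False}
    try:
        pw = nss.getpwnam(user)
    except KeyError:
        # This is the state behind Webmin's "Non-existent login" message.
        result.update(user_found=False, verdict="user not resolvable via NSS")
        return result
    try:
        gr = nss.getgrnam(group)
    except KeyError:
        result.update(group_found=False, verdict="group not resolvable via NSS")
        return result

    # Group-side view: the member list `getent group <group>` prints.
    result["group_side"] = user in gr.gr_mem
    # User-side view: the list `id <user>` prints; primary gid counts too.
    gids = set(nss.getgrouplist(user, pw.pw_gid))
    result["user_side"] = gr.gr_gid in gids or pw.pw_gid == gr.gr_gid

    if result["group_side"] and result["user_side"]:
        result["verdict"] = "member (both views agree)"
    elif result["user_side"]:
        result["verdict"] = "member by user-side lookup only (group member list empty or stale)"
    elif result["group_side"]:
        result["verdict"] = "listed in group entry but absent from user's group list"
    else:
        result["verdict"] = "not a member"
    return result


# Constructed snapshot (hypothetical names): the domain group resolves with an
# empty member list, but the user's own group list already includes it.
THREAD_SNAPSHOT = FakeNss(
    users={"ddomainuser": (10001, 10000)},
    groups={"domainusers": (10000, []), "webmin-admins": (10005, [])},
    memberships={"ddomainuser": [10000, 10005]},
)

if __name__ == "__main__":
    import sys
    # Usage: nss_diag.py <user> <group> for the live system; no args = snapshot
    if len(sys.argv) == 3:
        print(diagnose(sys.argv[1], sys.argv[2]))
    else:
        print(diagnose("ddomainuser", "webmin-admins", THREAD_SNAPSHOT))
        print(diagnose("nobody-here", "webmin-admins", THREAD_SNAPSHOT))
```

A "member by user-side lookup only" verdict is the signature of the symptom in this thread: the service's group-side check fails while ssh and Apache, which initialise the user's own group list during login, succeed. The mismatch sits in the NSS provider rather than in the consuming service, which is why Jamie points at getent rather than at Webmin's PAM configuration.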
Derrick Krieger
2011-10-04 19:24:30 UTC
Agreed. For now, I have worked around the problem by creating a generic webmin user that does not have access to anything. Then, in the User Configuration, I added All Users as <genericwebminuser>. This allows anybody to authenticate. I then have follow-on entries for specific Domain Groups to match up to certain Webmin groups for various authorization models. Not sure if it was intended to work this way or not, but this "pass-thru" model sure has saved me from coming up with a more complicated workaround.

It seems that if I have webmin configured to only allow a specific domain group, webmin determines whether the account exists by checking membership of the identified group and in this case returns Non-existent, as validated by the getent command. The workaround allows me to authenticate the user without going against any groups and then get certain authorization based on a domain group.

Ultimately, I am not sure where the root issue lies, but I will also continue to work with Likewise on the group enumeration at the system level. I believe that Authen::PAM may also still play a role, considering other PAM-based authentication mechanisms work. The other mechanisms seem to trigger a "refresh" of the group memberships from the domain.
Derrick Krieger
2011-10-04 12:45:33 UTC
Also, my nsswitch is configured for local and Likewise:

passwd: files lsass
shadow: files
group: files lsass