[Samba] Samba as domain member server cannot authenticate users
Breno Moiana
bm.lists at gmail.com
Tue Apr 26 12:50:54 GMT 2005
This problem was already described in a very similar way in Oct 2004
in the following message:
[http://lists.samba.org/archive/samba/2004-October/094683.html]
As no solution was found so far, I am re-posting it in the hope that
somebody can help.
=================================================
Situation:
- A Windows 2000 domain with Active Directory up and running.
- A Samba server with fileshares and printers. Debian Sarge, Samba 3.0.10
- Windows clients
Objective:
- To have Windows users being able to transparently map fileshares on
the Linux server, and to print to these Linux printers without having
to enter a separate password for the Linux shares/printers. The Linux
server should accept the Windows logged-in user.
What I have accomplished:
Installed Samba, it worked fine with local authentication.
Changed the Samba configuration and installed winbind, and changed the
/etc/nsswitch.conf, /etc/pam.d/login, so I could log in to the Linux
machine using the Windows AD authentication.
With those changes, I can successfully log in to the Linux server with
a Windows user.
What is missing:
With this setup, I can't access the fileshares when I try to map them
from a Windows client. The Linux server requests the password, and I
try to enter "username", "domain\username", "username at domain",
"\\domain\username", "DOMAIN\username", and nothing works.
Diagnostics:
When I try to access a share from a Windows machine, the
/var/log/samba/log.machinename reports this:
---log---
[2005/04/25 18:51:13, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User MYDOMAIN\username!
---/log---
However, if I log on locally, the user MYDOMAIN\username is a valid one!
I have stripped out the comments, and post my smb.conf
below (mydomain being my domain, and username# being valid usernames):
---smb.conf---
[global]
workgroup = mydomain
server string = %h server (Samba %v)
include = /etc/samba/dhcp.conf
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = domain
password server = *
encrypt passwords = true
passdb backend = tdbsam guest
obey pam restrictions = yes
guest account = nobody
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY
domain master = no
local master = no
preferred master = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
[testshare]
comment = Testing share
writable = yes
path = /fileshare/testshare
write list = username1,username2
force create mode = 0775
force directory mode = 6775
---/smb.conf---
Something is wrong, I just couldn't figure out what. I believe it to be
something to make Samba "talk" to winbindd, identifying the users.
If I find out the answer, I will post it here.
Thanks very much for the attention!
Best Regards!
Breno Moiana.
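
Added example, not part of the original post and not Samba project code: a small Python triage helper that pairs the smb_pam_accountcheck rejection in the log with the `obey pam restrictions` setting in smb.conf. That setting is what makes smbd run PAM account checks, and smbd does so under its own PAM service ("samba"), not the `login` service. The sample log and config are constructed from the excerpts above, and the function names are hypothetical.

```python
import re

# Constructed sample input modelled on the post (log message wrapped as in the mail).
SAMPLE_LOG = """\
[2005/04/25 18:51:13, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting
User MYDOMAIN\\username!
[2005/04/25 18:51:20, 1] smbd/service.c:make_connection_snum(648)
  client1 connect to service testshare
"""
SAMPLE_CONF = "[global]\nsecurity = domain\nobey pam restrictions = yes\n[testshare]\npath = /fileshare/testshare\n"

# Samba 3 log entry: "[timestamp, level] file.c:function(line)" then message lines.
HEADER = re.compile(r"^\[([^,\]]+),\s*(\d+)\]\s+([^:\s]+):(\w+)\((\d+)\)")
REJECT = re.compile(r"Account Validation Failed - Rejecting User (.+?)!?$")

def parse_globals(conf_text):
    """Return [global] parameters; names lower-cased, inner whitespace collapsed."""
    section, params = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def pam_account_rejections(log_text):
    """Group message lines under their header; return (timestamp, user) per rejection."""
    entries = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m.group(1), m.group(4), ""])
        elif entries:  # continuation, including a mail-wrapped message line
            entries[-1][2] = (entries[-1][2] + " " + line.strip()).strip()
    hits = [(ts, REJECT.search(msg)) for ts, func, msg in entries
            if func == "smb_pam_accountcheck"]
    return [(ts, r.group(1)) for ts, r in hits if r]

def diagnose(conf_text, log_text):
    """Tie each rejection to the setting that enables smbd's PAM account check."""
    g = parse_globals(conf_text)
    enabled = g.get("obey pam restrictions", "no").lower() in ("yes", "true", "1")
    return [{"time": ts, "user": user, "security": g.get("security"),
             "pam_account_check_enabled": enabled}
            for ts, user in pam_account_rejections(log_text)]
```

A result with `pam_account_check_enabled` set to True means the rejection came from the account stack of smbd's PAM service, so that stack is the place to check whether winbind-resolved domain users are accepted.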