Fwd: [Samba] Winbind 3.0.26a cannot authenticate with ActiveDirectory

Douglas VanLeuven roamdad at sonic.net
Thu Feb 28 19:08:55 GMT 2008


Walter Huf wrote:
> I changed those lines, and nothing seemed to change.
> However, I remembered more information that I could include.
> getent passwd does not list domain users, only local users.
> 
> Sample lines from /var/log/samba/log.winbindd:
> [2008/02/22 14:13:21, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
>   Could not get unix ID
> [2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
>   error getting user id for sid S-1-5-21-2143970516-726479814-926709054-1840
> [2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)
>   could not lookup domain user otherusername
> 
> Does this help at all?
> Has anybody gotten Winbind 3.0.26a to authenticate successfully with Active
> Directory?

I can't specifically say 3.0.26a.  But I've been doing it since 3.0.6 or
something.  Like you I use sfu and the backend is ad.  Used to have to
merge the padl idmap_ad module patches to the source.

I used to run redhat, then fedora, now opensuse.  Each has its own
technique for setting up pam.  Here's the opensuse version for login, su
and sshd.  Each service includes a set of common configurations and
maybe some unique to the individual service.

I've found using the distro supplied software for configuring system
auth to be the easiest way to get a baseline.  In opensuse it's
pam-config.  In fedora it was system-config-authentication.

Anytime I mess with the auth methods, I stop nscd from running during
the tests.

pam.d/login
#%PAM-1.0
auth	 requisite	pam_nologin.so
auth	 [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad]	pam_securetty.so
auth	 include	common-auth
account  include 	common-account
password include	common-password
session  required	pam_loginuid.so	
session	 include	common-session
session  required	pam_lastlog.so	nowtmp
session  required	pam_resmgr.so
session  optional       pam_mail.so standard
session	 optional	pam_ck_connector.so

pam.d/su
#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session
session  optional       pam_xauth.so

pam.d/sshd
#%PAM-1.0
auth	 requisite	pam_nologin.so
auth     include        common-auth
account  include        common-account
password include        common-password
session	 required	pam_loginuid.so
session  include        common-session

pam.d/common-auth
auth	required	pam_env.so	
auth	sufficient	pam_unix2.so	
auth	sufficient	pam_ldap.so	use_first_pass
auth	required	pam_winbind.so	use_first_pass	

pam.d/common-account
account	requisite	pam_unix2.so	
account	sufficient	pam_localuser.so
account	sufficient	pam_ldap.so	use_first_pass
account	required	pam_winbind.so	use_first_pass	

pam.d/common-password
password	sufficient	pam_winbind.so	
password	requisite	pam_pwcheck.so	nullok cracklib remember=
password	sufficient	pam_unix2.so	use_authtok nullok
password	required	pam_ldap.so	try_first_pass use_authtok

pam.d/common-session
session	optional	pam_mkhomedir.so	
session	required	pam_limits.so	
session	required	pam_unix2.so	
session	optional	pam_ldap.so	
session	required	pam_winbind.so	
session	optional	pam_umask.so	umask=002

gate:~ # ssh FOREST\\doug at gate
Password:
Last login: Tue Feb 19 23:14:46 2008 from console
Have a lot of fun...
doug at gate:~> logout

Regards, Doug
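Since each service file above pulls in the common-* files via include, the stack PAM actually walks is only visible once those includes are expanded. The following added example (not from the thread or from Samba) flattens a service file into its effective per-type stack, handling the bracketed control syntax used for pam_securetty; the file contents are a constructed subset of the configs posted above.

```python
import re
# Constructed sample modelled on the pam.d files posted above (subset).
PAMD = {
    "login": """\
#%PAM-1.0
auth     requisite  pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth     include    common-auth
session  required   pam_loginuid.so
session  include    common-session
""",
    "common-auth": """\
auth required   pam_env.so
auth sufficient pam_unix2.so
auth sufficient pam_ldap.so    use_first_pass
auth required   pam_winbind.so use_first_pass
""",
    "common-session": """\
session optional pam_mkhomedir.so
session required pam_winbind.so
""",
}
# type, control (a word or a [bracketed action list]), module, optional args
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pamd(text):
    """Return (type, control, module, args) tuples, skipping comments/blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable pam line: {raw!r}")
        typ, control, module, args = m.groups()
        rules.append((typ, control, module, args.split()))
    return rules

def effective_stack(service, files=PAMD):
    """Expand include/substack into the flat stack PAM will actually walk."""
    out = []
    for typ, control, module, args in parse_pamd(files[service]):
        if control in ("include", "substack"):
            # only lines of the same management group are pulled in
            out += [r for r in effective_stack(module, files) if r[0] == typ]
        else:
            out.append((typ, control, module, args))
    return out

def modules_for(service, typ, files=PAMD):
    return [m for t, _, m, _ in effective_stack(service, files) if t == typ]
```

Pointing PAMD at real files read from /etc/pam.d lets you confirm that pam_winbind.so is reached in every management group for a given service before testing logins (with nscd stopped, as noted above).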
