Fwd: [Samba] Winbind 3.0.26a cannot authenticate with ActiveDirectory
Douglas VanLeuven
roamdad at sonic.net
Thu Feb 28 19:08:55 GMT 2008
Walter Huf wrote:
> I changed those lines, and nothing seemed to change.
> However, I remembered more information that I could include.
> getent passwd does not list domain users, only local users.
>
> Sample lines from /var/log/samba/log.winbindd:
> [2008/02/22 14:13:21, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
> Could not get unix ID
> [2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
> error getting user id for sid S-1-5-21-2143970516-726479814-926709054-1840
> [2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)
> could not lookup domain user otherusername
>
> Does this help at all?
> Has anybody gotten Winbind 3.0.26a to authenticate successfully with Active
> Directory?
I can't specifically say 3.0.26a. But I've been doing it since 3.0.6 or
something. Like you I use sfu and the backend is ad. Used to have to
merge the padl idmap_ad module patches to the source.

I used to run redhat, then fedora, now opensuse. Each has their own
technique for setting up pam. Here's the opensuse version for login and su
and sshd. Each service includes a set of common configurations and
maybe some unique to the individual service.

I've found using the distro supplied software for configuring system
auth to be the easiest way to get a baseline. In opensuse it's
pam-config. In fedora it was system-config-authentication.

Anytime I mess with the auth methods, I stop nscd from running during
the tests.

pam.d/login
#%PAM-1.0
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session required pam_lastlog.so nowtmp
session required pam_resmgr.so
session optional pam_mail.so standard
session optional pam_ck_connector.so

pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so

pam.d/sshd
#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session

pam.d/common-auth
auth required pam_env.so
auth sufficient pam_unix2.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_winbind.so use_first_pass

pam.d/common-account
account requisite pam_unix2.so
account sufficient pam_localuser.so
account sufficient pam_ldap.so use_first_pass
account required pam_winbind.so use_first_pass

pam.d/common-password
password sufficient pam_winbind.so
password requisite pam_pwcheck.so nullok cracklib remember=
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok

pam.d/common-session
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session optional pam_ldap.so
session required pam_winbind.so
session optional pam_umask.so umask=002

gate:~ # ssh FOREST\\doug at gate
Password:
Last login: Tue Feb 19 23:14:46 2008 from console
Have a lot of fun...
doug at gate:~> logout
Regards, Doug
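
An added illustration, not part of the message above and not code from Samba or PAM: a simplified model of how Linux-PAM control flags resolve the `auth` lines of the posted `pam.d/sshd` and `pam.d/common-auth`, showing when `pam_winbind.so` is actually consulted. The function names `expand` and `evaluate` are hypothetical, and each module's result is reduced to success or failure as an assumption.

```python
# Added example: simplified model of Linux-PAM control flags. Each module's
# result is reduced to True (PAM_SUCCESS) or False (any failure); names assumed.
STACKS = {  # auth lines copied from the posted pam.d/sshd and pam.d/common-auth
    "sshd": """auth requisite pam_nologin.so
auth include common-auth""",
    "common-auth": """auth required pam_env.so
auth sufficient pam_unix2.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_winbind.so use_first_pass""",
}

def expand(service, mgmt="auth"):
    """Flatten a service into (control, module) pairs, following 'include'."""
    pairs = []
    for line in STACKS[service].splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != mgmt:
            continue
        if fields[1] == "include":
            pairs.extend(expand(fields[2], mgmt))
        else:
            pairs.append((fields[1], fields[2]))
    return pairs

def evaluate(service, outcomes):
    """Return (granted, modules_consulted); modules missing from outcomes fail."""
    failed = passed = False
    consulted = []
    for control, module in expand(service):
        ok = outcomes.get(module, False)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted      # hard stop, nothing else runs
        if control == "required" and not ok:
            failed = True                # remembered; the stack keeps running
        if control == "sufficient" and ok and not failed:
            return True, consulted       # short-circuit: later modules skipped
        if control in ("required", "requisite") and ok:
            passed = True
    return passed and not failed, consulted

if __name__ == "__main__":
    base = {"pam_nologin.so": True, "pam_env.so": True}
    cases = {  # constructed scenarios, not taken from the thread
        "local user": {**base, "pam_unix2.so": True},
        "domain user": {**base, "pam_winbind.so": True},
        "bad password": base,
    }
    for name, outcomes in cases.items():
        print(name, evaluate("sshd", outcomes))
```

In this model a local account never reaches `pam_winbind.so`, while a domain account is granted only by the final `required` line, so a winbind failure there denies the login.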