[Samba] winbind, ads, win2k3, trusted domains, user mapping [UPDATED]

Jason Gerfen jason.gerfen at scl.utah.edu
Thu May 22 18:25:51 GMT 2008


Forget my pam stack data

auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_krb5.so use_first_pass
auth       required     pam_deny.so

account    required     pam_unix.so
account    sufficient   pam_krb5.so ignore_root
account    sufficient   pam_winbind.so

password   optional     pam_krb5.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   required     pam_deny.so

session    required     pam_mkhomedir.so umask=0000 skel=/etc/skel/ silent
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_krb5.so


Linux Addict wrote:
> On Thu, May 22, 2008 at 2:03 PM, Jason Gerfen <jason.gerfen at scl.utah.edu> wrote:
>> UPDATE
>> Jason Gerfen wrote:
>>> I have been reading everything I can regarding this setup but am having a
>>> problem that I am unsure of.
>>>
>>> I am unable to authenticate any user despite the following commands
>>> working:
>>> %> getent passwd <username>
>>> %> wbinfo -u
>>> %> wbinfo -g
>>>
>>> With the getent passwd I am able to see all of my UID/GID being mapped via
>>> winbind to the rid of the domain user account.
>>>
>>> This command fails:
>>> %> wbinfo -i <username>
>> This command works
>> %> wbinfo --krb5auth=smb%password
>>
>> From a windows machine this fails
>> %> net use x: \\server.domain.com\share /user:smb
>>
>>> And in the log files when attempting to authenticate against this machine
>>> by mapping a share the following is seen in the log files:
>>> check_ntlm_password:  Checking password for unmapped user
>>> [server.domain.edu]\[username]@[DC] with the new password interface
>>>
>>> This is inaccurate as with a krb5 tgt the correct line should look like:
>>> check_ntlm_password:  Checking password for unmapped user
>>> [server.domain.edu]\[username]@[REALM.EDU] with the new password interface
>>>
>>> Unless I am missing something I believe my configuration shown below is
>>> accurate and as of yet I have not received any real answer to this problem.
>>>
>>> Any help is appreciated.
>>>
>>> Here is my smb.conf
>>> [global]
>>>        workgroup = scl
>>>        realm = SCL.DOMAIN.EDU
>>>        server string = valhalla.scl.domain.edu
>>>        netbios name = valhalla
>>>
>>>        password server = *
>>>        encrypt passwords = true
>>>        security = ads
>>>
>>>        os level = 20
>>>
>>>        allow trusted domains = no
>>>
>>>        ldap ssl = no
>>>
>>>        idmap uid = 5000-2000000
>>>        idmap gid = 5000-2000000
>>>        idmap domains = SCL
>>>
>>>        interfaces = eth0, lo
>>>        bind interfaces only = yes
>>>
>>>        log level = 20
>>>        log file = /var/log/samba3/log.%m
>>>        max log size = 50
>>>
>>>        client signing = yes
>>>        client schannel = no
>>>        client use spnego = yes
>>>
>>>        preferred master = no
>>>        local master = no
>>>        domain master = no
>>>        wins proxy = no
>>>        dns proxy = No
>>>
>>>        template shell = /bin/bash
>>>        nt acl support = yes
>>>        create mask = 0775
>>>        template homedir = /home/%U
>>>
>>>        winbind uid = 500-2000000
>>>        winbind gid = 500-2000000
>>>        winbind separator = +
>>>        winbind enum users = yes
>>>        winbind enum groups = yes
>>>        winbind nested groups = yes
>>>        winbind use default domain = yes
>>>        winbind offline logon = true
>>>
>>>        printcap name = cups
>>>        printing = cups
>>>        load printers = yes
>>>        cups options = raw
>>>        print command =
>>>        lpq command = %p
>>>        lprm command =
>>>
>>> [test]
>>>        comment = testing
>>>        browsable = yes
>>>        read only = yes
>>>        create mode = 0644
>>>        path = /home/jason
>>>
>>> Here is my krb5.conf
>>> [libdefaults]
>>>        default_realm = UTAH.EDU
>>>
>>> [realms]
>>>        UTAH.EDU = {
>>>                kdc = 155.99.1.95
>>>        }
>>>
>>> [domain_realm]
>>>        .utah.edu = DOMAIN.EDU
>>>        DOMAIN.EDU = DOMAIN.EDU
>>>        scl.DOMAIN.EDU = DOMAIN.EDU
>>>
>>> [logging]
>>>        default = FILE:/var/log/krb5.log
>>>
>>> [appdefaults]
>>>        pam = {
>>>                ticket_lifetime = 365d
>>>                renew_lifetime = 365d
>>>                forwardable = true
>>>                proxiable = false
>>>                retain_after_close = true
>>>                minimum_uid = 0
>>>        }
>>>
>>> The nsswitch.conf file:
>>> passwd:      compat winbind
>>> shadow:      compat
>>> group:       compat winbind
>>>
>>> # passwd:    db files nis
>>> # shadow:    db files nis
>>> # group:     db files nis
>>>
>>> hosts:       files dns wins
>>> networks:    files
>>>
>>> services:    db files
>>> protocols:   db files
>>> rpc:         db files
>>> ethers:      db files
>>> netmasks:    files
>>> netgroup:    files
>>> bootparams:  files
>>>
>>> automount:   files
>>> aliases:     files
>>>
>>>
>>
>> --
>> Jas
>>
> 
> Have you checked your PAM configuration? What do you see on /var/log/secure?


-- 
Jas
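The reply above asks about the PAM configuration, and the stack at the top of this message mixes required and sufficient entries. As an added example (not code from the thread), the script below applies the control-flag rules from pam.conf(5) to a constructed copy of the posted auth and account stacks; the per-module outcomes it feeds in are assumed inputs, chosen to show what the stack as written returns.

```python
# Added example: Linux-PAM control-flag semantics (pam.conf(5)) applied to a
# constructed copy of the posted auth/account stacks; module outcomes below
# are assumed inputs for illustration, not observed behaviour of that host.
PAM_STACK = """\
auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_krb5.so use_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
account    sufficient   pam_krb5.so ignore_root
account    sufficient   pam_winbind.so
"""


def parse_stack(text, mgmt_type):
    """Return [(control, module)] entries for one type (auth, account, ...)."""
    rows = (line.split() for line in text.splitlines())
    return [(f[1], f[2]) for f in rows if len(f) >= 3 and f[0] == mgmt_type]


def run_stack(entries, results):
    """Evaluate a stack; results maps module name -> True/False outcome."""
    verdict = None  # None = undecided, True = success so far, False = failed
    for control, module in entries:
        # pam_deny always fails; modules not listed in results are assumed to pass.
        ok = results.get(module, module != "pam_deny.so")
        if control in ("required", "requisite") and not ok:
            verdict = False             # required: record failure, keep going
            if control == "requisite":  # requisite: stop at once
                break
        elif control == "sufficient" and ok and verdict is not False:
            return True                 # sufficient success ends the stack early
        elif ok and verdict is None and control != "sufficient":
            verdict = True              # required/optional success when undecided
    return bool(verdict)  # undecided (every sufficient module failed) is denied


def domain_user_auth(winbind=False, unix=False, krb5=True):
    """auth stack: failed sufficient modules are skipped until one passes."""
    return run_stack(parse_stack(PAM_STACK, "auth"),
                     {"pam_winbind.so": winbind, "pam_unix.so": unix, "pam_krb5.so": krb5})


def domain_user_account(unix=False, krb5=False, winbind=True):
    """account stack: 'required pam_unix' is listed first, so a failure there
    cannot be rescued by the later 'sufficient pam_winbind' success."""
    return run_stack(parse_stack(PAM_STACK, "account"),
                     {"pam_unix.so": unix, "pam_krb5.so": krb5, "pam_winbind.so": winbind})
```

Swapping the assumed outcomes shows which module each phase actually hinges on, which is the first thing to compare against what the PAM debug output in the system log reports for a failed logon.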

