[Samba] problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade

Rowland Penny rowlandpenny at googlemail.com
Fri Apr 25 12:11:22 MDT 2014


On 25/04/14 18:55, Geoff Rowland wrote:
>
> On 04/25/2014 01:40 PM, Rowland Penny wrote:
>> On 25/04/14 18:26, Geoff Rowland wrote:
>>>
>>> On 04/25/2014 01:21 PM, Rowland Penny wrote:
>>>> On 25/04/14 18:12, Geoff Rowland wrote:
>>>>> I had forgotten I changed my pam files to default...now I changed 
>>>>> them
>>>>> back to what I had before so that winbind shows up before pam_unix -
>>>>> and here is the output from auth.log:
>>>>>
>>>>> Apr 25 13:08:09 mycomputer lightdm: pam_winbind(lightdm:auth): getting password (0x00000000)
>>>>> Apr 25 13:08:15 mycomputer lightdm: pam_winbind(lightdm:auth): user
>>>>> 'growland' granted access
>>>>> Apr 25 13:08:15 mycomputer lightdm: pam_unix(lightdm:account): could
>>>>> not identify user (from getpwnam(growland))
>>>>> Apr 25 13:08:15 mycomputer lightdm: PAM unable to
>>>>> dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open
>>>>> shared object file: No such file or directory
>>>>>
>>>>> Returns with invalid password (but I know the password is correct)
>>>>>
>>>>>
>>>>> On 04/25/2014 11:41 AM, steve wrote:
>>>>>> On Fri, 2014-04-25 at 11:27 -0400, Geoff Rowland wrote:
>>>>>>
>>>>>>
>>>>>>> not sure what else to try?
>>>>>> Look at the log at the time of the login.
>>>>>>
>>>>>> Unless 14.04 has changed radically, I'd:
>>>>>> tail -f /var/log/syslog
>>>>>>
>>>>>> Anything?
>>>>>> HTH
>>>>>> Steve
>>>>>>
>>>>>>
>>>> sigh, I will try again, does 'getent passwd' show your domain users 
>>>> ???
>>>>
>>>> Rowland
>>>>
>>> getent passwd does not show my domain users...but it also does not
>>> show my domain users on my 12.04 box, which is working fine.
>>>
>>> wbinfo -u does show domain users.
>>>
>>> net ads testjoin says Join is OK
>>>
>>> klist shows ticket expires tomorrow
>>> (I do seem to have to kinit to get a new ticket every time i reboot
>>> the computer though?)
>> OK, last thing first, put this in smb.conf:
>>
>> winbind refresh tickets = Yes
>>
>> Reload your config: smbcontrol all reload-config
>>
>> Getent needs to show your domain users, do you have winbind in
>> /etc/nsswitch.conf :
>>
>> ......
>> passwd:         compat winbind
>> group:          compat winbind
>>
>> Do you have libpam-winbind & libpam-krb5 installed ?
>>
>> Rowland
>>
> yes, I have libpam-winbind + libpam-krb5 installed, as well as winbind 
> in /etc/nsswitch.conf.
> I added the entry to smb.conf and performed the command (restarted the 
> services as well, just to be sure), however I still have the same issue.
>
OK, my fileserver is running 14.04 and users can connect to shares and 
via ssh, these are my main PAM files:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# here are the per-package modules (the "Primary" block)
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required                        pam_krb5.so minimum_uid=1000
# end of pam-auth-update config

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# here are the per-package modules (the "Primary" block)
password        [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
password        optional        pam_gnome_keyring.so
# end of pam-auth-update config

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional                        pam_krb5.so minimum_uid=1000
session required        pam_unix.so
session optional                        pam_winbind.so
session optional        pam_systemd.so
session optional                        pam_ck_connector.so nox11
# end of pam-auth-update config
session required                        pam_mkhomedir.so skel=/etc/skel umask=0022

Do yours match the above? Also, do your AD users have uidNumbers & 
gidNumbers?

Rowland
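As an added illustration (not part of this thread, and not Samba or Ubuntu code), the small Python simulator below models the `[success=N default=ignore]` control syntax from pam.conf(5) and runs the common-auth and common-account stacks posted above through it. The per-module return codes in the two scenarios are constructed: scenario one mirrors the auth.log excerpt (pam_winbind grants access, pam_unix cannot identify the user via getpwnam), scenario two assumes winbind cannot identify the user either, which is what a missing `winbind` entry in nsswitch.conf or an AD user without uidNumber/gidNumber would look like to PAM. The simulator follows the documented semantics (ignore, ok, done, bad, die, reset, and integer jumps) and is a simplification of the real dispatcher.

```python
"""Simulate Linux-PAM stack control flow for pam-auth-update style stacks.

Added example, not from the mailing-list thread. It implements the
[value=action] semantics documented in pam.conf(5) so you can see which
module decides the outcome of a stack, and why a single
"could not identify user" line from pam_unix is not by itself fatal.
"""
import re

SUCCESS = "PAM_SUCCESS"
MUST_FAIL = "PAM_PERM_DENIED"  # an undecided stack fails closed with this code

# Keyword controls expressed as their bracketed equivalents (pam.conf(5)).
KEYWORD_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

LINE_RE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\w+)\s+(\S+)")


def parse_stack(text):
    """Return a list of (module, {retval: action}) from pam.d style lines."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable PAM line: {line}")
        _, control, module = m.groups()
        control = KEYWORD_CONTROLS.get(control, control)
        actions = dict(pair.split("=", 1) for pair in control[1:-1].split())
        stack.append((module, actions))
    return stack


def _status(retval):
    """Map a lower-case return value name (success, user_unknown, ...) to a PAM code name."""
    return SUCCESS if retval == "success" else "PAM_" + retval.upper()


def run_stack(stack, results):
    """Walk the stack; `results` maps module name -> return value name.

    Returns (final status, trace) where trace lists (module, retval, action)
    for every module that actually ran (jumped-over modules do not appear).
    """
    impression = None      # None = undecided, True = positive, False = negative
    status = MUST_FAIL
    trace = []
    i = 0
    while i < len(stack):
        module, actions = stack[i]
        retval = results.get(module, "success")
        # A return value not listed in the control falls back to 'default',
        # and an absent 'default' means 'bad'.
        action = actions.get(retval, actions.get("default", "bad"))
        trace.append((module, retval, action))
        if action == "ignore":
            pass
        elif action in ("ok", "done"):
            # This module's code counts unless an earlier module already failed.
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, _status(retval)
            if action == "done" and impression:
                break
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, _status(retval)
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, MUST_FAIL
        elif action.isdigit():
            # Jump: skip the next N modules (this is how pam_deny gets bypassed).
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, _status(retval)
            i += int(action)
        else:
            raise ValueError(f"unknown action {action!r} for {module}")
        i += 1
    return (status if impression is not None else MUST_FAIL), trace


# The common-auth and common-account stacks from the post above.
COMMON_AUTH = """
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
"""
COMMON_ACCOUNT = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite                       pam_deny.so
account required                        pam_permit.so
account required                        pam_krb5.so minimum_uid=1000
"""

# Constructed scenario matching the auth.log excerpt: winbind grants access,
# pam_unix cannot find the user through getpwnam. pam_deny's failure codes
# (auth_err / acct_expired) are only consulted if the jump does not skip it.
LOG_AUTH_RESULTS = {"pam_krb5.so": "auth_err", "pam_unix.so": "user_unknown",
                    "pam_winbind.so": "success", "pam_deny.so": "auth_err"}
LOG_ACCOUNT_RESULTS = {"pam_unix.so": "user_unknown", "pam_winbind.so": "success",
                       "pam_deny.so": "acct_expired"}
# Constructed scenario where winbind cannot identify the user either.
NSS_BROKEN_ACCOUNT_RESULTS = {"pam_unix.so": "user_unknown", "pam_winbind.so": "user_unknown",
                              "pam_deny.so": "acct_expired"}

if __name__ == "__main__":
    for name, stack, results in [("auth", COMMON_AUTH, LOG_AUTH_RESULTS),
                                 ("account", COMMON_ACCOUNT, LOG_ACCOUNT_RESULTS),
                                 ("account/nss-broken", COMMON_ACCOUNT, NSS_BROKEN_ACCOUNT_RESULTS)]:
        status, trace = run_stack(parse_stack(stack), results)
        print(f"{name}: {status}")
        for module, retval, action in trace:
            print(f"  {module:16} {retval:14} -> {action}")
```

With the posted stacks, pam_unix returning user_unknown is simply ignored and pam_winbind's success jumps over pam_deny, so both phases end in PAM_SUCCESS; only when winbind cannot resolve the user either does the requisite pam_deny fire and the account phase fails. That is why `getent passwd` showing domain users (nsswitch.conf plus uidNumber/gidNumber on the AD accounts) is the thing to verify first.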

