[Samba] Problems to authenticate Ubuntu 14 on Samba4
Rowland penny
rpenny at samba.org
Tue Dec 29 09:20:40 UTC 2015
See inline comments:
On 28/12/15 22:54, Marcio Demetrio Bacci wrote:
> I'm using Ubuntu 14.04-64 bits
>
> I had installed with apt-get the follows packages
>
>
> krb5-user krb5-config winbind samba samba-common smbclient cifs-utils
> libpam-krb5 libpam-winbind libnss-winbind
>
> The samba version is 4.1.16-Ubuntu
>
> Below are my files of configuration
>
> */etc/samba/smb.conf*
> [global]
> netbios name = cliente-ad192
> workgroup = EMPRESA
> security = ads
> realm = EMPRESA.COM
> password server = 192.196.40.1
> encrypt passwords = yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> preferred master = no
> idmap config *:backend = tdb
> idmap config *:range = 1000-3000
> idmap config EMPRESA:backend = ad
> idmap config EMPRESA:schema_mode = rfc2307
> idmap config EMPRESA:range = 10000-9999999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> template homedir = /home/%D/%U
> template shell = /bin/bash
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> username map = /etc/samba/user.map
>
>
Your smb.conf looks ok, apart from:
idmap config *:range = 1000-3000
Do you really have no local Unix users?
password server = 192.196.40.1
You should remove this line and let Samba find the DC via dns
encrypt passwords = yes
You should remove this line because it is the default and is not required.
template homedir = /home/%D/%U
template shell = /bin/bash
You are using the winbind 'ad' backend along with 'winbind nss info =
rfc2307', this means that Samba expects to find the unixHomeDirectory &
loginShell attributes in AD. Have you given your users a unique
uidNumber attribute and Domain Users (at least) a gidNumber attribute?
>
> */etc/krb5.conf*
> [libdefaults]
> default_realm = EMPRESA.COM
>
> # The following krb5.conf variables are only for MIT Kerberos.
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
> [realms]
> EMPRESA.COM = {
> kdc = DC1.EMPRESA.COM
> admin_server = DC1.EMPRESA.COM
> }
>
> [domain_realm]
> .empresa.com = EMPRESA.COM
> empresa.com = EMPRESA.COM
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
>
>
> */etc/resolv.conf*
> nameserver 192.168.40.1
> search empresa.com
>
> */etc/hosts*
> 127.0.0.1 localhost
> 127.0.1.1 cliente-ad192.empresa.com cliente-ad192
> 192.168.40.2 cliente-ad192.empresa.com cliente-ad192
> 192.168.40.1 dc1.empresa.com dc1
>
>
I would recommend that you stop Network manager from using dnsmasq, then
remove the lines in /etc/resolv.conf that start with '127.0.1.1' &
'192.168.40.2', the first because this is the dnsmasq line and the
second because you should find your DCs via dns.
> */etc/nsswitch.conf*
> passwd: compat
> group: compat
> shadow: compat
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
OK, here is a major problem, the passwd & group lines in
/etc/nsswitch.conf need 'winbind' adding to them, i.e.
passwd: compat winbind
group: compat winbind
>
> */etc/pam.d/common-session*
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session optional pam_umask.so
> session optional pam_krb5.so minimum_uid=1000
> session required pam_unix.so
> session optional pam_winbind.so
> session optional pam_systemd.so
>
>
> */usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf*
> [SeatDefaults]
> user-session=ubuntu
> greeter-show-manual-login=true
>
>
>
> */usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf*
> [SeatDefaults]
> allow-guest=false
> greeter-show-remote-login=false
> greeter-show-manual-login=true
> greeter-session=unity-greeter
>
>
> Thanks
>
I would also add this to the end of /etc/pam.d/common-account
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
This will create your users' home directories as they login, if they do
not already exist.
Rowland
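The checks Rowland makes by eye above (the '*' idmap range colliding with local Unix UIDs, the redundant 'password server' and 'encrypt passwords' lines, and passwd/group in nsswitch.conf missing winbind) as a small Python checker. This is an added example, not Samba's code nor anything from the thread; the sample inputs are constructed from the quoted configuration, and LOCAL_UID_MIN = 1000 is an assumption (Ubuntu's default UID_MIN for local users).

```python
import re

# Constructed sample input: the relevant [global] lines quoted in the thread.
SMB_CONF = """\
[global]
security = ads
password server = 192.196.40.1
encrypt passwords = yes
idmap config *:range = 1000-3000
idmap config EMPRESA:range = 10000-9999999
"""
# Constructed sample input: the passwd/group lines quoted in the thread.
NSSWITCH = "passwd:compat\ngroup:compat\nshadow:compat\n"
LOCAL_UID_MIN = 1000  # assumption: Ubuntu's default UID_MIN for local users


def parse_smb_conf(text):
    """Map 'key = value' lines to a dict; keys are lower-cased, single-spaced."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";", "[")) and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def check_smb_conf(text):
    """Return the findings Rowland raised: redundant lines and a '*' idmap
    range that starts inside the UID space used by local Unix users."""
    params, findings = parse_smb_conf(text), []
    for key in ("password server", "encrypt passwords"):
        if key in params:
            findings.append(f"remove '{key}'")
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            ranges[m.group(1)] = tuple(int(x) for x in value.split("-"))
    star = ranges.get("*")
    if star and star[0] <= LOCAL_UID_MIN:
        findings.append("'*' range overlaps local Unix users")
    return findings


def check_nsswitch(text):
    """Flag passwd/group databases that do not list winbind as a source."""
    findings = []
    for line in text.splitlines():
        db, _, sources = line.partition(":")
        if db.strip() in ("passwd", "group") and "winbind" not in sources.split():
            findings.append(f"nsswitch '{db.strip()}' lacks winbind")
    return findings
```

Run `check_smb_conf(SMB_CONF)` and `check_nsswitch(NSSWITCH)` against your own files after fixing them; an empty list means none of these three problems remain.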