[Samba] Domain users cannot log on locally to DC

Rowland Penny rpenny at samba.org
Thu Nov 2 09:21:22 UTC 2017 

On Thu, 2 Nov 2017 08:59:13 -0000
Roy Eastwood via samba <samba at lists.samba.org> wrote:

> Hi,
> I have a samba 4.7.0 DC installed on a Debian Stretch machine.   I
> provisioned the domain with rfc2307 enabled and have set the Unix
> attributes using Windows 7 RSAT/ADUC.   I think I followed the WiKi
> pages correctly to enable the pam_winbind module in PAM, and have
> allocated a gID to Domain Users.   After falling foul of the
> https://bugzilla.samba.org/show_bug.cgi?id=13054 bug, entering net
> cache flush gave the correct output for getent group and getent
> passwd test1.
> 
> Yet I still cannot log on locally to the DC, either on the console or
> via ssh.   Relevant config and log files are as follows:
> 
> /etc/smb.conf:
> # Global parameters
> [global]
>                 netbios name = DC1
>                 realm = MICROLYNX.CO.UK
>                 workgroup = MICROLYNX
>                 dns forwarder = 192.168.2.1
>                 server role = active directory domain controller
>                 idmap_ldb:use rfc2307 = yes
>                 allow dns updates = nonsecure
>                 wins support = no
>                 local master = yes
>                 domain master = yes
>                 preferred master = yes
>                 rpc_server:spoolss = external
>                 rpc_daemon:spoolssd = fork
>                 printing = cups
>                 printcap name = cups
>                 load printers = yes
>                 winbind nss info = rfc2307
>                 winbind enum users = yes
>                 winbind enum groups = yes
>                 # Use settings from AD for login shell and home
> directory - doesn't work so use the next two lines
>                 template shell = /bin/bash
>                 template homedir = /srv/users/%U
>                 log file = /var/log/samba/log.%m
>                 log level = 1
> 
> [netlogon]
>                 path = /srv/samba/sysvol/microlynx.co.uk/scripts
>                 read only = No
> 
> [sysvol]
>                 path = /srv/samba/sysvol
>                 read only = No
> 
> [users]
> 	path = /srv/users
> 	read only = No
> 
> /etc/pam.d/common-account - following lines added:
> # add pam_winbind to allow domain users to log in locally
> account [default=bad success=ok user_unknown=ignore]
> pam_winbind.so
> 
> /etc/pam.d/common-auth  - following lines added:
> # add pam_winbind to allow domain users to log in locally
> auth sufficient	pam_winbind.so use_first_pass
> 
> /etc/pam.d/common-password - following lines added:
> # add pam_winbind to allow domain users to log in locally
> password	sufficient	pam_winbind.so use_authtok
> 
> excerpt from /var/log/auth.log: (with debug added to line: auth
> sufficient pam_winbind.so use_first_pass in /etc/pam.d/common-auth)
> Nov  1 22:53:58 dc1 sshd[5788]: pam_winbind(sshd:auth): [pamh:
> 0x81d72698] ENTER: pam_sm_authenticate (flags: 0x0001)
> Nov  1 22:53:58 dc1 sshd[5788]: pam_winbind(sshd:auth): getting
> password (0x00000011)
> Nov  1 22:53:58 dc1 sshd[5788]: pam_winbind(sshd:auth): Could not
> retrieve user's password
> Nov  1 22:53:58 dc1 sshd[5788]: pam_winbind(sshd:auth): [pamh:
> 0x81d72698] LEAVE: pam_sm_authenticate returning 20 (PAM_AUTHTOK_ERR)
> Nov  1 22:53:58 dc1 sshd[5788]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.240
> user=test1 Nov  1 22:54:00 dc1 sshd[5788]: Failed password for test1
> from 192.168.2.240 port 50348 ssh2
> Nov  1 22:54:04 dc1 sshd[5788]: Connection closed by 192.168.2.240
> port 50348 [preauth]
> 
> Output of getent passwd test1
> root at dc1:~# getent passwd test1
> MICROLYNX\test1:*:10000:10000:Test One User:/srv/users/test1:/bin/bash
> 
> Output of getent group “Domain Users”
> root at dc1:~# getent group "Domain Users"
> MICROLYNX\domain users:x:10000:
> 
> Output of: # ls -l /lib/i386-linux-gnu/security/pam_winbind.so
> lrwxrwxrwx 1 root root 44 Nov  1 18:04
> /lib/i386-linux-gnu/security/pam_winbind.so ->
> /usr/local/samba/lib/security/pam_winbind.so
> 
> What am I missing?    Any help appreciated,
> 
> Thanks,
> 
> Roy
> 
> 
> 

Have you compiled Samba yourself ?
If so you are probably missing this file:

/usr/share/pam-configs/winbind

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
Password-Type: Primary
Password:
	[success=end default=ignore]	pam_winbind.so use_authtok try_first_pass
Password-Initial:
	[success=end default=ignore]	pam_winbind.so
Session-Type: Additional
Session:
	optional			pam_winbind.so

Remove the lines you added to PAM, then run 'pam-auth-update'

If you are using packages from somewhere, install:

winbind libpam-winbind libpam-krb5 libnss-winbind

Rowland

More information about the samba mailing list