Desperate -- I'll even pay -- winbind/samba -- challenge/response password authentication failed
Noel Kelly
nkelly at tarsus.co.uk
Mon Dec 24 16:34:02 GMT 2001
I think this is acceptable - I get the same output for this command in a
Samba session on a Win2000 domain and it works fine.

$ wbinfo -a DOM+W2kusername%password
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user DOM+W2kusername%password with challenge/response

I think you are 99% set up. I followed this posting initially to get things
going. It has lost some of the formatting but is a nice step by step guide:

Here is my procedure to get winbind running with (a fairly recent) CVS of
SAMBA_2_2

A. Shut down samba smbd, nmbd and winbindd daemons
1. kill all smbd's
2. kill all nmbd's
3. kill all winbindd's

B. Make a clean version of samba to test with
as root, in the samba/source directory
1. # rm -rf /usr/local/samba
   (gets rid of any old samba you may have)
   (*** save ../lib/smb.conf if you want to reuse it)
2. # make clean
3. # rm config.cache
4. # ./configure --with-pam --with-winbind (--with-acl-support)
   (I use XFS acls, you don't need to to use winbind)
5. # make
6. # make install
   (puts the stuff in /usr/local/samba by default)
7. # cp nsswitch/libnss_winbind.so /lib
8. # ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
9. # cp nsswitch/pam_winbind.so /lib/security/pam_winbind.so
10. edit nsswitch.conf
   passwd: files nisplus winbind
   shadow: files nisplus winbind
   group: files nisplus winbind
   (note: group needs winbind entry too!)
11. # /sbin/ldconfig -v | grep winbind
   (makes libnss_winbind available and checks)
12. copy proper smb.conf into /usr/local/samba/lib
13. # /usr/local/samba/bin/smbpasswd -j DOMAIN
   (where DOMAIN is the domain of your PDC)
12. # /usr/local/samba/bin/winbindd
   (starts up the winbindd daemon)
13. # ps -ae | grep winbindd
   (make sure winbindd started ok)
14. # /usr/local/samba/bin/wbinfo -u
   (should give a list containing local AND domain users)
15. # /usr/local/samba/bin/wbinfo -g
   (should give a list containing local AND domain groups)
16. # getent passwd
   (should give a list containing local AND domain users)
17. # getent group
   (should give a list containing local AND domain users)

C. Now need to fix the pam.d files!
1. to enable authentication and accounts from local and DOMAIN users
   change /etc/pam.d/samba to:
   auth required /lib/security/pam_winbind.so
   account required /lib/security/pam_winbind.so
2. Other pam.d files: I'm working on them ;->

D. restart smbd and nmbd
1. # /etc/rc.d/init.d/smb restart
   (note: I have 'fixed' /etc/rc.d/init.d/smb to run smbd and nmbd from
   /usr/local/samba/bin)

I can now connect to my share as a user who exists ONLY in the domain (i.e.,
not a local user at all) and create and modify files. For instance, I have a
user CEO/burdell (domain CEO, user burdell) who doesn't exist in my local
/etc/passwd or my /usr/local/samba/private/smbpasswd files. I can log in from
a windows box as 'burdell' and files are created in the share with owner
CEO/burdell:

[jt at jtsdevel jt]$ ls -l /mnt/xfs_part/bu*
-rwxrwxr-- 1 CEO\burd root 37 Sep 20 14:32 /mnt/xfs_part/burdell's.txt

(Using XFS ACLs)
[jt at jtsdevel jt]$ getfacl /mnt/xfs_part/bu*
getfacl: Removing leading '/' from absolute path names
# file: mnt/xfs_part/burdell's.txt
# owner: CEO\burdell
# group: root
user::rwx
other::r--
group::rw-
mask::rwx

My smb.conf file:

[global]
workgroup = CEO
netbios name = JTSDEVEL
server string = JTs devel machine XFS Samba Server
printing = bsd
printcap name = /etc/printcap
load printers = yes
guest account = guest
encrypt passwords = Yes
update encrypted = Yes
os level = 0
preferred master = False
local master = No
domain master = False
security = domain
password server = ZEPHYR
smb passwd file = /usr/local/samba/private/smbpasswd
debug level = 1
wins server = 192.168.10.15
name resolve order = wins host bcast
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

[Public]
path = /mnt/xfs_part
public = yes
read only = No
inherit permissions = yes
create mask = 777
force create mode = 0
directory security mask = 777
force directory security mode = 0

--
John M. Trostel
Senior Software Engineer
Quantum / SnapAppliances
jtrostel at snapserver.com
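
The nsswitch.conf and /etc/pam.d/samba edits from steps B.10 and C.1 above can be checked mechanically. The following is an added example, not part of the original post or of Samba; the function names and the temporary sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: checks the nsswitch.conf (step B.10) and /etc/pam.d/samba
# (step C.1) edits. File paths are arguments so it can be run on copies.

# nss_has_winbind FILE DB: succeeds if DB's line in FILE lists "winbind"
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }    # ignore comments
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# pam_has_winbind FILE TYPE: succeeds if FILE has "TYPE required <path>/pam_winbind.so"
pam_has_winbind() {
    awk -v type="$2" '
        { sub(/#.*/, "") }    # ignore comments
        $1 == type && $2 == "required" && $3 ~ /(^|\/)pam_winbind\.so$/ { found = 1 }
        END { exit !found }' "$1"
}

# check_winbind_setup NSSWITCH PAMFILE: prints each problem, returns their count
check_winbind_setup() {
    problems=0
    for db in passwd shadow group; do
        nss_has_winbind "$1" "$db" && continue
        echo "nsswitch: '$db' line has no winbind entry"
        problems=$((problems + 1))
    done
    for type in auth account; do
        pam_has_winbind "$2" "$type" && continue
        echo "pam: no '$type required .../pam_winbind.so' line"
        problems=$((problems + 1))
    done
    return "$problems"
}

# Constructed sample files: group lacks winbind, the mistake the post warns about
demo_dir=$(mktemp -d)
printf 'passwd: files nisplus winbind\nshadow: files nisplus winbind\ngroup: files nisplus\n' > "$demo_dir/nsswitch.conf"
printf 'auth required /lib/security/pam_winbind.so\naccount required /lib/security/pam_winbind.so\n' > "$demo_dir/samba"
check_winbind_setup "$demo_dir/nsswitch.conf" "$demo_dir/samba" || echo "$? problem(s) found"
rm -rf "$demo_dir"
```

On a real host, call check_winbind_setup /etc/nsswitch.conf /etc/pam.d/samba before starting winbindd.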