Desperate -- I'll even pay -- winbind/samba -- challenge/response password authentication failed
vda
vda at port.imtp.ilyichevsk.odessa.ua
Tue Dec 25 01:08:11 GMT 2001
On Monday 24 December 2001 18:30, Hammond, James T.S. wrote:
> My ultimate goal is to login to my Redhat box with Windows usernames
> (like DOM+W2kusername) and passwords that are authenticated from my
> Windows 2000 domain controllers. Hence my use of Winbind, which seems
> written exactly for this purpose...
Well I have this working for me, the problem is:
* winbindd running:
- I can login as domain.user and get nice shell prompt
- I can't connect to my samba server from Win boxes or via smbclient
* winbindd killed:
- I can't login as domain.user and get nice shell prompt
- I can connect to my samba server from Win boxes or via smbclient
My /etc/pam.d/login:
--------------------
# login via Samba winbind
# winbindd must be running for this to work
# Supplied password must match either /etc/passwd or NT domain password
# You don't have to have UNIX user/group to login!
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_unix_auth.so use_first_pass nullok
account required /lib/security/pam_winbind.so
password required /lib/security/pam_unix_passwd.so
session required /lib/security/pam_unix_session.so
My smb.conf is after the sig. It has commented sections which were _verified to work_ too but are unused now.
Samba 2.2.2 compiled from sources.
Are you serious about "I'll even pay"? :-)
--
vda
#======================= Global Settings =====================================
[global]
# Logging
#0..3 - ERR,WARN,NOTICE,INFO
log file = /var/log/samba.%m
max log size = 256
debug level = 1
syslog = 1
syslog only = No
# makes ping <netbios name> work
# Note:
# /etc/nsswitch: "hosts: files dns wins"
# /lib: libnss_wins.so, libnss_wins.so[.1|2 (glibc 1/2)]
#name resolve order = lmhosts host wins bcast
name resolve order = wins
wins server = 172.16.42.102
# winbindd allows you to have user UID/GID be derived from NT PDC
# and domain users can log in your linux box (shell login, not just SMB connect!)
# without twiddling with /etc/passwd|shadow|group!
# PAM usage:
# auth sufficient pam_winbind.so
# account required pam_winbind.so
# Note: have to join domain, have to be in domain security mode
# user syntax: DOMAIN.user
winbind separator = .
# Allocate uid/gid range for NT users
winbind uid = 10000-20000
winbind gid = 10000-20000
# Recheck user/group id every N secs
winbind cache time = 300
# Home dir: %D:domain %U:user
template homedir = /home/%D.%U
template shell = /bin/bash
# Browser elections
local master = yes
preferred master = yes
;domain master = depends on security model, see below
# Username/passwd handling
# If username is invalid, treat him as guest
map to guest = Bad user
# Allow users with null passwords to connect
null passwords = yes
# Allow logins from Win311/95/98 (weaker security)
lanman auth = yes
encrypt passwords = yes
;# Authenticate users using given WinNT box
;# - VDA: ok
; workgroup = PORT
; encrypt passwords = yes
; security = server
; password server = PORT_PDC
; domain master = no
# Authenticate users using given WinNT domain
# - VDA: ok, but you'll need to create UNIX users for each connecting Win one
# (same username as found on PDC)
# Update: [2001/12/07] can't make it accept domain users
# when winbindd is running even if local user exists in /etc/passwd
#
workgroup = PORT
encrypt passwords = yes
security = domain
password server = *
domain master = no
;# Authenticate users using local Samba
;# (we are part of a workgroup)
;# - VDA: ok.
;# Set passwords for users via smbpasswd!
; workgroup = LINUX
; os level = 33
; security = share
; domain logons = no
;# We are PDC for our domain (domain name set by 'workgroup')
;# Have to have [netlogon]
;# TODO: check:maybe we need [profiles] too?
; workgroup = LINUX
; os level = 34
; security = user
; domain logons = yes
; domain master = yes # affects browser elections
; ;# To be executed each time user logs in. Stored in [netlogon]
; ;logon script = %u.bat
; # Home dir and drive to map it to
; # (%L: our server netbios name, %u: final user name)
; logon home = \\%L\%u\home\%u
; logon drive = w:
; # Profiles dir for roaming profiles
; logon path = \\%L\%u\home\%u\profiles
# Guess what is this?
client code page = 866
code page directory = /usr/lib/samba/lib/codepages
# ???
socket options = TCP_NODELAY
; TODO: check whether this is useful
;[global]
; default service = pub
;
;[pub]
; path = /%S
;
;!!!
; preexec = ...
; postexec = ...
#============================ Default share parameters =======================
# Map guests to which UNIX user?
guest account = guest
# Share is visible by default?
browseable = yes
guest ok = yes
# ???
#browse list = yes
read only = yes
follow symlinks = yes
create mode = 0644
force create mode = 0600
directory mode = 0755
force directory mode = 0111
# ???
deadtime = 10
#============================ Share Definitions ==============================
[-pub]
path = /pub
read only = yes
guest ok = yes
guest only = yes
[-in]
path = /pub/in
read only = no
guest ok = yes
guest only = yes
# Special share - replaced by username
# Check that this path is actually accessible by users!!!
[homes]
;path = /home/%S
path = /.share
only user = yes
user = %S
;vda: hoped to allow \\serv\user for win9x. does not work: force user = %S
guest ok = no
read only = no
# This stops [homes] to be visible itself
# User shares inherit global setting and hence are visible
browseable = no
;# Special share - replaced by printer name(s)
;[printers]
; comment = All Printers
; path = /var/spool/samba
; browseable = no
;# Set public = yes to allow user 'guest account' to print
; guest ok = no
; writable = no
; printable = yes
# Special share: used for logons if we are PDC
# It stores logon scripts, ??? what else ???
[netlogon]
path = /var/app/samba-2.2.2/netlogon
public = no
writable = no
browsable = no
# ???
[profiles]
path = /var/app/samba-2.2.2/profiles
browseable = no
guest ok = yes
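As an added example (not part of the post or of Samba itself): a small checker for the winbind-related [global] keys above. It parses both comment styles Samba accepts, reports stray lines such as a comment that wrapped onto a line without its leading '#', and flags the settings the poster marks as weaker security. The sample config is constructed from a subset of the posted keys.

```python
import re

# Constructed sample mirroring the poster's [global] keys, including a wrapped
# comment line ("connect!)") that lost its leading '#'.
SAMPLE = """\
[global]
# and domain users can log in your linux box (shell login, not just SMB
connect!)
winbind separator = .
winbind uid = 10000-20000
winbind gid = 10000-20000
null passwords = yes
lanman auth = yes
encrypt passwords = yes
; security = server
security = domain
"""

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def parse_smb_conf(text):
    """Return ({section: {key: value}}, [line numbers smbd cannot parse])."""
    sections, bad, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # both comment styles Samba accepts
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            bad.append(n)                    # stray text such as a wrapped comment
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections, bad

def lint_global(g):
    """Flag [global] settings that weaken or break domain logins."""
    findings = []
    for key in ("winbind uid", "winbind gid"):
        rng = g.get(key, "0-0")
        lo, hi = (int(x) for x in rng.split("-"))
        if hi <= lo or lo < 1000:
            findings.append(f"{key} = {rng}: empty range or collides with local ids")
    if g.get("security", "").lower() == "domain" and not is_yes(g.get("encrypt passwords", "no")):
        findings.append("security = domain needs encrypt passwords = yes")
    if is_yes(g.get("null passwords", "no")):
        findings.append("null passwords = yes: empty-password accounts can connect")
    if is_yes(g.get("lanman auth", "no")):
        findings.append("lanman auth = yes: weak LM responses accepted")
    return findings
```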