Desperate -- I'll even pay -- winbind/samba -- challenge/response password authentication failed

vda vda at port.imtp.ilyichevsk.odessa.ua
Tue Dec 25 01:08:11 GMT 2001


On Monday 24 December 2001 18:30, Hammond, James T.S. wrote:
> My ultimate goal is to login to my Redhat box with Windows usernames
> (like DOM+W2kusername) and passwords that are authenticated from my
> Windows 2000 domain controllers.  Hence my use of Winbind, which seems
> written exactly for this purpose...

Well I have this working for me, the problem is:

* winbindd running:
  - I can login as domain.user and get nice shell prompt
  - I can't connect to my samba server from Win boxes or via smbclient
* winbindd killed:
  - I can't login as domain.user and get nice shell prompt
  - I can connect to my samba server from Win boxes or via smbclient

My /etc/pam.d/login:
--------------------
# login via Samba winbind
# winbindd must be running for this to work
# Supplied password must match either /etc/passwd or NT domain password
# You don't have to have UNIX user/group to login!

auth		sufficient	/lib/security/pam_winbind.so
auth		required	/lib/security/pam_unix_auth.so use_first_pass nullok
account		required	/lib/security/pam_winbind.so
password	required	/lib/security/pam_unix_passwd.so
session		required	/lib/security/pam_unix_session.so

My smb.conf is after the sig. It has commented sections which were _verified_ 
_to _work_ too but are unused now.

Samba 2.2.2 compiled from sources.

Are you seriuos about "I'll even pay"? :-)
--
vda

#======================= Global Settings =====================================
[global]

# Logging
#0..3 - ERR,WARN,NOTICE,INFO
  log file = /var/log/samba.%m
  max log size = 256
  debug level = 1
  syslog = 1
  syslog only = No

# makes ping <netbios name> work
# Note: 
# /etc/nsswitch: "hosts: files dns wins"
# /lib: libnss_wins.so, libnss_wins.so[.1|2 (glibc 1/2)]
  #name resolve order = lmhosts host wins bcast
  name resolve order = wins
  wins server = 172.16.42.102

# winbindd allows you to have user UID/GID be derived from NT PDC
# and domain users can log in your linux box (shell login, not just SMB 
connect!)
# without twiddling with /etc/passwd|shadow|group!
# PAM usage:
#   auth sufficient pam_winbind.so
#   account required pam_winbind.so
# Note: have to join domain, have to be in domain security mode
  # user syntax: DOMAIN.user
  winbind separator = .
  # Allocate uid/gid range for NT users
  winbind uid = 10000-20000
  winbind gid = 10000-20000
  # Recheck user/group id every N secs
  winbind cache time = 300
  # Home dir: %D:domain %U:user
  template homedir = /home/%D.%U
  template shell = /bin/bash

# Browser elections
  local master = yes
  preferred master = yes
  ;domain master = depands on security model, see below

# Username/passwd handling
  # If username is invalid, treat him as guest
  map to guest = Bad user
  # Allow users with null passwords to connect
  null passwords = yes
  # Allow logins from Win311/95/98 (weaker security)
  lanman auth = yes
  encrypt passwords = yes

;# Authenticate users using given WinNT box
;# - VDA: ok
;  workgroup = PORT
;  encrypt passwords = yes
;  security = server
;  password server = PORT_PDC
;  domain master = no

# Authenticate users using given WinNT domain
# - VDA: ok, but you'll need to create UNIX users for each connecting Win one
# (same username as found on PDC)
# Update: [2001/12/07] can't make it accept domain users
#         when winbindd is running even if local user exists in /etc/passwd
#
  workgroup = PORT
  encrypt passwords = yes
  security = domain
  password server = *
  domain master = no

;# Authenticate users using local Samba
;# (we are part of a workgroup)
;# - VDA: ok.
;# Set passwords for users via smbpasswd!
;  workgroup = LINUX
;  os level = 33
;  security = share
;  domain logons = no

;# We are PDC for our domain (domain name set by 'workgroup')
;# Have to have [netlogon]
;# TODO: check:maybe we need [profiles] too?
;  workgroup = LINUX
;  os level = 34
;  security = user
;  domain logons = yes
;  domain master = yes # affects browser elections
;  ;# To be executed each time user logs in. Stored in [netlogon]
;  ;logon script = %u.bat
;  # Home dir and drive to map it to
;  # (%L: our server netbios name, %u: final user name)
;  logon home = \\%L\%u\home\%u
;  logon drive = w:
;  # Profiles dir for roaming profiles
;  logon path = \\%L\%u\home\%u\profiles

# Guess what is this?
  client code page = 866
  code page directory = /usr/lib/samba/lib/codepages

# ???
  socket options = TCP_NODELAY 

; TODO: try is this useful
;[global]
;  default service = pub
;
;[pub]
;  path = /%S
;
;!!!
;  preexec = ...
;  postexec = ...

#============================ Default share parameters =======================
  # Map guests to which UNIX user?
  guest account = guest
  # Share is visible by default?
  browseable = yes
  guest ok = yes
  # ???
  #browse list = yes
  read only = yes
  follow symlinks = yes
  create mode = 0644
  force create mode = 0600
  directory mode = 0755
  force directory mode = 0111
  # ???
  deadtime = 10

#============================ Share Definitions ==============================
[-pub]
  path = /pub
  read only = yes
  guest ok = yes
  guest only = yes

[-in]
  path = /pub/in
  read only = no
  guest ok = yes
  guest only = yes

# Special share - replaced by username
# Check that this path is actually accessible by users!!!
[homes]
  ;path = /home/%S
  path = /.share
  only user = yes
  user = %S
  ;vda: hoped to allow \\serv\user for win9x. does not work: force user = %S
  guest ok = no
  read only = no
  # This stops [homes] to be visible itself
  # User shares inherit global setting and hence are visible
  browseable = no

;# Special share - replaced by printer name(s)
;[printers]
;  comment = All Printers
;  path = /var/spool/samba
;  browseable = no
;# Set public = yes to allow user 'guest account' to print
;  guest ok = no
;  writable = no
;  printable = yes

# Special share: used for logons if we are PDC
# It stores logon scripts, ??? what else ???
[netlogon]
  path = /var/app/samba-2.2.2/netlogon
  public = no
  writable = no
  browsable = no

# ???
[profiles]
  path = /var/app/samba-2.2.2/profiles
  browseable = no
  guest ok = yes




More information about the samba mailing list