[Samba] Authenticating against a Windows 2000 DC?

Chris Palmer chris.palmer at geneed.com
Sun Jan 5 03:30:00 GMT 2003

> From: Daniel Wittenberg [mailto:daniel-wittenberg at uiowa.edu]

> I don't have a url handy at the moment, but you want to look at using
> winbind, it'll do what you're looking for.

Thanks for the clue. :)

I found documentation for it at http://myserver:901/swat/help/winbindd.8.html. I followed the directions there to the letter, although I only changed /etc/pam.d/samba, none of the others. (Should I change any of the others?)

However, "getent passwd" and "getent group" show only the contents of my /etc/passwd and /etc/group, and not the stuff from my Windows domain. Also, I cannot log into SWAT anymore (!) -- although I can mount Samba shares on my Windows workstation using my Linux username and password (but not my Windows username/password).

So clearly I'm missing some critical step.

winbindd, smbd and nmbd are all running. My /etc/nsswitch.conf is as follows:

passwd:     files winbind
shadow:     files nisplus
group:      files winbind
hosts:      files nisplus dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files nisplus
rpc:        files
services:   files nisplus
netgroup:   files nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus

(I am not using nisplus, btw.)

Here is /etc/pam.d/samba:

account required /lib/security/pam_winbind.so
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok

And the [global] section of /etc/samba/smb.conf:

        security = domain
        winbind separator = +
        winbind cache time = 10
        template shell = /bin/bash
        template homedir = /home/%D/%U
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        password server = *
        workgroup = GENEEDINC
        netbios name = DEV
        server string = Dev Samba Server
        encrypt passwords = Yes
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*al
        unix password sync = Yes
        log file = /var/log/samba/%m.log
        max log size = 0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        guest account =
        printing = lprng

Does anyone have any idea what I'm missing? Thanks in advance, again.

Chris Palmer    Systems Programmer    GeneEd
