[Samba] Samba 2.2.8a/winbindd - 2K Domain users password challenged

Stewart, Eric eric at lib.usf.edu
Wed Jul 16 19:21:25 GMT 2003


	I have a RedHat Linux 9 server that I would like to allow users in my Windows 2000 domain to be able to map shares from without actually having an account on the system.  Compiled samba, configured with "./configure --with-pam".  Got the server into the domain, and regular "security = domain" seems to be working appropriately - providing there's a local account with the same username as the 2K Domain user.
	winbind appears to be providing the accounts appropriately - both wbinfo and getent return what you'd expect them to; a wbinfo -a with a user on the domain (the one trying to connect, in fact) gets:

plaintext password authentication succeeded

	It simply appears as if, when a user attempts to connect to the share, it fails to try to match the W2K account (i.e., DOM\user) to the winbind account (DOM+user) and, near as I can tell, fails since there isn't an account on the system under "user".
	Here are the relevant smb.conf lines:

[global]
   netbios name = newweb
   load printers = no
   guest account = nobody
   workgroup = LIB
   security = domain
   password server = *
   encrypt passwords = yes
   local master = no
   os level = 1
   wins server = 131.247.112.6
   server string = LIB309 -Sys-Library Web Server
   preserve case = yes
   invalid users = root mail daemon
   log level = 3
   debug uid = yes
   debug pid = yes
   log file = /usr/local/samba/logs/log.%m
   lock directory = /usr/local/samba/var/locks
   share modes = yes
   winbind separator = +
   winbind uid = 12500-19999
   winbind gid = 12500-19999
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /dev/null

[webdocs]
   comment = Webdocs Share
   browseable = yes
   force create mode = 0664
   force directory mode = 0775
   path = /data1/webdocs
   valid users = @web, @wheel, @LIB+Technology
   read only = yes
   locking = no

	Not sure that this is set up right, or that I might be missing something else:

/etc/pam.d/samba
auth            sufficient      /lib/security/pam_winbind.so
auth            required        /lib/security/pam_pwdb.so use_first_pass shadow nullok
account         required        /lib/security/pam_winbind.so
session         required        /lib/security/pam_pwdb.so
password        required        /lib/security/pam_pwdb.so # shadow md5 nullok audit

	When a user that doesn't have a matching Linux account tries to access the share, they get challenged.
	Please let me know what I'm missing - either in my Samba configuration or in the information I've attempted to provide to you.
	Thanks muchly in advance for your assistance.

Eric Stewart - Network Admin - USF Tampa Library - eric at lib.usf.edu
SCUBA Diver: 220 Dives  Most Recent: 05/10/03 Chankanaab Park, Cozumel
GeoCacher:    58 Found  Most Recent: 07/04/03 GCGBHE - Fun in the Sun
http://www.scubadiving.com/talk/ and http://www.geocaching.com/


