[Samba] Samba 2.2.8a/winbindd - 2K Domain users password challenged

Stewart, Eric eric at lib.usf.edu
Thu Jul 17 14:41:59 GMT 2003


	I know it's been less than a day but I'm kind of surprised that I
haven't gotten an answer on this one way or the other ... so let me ask a
simpler question:

	Are winbind served users of a Linux machine supposed to have access
to the samba shares served by that Linux machine?  If so, please provide
sample smb.conf's (if they differ from mine below) and pam.d/* files.  As
my users only need access to the samba shares, and not login access, I'm
hesitant to change any /etc/pam.d/ file aside from /etc/pam.d/samba ...

	A bit of further testing has shown that at the very least, samba
continues to attempt to look for "user" instead of "DOM+user" when trying
to validate.  Please!  This is the last step I *must* get past before I
can move mission critical services from a Sun Solaris 8 box to this Redhat
Linux 9 machine ...

Eric Stewart - Network Admin - USF Tampa Library - eric at lib.usf.edu
SCUBA Diver: 220 Dives  Most Recent: 05/10/03 Chankanaab Park, Cozumel
GeoCacher:    58 Found  Most Recent: 07/04/03 GCGBHE - Fun in the Sun
http://www.scubadiving.com/talk/ and http://www.geocaching.com/

> -----Original Message-----
> From: Stewart, Eric 
> Sent: Wednesday, July 16, 2003 3:21 PM
> To: samba at lists.samba.org
> Subject: [Samba] Samba 2.2.8a/winbindd - 2K Domain users password
> challenged
> 
> 
> 	I have a RedHat Linux 9 server that I would like to 
> allow users in my Windows 2000 domain to be able to map 
> shares from without actually having an account on the system. 
>  Compiled samba, configured with "./configure --with-pam".  
> Got the server into the domain, and regular "security = 
> domain" seems to be working appropriately - providing there's 
> a local account with the same username as the 2K Domain user.
> 	winbind appears to be providing the accounts 
> appropriately - both wbinfo and getent return what you'd 
> expect them to; a wbinfo -a with a user on the domain (the 
> one trying to connect, in fact) gets:
> 
> plaintext password authentication succeeded
> 
> 	It simply appears as if, when a user attempts to 
> connect to the share, it fails to try to match the W2K 
> account (IE, DOM\user) to the winbind account (DOM+user) and 
> near as I can tell, fails since there isn't an account on the 
> system under "user".
> 	Here are the relevant smb.conf lines:
> 
> [global]
>    netbios name = newweb
>    load printers = no
>    guest account = nobody
>    workgroup = LIB
>    security = domain
>    password server = *
>    encrypt passwords = yes
>    local master = no
>    os level = 1
>    wins server = 131.247.112.6
>    server string = LIB309 -Sys-Library Web Server
>    preserve case = yes
>    invalid users = root mail daemon
>    log level = 3
>    debug uid = yes
>    debug pid = yes
>    log file = /usr/local/samba/logs/log.%m
>    lock directory = /usr/local/samba/var/locks
>    share modes = yes
>    winbind separator = +
>    winbind uid = 12500-19999
>    winbind gid = 12500-19999
>    winbind enum users = yes
>    winbind enum groups = yes
>    template homedir = /dev/null
> 
> [webdocs]
>    comment = Webdocs Share
>    browseable = yes
>    force create mode = 0664
>    force directory mode = 0775
>    path = /data1/webdocs
>    valid users = @web, @wheel, @LIB+Technology
>    read only = yes
>    locking = no
> 
> 	Not sure that this is set up right, or that I might be 
> missing something else:
> 
> /etc/pam.d/samba
> auth            sufficient      /lib/security/pam_winbind.so
> auth            required        /lib/security/pam_pwdb.so use_first_pass shadow nullok
> account         required        /lib/security/pam_winbind.so
> session         required        /lib/security/pam_pwdb.so
> password        required        /lib/security/pam_pwdb.so # shadow md5 nullok audit
> 
> 	When a user that doesn't have a matching Linux account 
> tries to access the share, they get challenged.
> 	Please let me know what I'm missing - either in my 
> Samba configuration or in the information I've attempted to 
> provide to you.
> 	Thanks muchly in advance for your assistance.
> 
> Eric Stewart - Network Admin - USF Tampa Library - eric at lib.usf.edu
> SCUBA Diver: 220 Dives  Most Recent: 05/10/03 Chankanaab Park, Cozumel
> GeoCacher:    58 Found  Most Recent: 07/04/03 GCGBHE - Fun in the Sun
> http://www.scubadiving.com/talk/ and http://www.geocaching.com/