[Samba] Winbind: can't log in as domain user

Gerald (Jerry) Carter jerry at samba.org
Fri Oct 31 17:59:28 GMT 2003

Mike Ely wrote:

| Basic problem is that domain users can't successfully log
| into the linux box.  I'm trying to set this box up as
| an ltsp server authenticating against our existing AD


|     [libdefaults]
|             default_realm = LTSP.FOO.BAR
|             dns_lookup_realm = false
|             dns_lookup_kdc = true

Did you enable the DNS lookup during compile?  If so then you can get
rid of the [realms] section below.

|     [realms]
|             LTSP.FOO.BAR = {

| I can successfully join the domain using "net ads join -U username" and
| all that.  Net ads info looks right, and smbd, nmbd, and winbindd start
| up successfully at boot (although winbindd shows up twice when I do "ps
| -ae | grep winbindd").

winbindd should show up twice by default (in 3.0).

| kinit administrator at LTSP.FOO.BAR works as it should, I think.  I get
| prompted for a password, and then klist shows the ticket, although the
| following also shows up with klist
|     Kerberos 4 ticket cache: /tmp/tkt0
|     klist: You have no tickets cached

That's fine as well.

| wbinfo -u shows all my top-level users, and wbinfo shows all my
| top-level groups - anyone in a secondary OU is not visible to wbinfo -
| problem 1.

How are the users/groups laid out in AD?

| Now, as root, I can change users to any domain user I want to without
| entering a password, using, for example:
|     su LTSP+fred
| and "whoami" returns the correct value.  However, if I log in as a local
| non-root account and try the same thing, or if I attempt to connect
| remotely using "ssh -l LTSP+fred" I get a failed password error even
| though I'm using a known-good password for that account.  BIG problem #2.

Have you setup pam_winbind.so ?

| I'm sure there's something simple that needs to be changed and all will
| suddenly Just Work.  Once that happens, perhaps someone could answer
| this: how do I automatically map the home directory of a domain user to
| their AD-defined home directory (//ltsp-fs1/staff/fred <-->
| /home/LTSP/fred, for example)?  I want to have no local storage for
| domain users on the linux box.

See pam_mount.so and smbfs (or patches for the newer cifsvfs).

cheers, jerry
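An added illustration, not part of the original thread, of what "set up pam_winbind.so" looks like in practice: the reason "su LTSP+fred" works as root but fails for anyone else is that root's su is let through by pam_rootok without ever asking winbindd, so it does not prove the auth stack is wired up. The file name and module paths below assume a Linux-PAM layout of the Samba 3.0 era (a per-service file such as /etc/pam.d/login or /etc/pam.d/sshd); the stack itself follows the pattern in the Samba winbind HOWTO.

```text
# /etc/pam.d/sshd  (the same lines belong in /etc/pam.d/login, su, etc.)
# Every service a domain user logs in through needs the winbind modules;
# a stack that only has pam_unix/pam_pwdb will report a bad password for
# LTSP+fred no matter how correct it is.
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
account    required     /lib/security/pam_winbind.so
session    required     /lib/security/pam_pwdb.so
```

Before touching PAM, "wbinfo -a LTSP+fred%password" checks whether winbindd itself accepts the credentials, which separates a winbindd/AD problem from a PAM one.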
