[Samba] Re: domain groups accessing samba share

Gavin Davenport gavdav at gavdav.demon.co.uk
Wed Oct 15 16:14:26 GMT 2003


Ok - I replaced my /etc/pam.d/login with the one you've posted.

getent still lists only local machine users and groups.

Trying to attach to the machine results in this in the hosts samba log:

  Doing spnego session setup
  NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002
5.1]
  Got OID 1 2 840 48018 1 2 2
  Got OID 1 2 840 113554 1 2 2
  Got OID 1 3 6 1 4 1 311 2 2 10
  Got secblob of size 1235
  Ticket name is [gavdav at MYNETWORK.ISP.CO.UK]
  Username gavdav is invalid on this system
  error string = No such file or directory
  error packet at smbd/sesssetup.c(220) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
  timeout_processing: End of file from client (client has disconnected).
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
  Closing connections
  Yielding connection to
  yield_connection: tdb_delete for name  failed with error Record does not
exist.
  Server exit (normal exit)

Still stuck - what should I have in /etc/pam_smb.conf, and
/etc/pam.d/system-auth ??

smb.conf now:
# Global parameters
# NOTE(review): getent reads users and groups through NSS, so winbind has to be
# listed on the passwd and group lines of /etc/nsswitch.conf (and winbindd has
# to be running) before domain accounts appear; PAM is not involved in those
# lookups. The "Username gavdav is invalid on this system" log line may be the
# same symptom - confirm.
[global]
        workgroup = MYDOMAIN
        realm = MYNETWORK.ISP.CO.UK
        server string = Revolver
# Member server of the Active Directory realm named above.
        security = ADS
        password server = bashful
# Level 3 is debugging verbosity; presumably temporary while troubleshooting.
        log level = 3
        log file = /var/log/samba/log.%m
        max log size = 100
        smb ports = 139 445
        announce as = NT Workstation
        name resolve order = host bcast
# NOTE(review): as far as I recall, Yes only offers SMB signing; "mandatory" is
# the value that refuses unsigned sessions - confirm in smb.conf(5) for this release.
        client signing = Yes
        server signing = Yes
        client use spnego = Yes
        use spnego = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        os level = 10
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
# Unix uid/gid ranges that winbind hands out to domain users and groups.
        idmap uid = 10000-20000
        idmap gid = 10000-20000
# NOTE(review): /bin/bash gives every winbind-mapped domain account a login
# shell wherever PAM accepts it; a non-login shell suits a host that only
# serves files.
        template shell = /bin/bash
# Domain names are rendered as DOMAIN+name with this separator, so names used in
# share access lists have to be written the same way.
        winbind separator = +
        winbind cache time = 2
# NOTE(review): presumably accounts of the machine's own domain are then shown
# without the domain prefix - confirm with wbinfo -u.
        winbind use default domain = Yes
        template homedir = /home/%D/%U
# Repeats the template shell line above with the same value; one is redundant.
        template shell = /bin/bash
        winbind enum users = yes
# NOTE(review): booleans look case-insensitive, so yeS should parse as yes - confirm.
        winbind enum groups = yeS
        comment = Redhat 8.0 Samba
# Only loopback and 10.0.0.x clients are accepted.
        hosts allow = 127., 10.0.0.

# Per-user home share: writable (read only = No) and hidden from browse lists
# (browseable = No).
[homes]
        comment = Home Directories
        read only = No
        browseable = No

# Read-only export of /usr/local, restricted by the two access lists below.
[usr-local]
        path = /usr/local
        read only = Yes
# NOTE(review): this entry names the Kerberos realm and uses "\" as separator,
# while [global] sets winbind separator = + and winbind use default domain = Yes,
# and wbinfo -g elsewhere in this thread reports the group under MYDOMAIN. If
# the name does not resolve, nobody matches valid users; check the exact
# spelling with wbinfo -g and getent group.
        valid users = @MYNETWORK.ISP.CO.UK\"Domain Users"
# NOTE(review): admin users carry out file operations on the share as root, so
# keep this list minimal or drop it. The leading "@" marks a group, yet
# wbinfo -u lists gavdav as a user.
        Admin users = @MYNETWORK.ISP.CO.UK\gavdav

###################################################
Re: domain groups accessing samba share


Hi Gavin,

This is what I have for my /etc/pam.d/login

#%PAM-1.0
# Login stack that tries winbind, then local (pam_unix), then Kerberos
# authentication before falling back to system-auth.
# NOTE(review): this file decides who may log in; it does not make getent list
# domain accounts. That listing comes from NSS (winbind on the passwd and group
# lines of /etc/nsswitch.conf).
auth       required     pam_securetty.so
# NOTE(review): a successful "sufficient" module ends the auth phase at once, so
# for those logins the system-auth stack and pam_nologin.so below are never
# consulted and /etc/nologin is not honoured. Placing pam_nologin.so above the
# sufficient lines keeps that check in force.
auth       sufficient   /lib/security/pam_winbind.so
# use_first_pass reuses the password already collected instead of prompting again.
auth       sufficient   /lib/security/pam_unix.so nodelay use_first_pass
auth       sufficient   /lib/security/pam_krb5.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
# NOTE(review): the same short-circuit applies in the account phase: when
# pam_winbind.so or pam_krb5.so succeeds, the system-auth account checks are skipped.
account    sufficient   /lib/security/pam_winbind.so
account    sufficient   /lib/security/pam_krb5.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

And when I issue getent group or getent passwd it lists both local and ADS
users.

Regards,

Luke


-----Original Message-----
From: Gavin Davenport [mailto:gavdav at gavdav.demon.co.uk]
Sent: 15 October 2003 09:05
To: samba at lists.samba.org
Cc: Tim Jordan, Network Services
Subject: RE: [Samba] Re: domain groups accessing samba share


Hiya Tim, Thanks for helping.


Can you post your
smb.conf
/etc/pam.d/login
wbinfo -g
wbinfo -u
getent passwd
getent group

Here we go:
# Global parameters
# NOTE(review): nothing in this section makes getent list domain accounts; that
# needs winbind on the passwd and group lines of /etc/nsswitch.conf.
[global]
        workgroup = MYDOMAIN
        realm = MYNETWORK.ISP.CO.UK
        server string = Linux Samba Server
# Member server of the Active Directory realm named above.
        security = ADS
        password server = bashful
# Level 3 is debugging verbosity; presumably temporary while troubleshooting.
        log level = 3
        log file = /var/log/samba/log.%m
        max log size = 100
# Only the direct-hosted SMB port is listed; port 139 is absent here.
        smb ports = 445
        announce as = NT Workstation
        name resolve order = host bcast
        wins server = 10.0.0.104
# NOTE(review): as far as I recall, Yes only offers SMB signing; "mandatory" is
# the value that refuses unsigned sessions - confirm in smb.conf(5) for this release.
        client signing = Yes
        server signing = Yes
        client use spnego = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        os level = 10
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
# Unix uid/gid ranges that winbind hands out to domain users and groups.
        idmap uid = 10000-20000
        idmap gid = 10000-20000
# NOTE(review): /bin/bash gives every winbind-mapped domain account a login
# shell wherever PAM accepts it; a non-login shell suits a host that only
# serves files.
        template shell = /bin/bash
# Both winbind lines below are commented out, so the defaults apply; the wbinfo
# output in this message shows names in the MYDOMAIN\name form.
#       winbind separator = +
        winbind cache time = 2
#       winbind use default domain = Yes
        comment = Redhat 7.1 Samba
# Only loopback and 10.0.0.x clients are accepted.
        hosts allow = 127., 10.0.0.

# Per-user home share: writable (read only = No) and hidden from browse lists
# (browseable = No).
[homes]
        comment = Home Directories
        read only = No
        browseable = No

# Software library share.
# NOTE(review): with both access lists commented out, presumably any account
# that authenticates from an allowed host can open this share. No read only
# line is set; the default is read-only as far as I recall - confirm with testparm.
[Software]
        comment = Software Library
        path = /mnt/largeprimary/software
# NOTE(review): if re-enabled, these entries name the Kerberos realm, whereas
# wbinfo -g in this message reports the group as MYDOMAIN\Domain Users. admin
# users would also let gavdav act as root on the share.
#       valid users = @MYNETWORK.ISP.CO.UK\"Domain Users"
#       Admin users = @MYNETWORK.ISP.CO.UK\gavdav

[root at potato /root]# more /etc/pam.d/login
#%PAM-1.0
# Login stack that hands auth, account, password and session to system-auth.
# No pam_winbind.so line appears here, so whether domain accounts can log in
# depends on what system-auth contains (not shown).
# NOTE(review): editing this file will not change getent output; getent reads
# NSS (/etc/nsswitch.conf), not PAM.
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
# Required and not preceded by any "sufficient" line, so /etc/nologin is always checked.
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

wbinfo -u
[root at potato /root]# wbinfo -u
MYDOMAIN\gavdav
MYDOMAIN\Guest
MYDOMAIN\Administrator
MYDOMAIN\krbtgt
MYDOMAIN\SUPPORT_388945a0
MYDOMAIN\fbloggs
<snip>

wbinfo -g
[root at potato /root]# wbinfo -g
MYDOMAIN\Domain Computers
MYDOMAIN\Cert Publishers
MYDOMAIN\Domain Users
MYDOMAIN\Domain Guests
MYDOMAIN\RAS and IAS Servers
MYDOMAIN\Group Policy Creator Owners
MYDOMAIN\Schema Admins
MYDOMAIN\Enterprise Admins
MYDOMAIN\Domain Admins
MYDOMAIN\Domain Controllers
<snip>

[root at potato /root]# getent passwd
root:x:0:0:root:/root:/bin/bash
<snip>
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
gavdav:x:500:500:Gavin Davenport:/home/gavdav:/bin/bash
named:x:200:200:Nameserver:/var/named:/bin/false
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

[root at potato /root]# getent group
root:x:0:root
<snip>
nobody:x:99:
users:x:100:gavdav
<snip>
xfs:x:43:
gdm:x:42:
gavdav:x:500:
vcsa:x:69:

getent and setent are listing local users and groups.

What do I need to change in /etc/pam.d/login to fix it ?
Where should I be looking for help ?





