[Samba] wbinfo -a is failing

Tim Jordan timothy_jordan at labor.state.ak.us
Tue Apr 13 21:12:45 GMT 2004



-----Forwarded Message-----

> From: Tim Jordan <timothy_jordan at labor.state.ak.us>
> To: Jim Smith <elemint1 at linuxmail.org>, aklug at aklug.org
> Subject: Re: [Samba] wbinfo -a is failing
> Date: Tue, 13 Apr 2004 14:40:05 -0800
> 
> Samba Team, could you please advise if I have broken security by making
> the following changes.....Thanks.........TJ
> This may or may not be applicable to your case but take a look at the
> following I just did on my Mandrake box:
> 
> 
> > [tim at localhost tim]$ wbinfo -a tim%secret
> > plaintext password authentication succeeded
> > challenge/response password authentication failed
> > error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> > error messsage was: winbind client not authorized to use winbindd_pam_auth_crap.  Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.
> > Could not authenticate user tim with challenge/response
> > [tim at localhost tim]$ ls -l /var/cache/samba/w
> > winbindd_cache.tdb   winbindd_idmap.tdb   winbindd_privileged
> > [tim at localhost tim]$ ls -l /var/cache/samba/winbindd_privileged/
> > ls: /var/cache/samba/winbindd_privileged/: Permission denied
> > 
> > [tim at localhost tim]$ su
> > Password:
> > 
> > [root at localhost tim]# ls -l /var/cache/samba/
> > total 6852
> > drwxr-x---  2 root root    4096 Apr 13 13:43 winbindd_privileged/
> > 
> > 
> 
> 
> Once this worked I changed the group ownership to "Domain Admins".  Then I tried again, no root this time, and it succeeded!
> 
> 
> > [root at localhost tim]# chgrp "Domain Admins" /var/cache/samba/winbindd_privileged/
> > [tim at localhost tim]$ ls -l /var/cache/samba/
> > drwxrwx---  2 root Domain Admins    4096 Apr 13 13:43 winbindd_privileged/
> > [tim at localhost tim]$ wbinfo -a tim%secret
> > plaintext password authentication succeeded
> > challenge/response password authentication succeeded
> > 
> 
> 
> 
> I hope this helps.....TJ
> 
> On Tue, 2004-04-13 at 14:16, Jim Smith wrote:
> 
> > I have edited /etc/pam.d/login to include the following
> > 
> > auth       sufficient   /lib/security/pam_winbind.so
> > 
> > account    sufficient   /lib/security/pam_winbind.so
> > 
> > but at that point I was still not able to use wbinfo -a but that also broke wbinfo -u and wbinfo -g
> > 
> > I got the documentation from here.
> > 
> > http://us3.samba.org/samba/docs/using_samba/ch09.html
> > 
> > 
> > 
> > 
> > 
> > Jim
> > 
> > 
> > 
> > ----- Original Message -----
> > From: Tim Jordan <timothy_jordan at labor.state.ak.us>
> > Date: Tue, 13 Apr 2004 11:29:50 -0800
> > To: Jim Smith <elemint1 at linuxmail.org>
> > Subject: Re: [Samba] wbinfo -a is failing
> > 
> > > Good winbindd is working.
> > > 
> > > Here are notes from a server I configured about a year ago.  This may help
> > > in your case.  I do know that some systems function differently with
> > > pam.  Also pam is very "touchy" - so you may have to tweak your configs
> > > until it works.
> > > 
> > > /etc/pam.d/login
> > > auth    required    /lib/security/pam_securetty.so
> > > auth    required    /lib/security/pam_nologin.so
> > > auth    sufficient    /lib/security/pam_winbind.so
> > > auth    sufficient    /lib/security/pam_env.so
> > > auth    required     /lib/security/pam_unix.so use_first_pass nullok
> > > 
> > > account    sufficient    /lib/security/pam_winbind.so
> > > account    sufficient    /lib/security/pam_unix.so
> > > 
> > > 
> > > /etc/pam.d/system-auth
> > > auth    required     /lib/security/pam_env.so
> > > auth    sufficient     /lib/security/pam_winbind.so
> > > auth    sufficient     /lib/security/pam_unix.so use_first_pass nullok
> > > use_first_pass
> > > auth    required    /lib/security/pam_deny.so
> > > 
> > > account    sufficient    /lib/security/pam_winbind.so
> > > account    sufficient    /lib/security/pam_unix.so
> > > 
> > > 
> > > I'll be here for another hour if I can help,
> > > TJ
> > > 
> > > On Tue, 2004-04-13 at 13:12, Jim Smith wrote:
> > > 
> > > > wbinfo -u and wbinfo -g both work and report back the users and groups from the AD domain.
> > > > 
> > > > 
> > > > Jim
> > > > ----- Original Message -----
> > > > From: Tim Jordan <timothy_jordan at labor.state.ak.us>
> > > > Date: Tue, 13 Apr 2004 10:44:18 -0800
> > > > To: Jim Smith <elemint1 at linuxmail.org>
> > > > Subject: Re: [Samba] wbinfo -a is failing
> > > > 
> > > > > If you're going to logon with AD doing the authentication - then yes you
> > > > > need to tweak your pam.d/login.
> > > > > 
> > > > > You should be able to query the domain for users and groups if you
> > > > > configured properly.
> > > > > wbinfo -u
> > > > > wbinfo -g
> > > > > 
> > > > > Let me know,
> > > > > TJ
> > > > > On Tue, 2004-04-13 at 12:28, Jim Smith wrote:
> > > > > 
> > > > > > I specified it in my smb.conf by  password server = ip.address.of.MS.AD.server
> > > > > > 
> > > > > > I have not edited my /etc/pam.d/login file maybe that is the problem...
> > > > > > 
> > > > > > When I try to use wbinfo and I check tcpdump I do not see any traffic coming across to the AD server so it seems the traffic is not getting off the samba server and going to the AD server.
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > Jim
> > > > > > ----- Original Message -----
> > > > > > From: Tim Jordan <timothy_jordan at labor.state.ak.us>
> > > > > > Date: Tue, 13 Apr 2004 10:22:00 -0800
> > > > > > To: Jim Smith <elemint1 at linuxmail.org>
> > > > > > Subject: Re: [Samba] wbinfo -a is failing
> > > > > > 
> > > > > > > Jim, did you specify the password server in your smb.conf?
> > > > > > > 
> > > > > > > On Tue, 2004-04-13 at 11:28, Jim Smith wrote:
> > > > > > > 
> > > > > > > > I have been reading the FAQ and the online samba how to's and been googling to find out why wbinfo is failing on me.
> > > > > > > > 
> > > > > > > > 
> > > > > > > > I am trying to use wbinfo -a domainname\\username%password to authenticate to my MS AD domain but what is happening is every time I try I get the following output.
> > > > > > > > 
> > > > > > > > plaintext password authentication failed
> > > > > > > > error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> > > > > > > > error messsage was: No logon servers
> > > > > > > > Could not authenticate user domain\username%password with plaintext password
> > > > > > > > challenge/response password authentication failed
> > > > > > > > error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> > > > > > > > error messsage was: No logon servers
> > > > > > > > Could not authenticate user doamin\username with challenge/response
> > > > > > > > 
> > > > > > > > 
> > > > > > > > OS Debian
> > > > > > > > Samba 3.0.2a-1
> > > > > > > > 
> > > > > > > > 
> > > > > > > > Jim
> 
> 
> 
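
An added example, not part of the thread: a shell check for the question raised at the top of the forwarded message. It compares the winbindd_privileged directory against the baseline in the first listing (drwxr-x--- root root) and flags the group-writable mode that appears in the second listing. The function name audit_priv_dir and its optional owner-uid argument are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the winbindd privileged-pipe directory.
# Baseline is the thread's first listing: drwxr-x--- root root. Needs GNU stat.

audit_priv_dir() {
    dir=$1
    want_uid=${2:-0}          # expected owner uid; 0 = root (argument exists for testing)
    rc=0
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing, a symlink, or not a directory"
        return 2
    fi
    # Separate stat calls: a group name such as "Domain Admins" contains a space.
    mode=$(stat -c '%a' "$dir")
    uid=$(stat -c '%u' "$dir")
    group=$(stat -c '%G' "$dir")
    gid=$(stat -c '%g' "$dir")
    bits=$((0$mode))          # parse stat's octal string as a number

    if [ "$uid" -ne "$want_uid" ]; then
        echo "FAIL: owner uid is $uid, expected $want_uid"; rc=1
    fi
    if [ $((bits & 007)) -ne 0 ]; then
        echo "FAIL: mode $mode lets every local user into the directory"; rc=1
    fi
    if [ $((bits & 020)) -ne 0 ]; then
        echo "FAIL: mode $mode is group-writable; members of '$group' can alter its contents"; rc=1
    fi
    # Group r-x is how access gets delegated; report which group receives it.
    if [ $((bits & 050)) -ne 0 ] && [ "$gid" -ne 0 ]; then
        echo "NOTE: group '$group' (gid $gid) can reach the privileged pipe"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir mode $mode uid $uid group '$group'"
    return "$rc"
}

# Stand-alone use: sh audit.sh /var/cache/samba/winbindd_privileged
if [ "$#" -gt 0 ]; then audit_priv_dir "$@"; fi
```

A NOTE line is informational: every member of the named group can use the challenge/response interface, so the group's membership is what needs reviewing (for example with `getent group`).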

