[Samba] AD Domain member not authenticating
Christian Merrill
cmerrill at redhat.com
Wed Dec 1 19:10:39 GMT 2004
John Stile wrote:
>I had samba working, then I tried (unsuccessfully) to set up ssh pam auth.
>Now users are prompted for a password when accessing shares, but no password
>works. I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.
>I forgot to back up pam file system-auth before modifying things, so I'm not sure if that is the problem.
>-------------------------------
>These commands succeed:
> wbinfo -u,
> wbinfo -g
> getent passwd
> getent group
> net ads info
>Time is within 2 seconds between 'net time' and 'date'
>-------------------------------
>Running winbind in interactive mode while trying to connect,
> winbindd -S -i -F -d 8 -Y
>The end of the output (as there is a lot) looks like this:
> ...
> remove_duplicate_gids: Enter 5 gids
> remove_duplicate_gids: Exit 5 gids
> [ 6411]: gid to sid 10001
> [ 6411]: gid to sid 10066
> [ 6411]: gid to sid 10067
> [ 6411]: gid to sid 10265
> [ 6411]: gid to sid 10274
> read failed on sock 20, pid 6411: EOF
> read failed on sock 19, pid 6411: EOF
>-------------------------------
>/etc/samba/smb.conf
>[global]
> server string = Samba Server
> workgroup = MYREALM
> realm = MYREALM.MY.DOMAIN.COM
> security = ADS
> username map = /etc/samba/smbusers
> map to guest = Bad User
> password server = *
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> preferred master = no
> local master = no
> domain master = no
> os level = 33
> wins server = 128.32.68.75 128.32.67.118
> ldap ssl = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind separator = +
> winbind use default domain = Yes
> template primary group = "Domain Users"
> template homedir = /home/%U
> template shell = /bin/bash
> load printers = no
> log level = 1
> syslog = 0
> log file = /var/log/samba/%m.log
> max log size = 0
>-------------------------------
>/etc/pam.d/system-auth
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth required /lib/security/$ISA/pam_env.so
>auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
>auth required /lib/security/$ISA/pam_deny.so
>
>account required /lib/security/$ISA/pam_unix.so
>
>password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
>password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>password required /lib/security/$ISA/pam_deny.so
>
>session required /lib/security/$ISA/pam_limits.so
>session required /lib/security/$ISA/pam_unix.so
>------------------------------
>
>
>
This sounds a lot like the Kerberos incompatibility issue we know about
with 2003 DCs... Are you using 2003 or 2000? Also, are you sure you
are running the 1.3.x MIT Kerberos packages? RHEL3 doesn't ship with
them, and if you managed to get it installed I'd be curious how you did so.
Christian