[Samba] AD Domain member not authenticating

Christian Merrill cmerrill at redhat.com
Wed Dec 1 19:10:39 GMT 2004


John Stile wrote:

>I had samba working, then I tried (unsuccessfully) to set up ssh pam auth.
>Now users are prompted for a password when accessing shares, but no password
>works.  I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.  
>I forgot to back up the pam file system-auth before modifying things, so I'm not sure if that is the problem.
>-------------------------------
>These commands succeed:
>  wbinfo -u, 
>  wbinfo -g  
>  getent passwd
>  getent group
>  net ads info 
>Time is within 2 seconds between 'net time' and 'date'
>-------------------------------
>Running winbind in interactive mode while trying to connect, 
>    winbindd -S -i -F -d 8 -Y
>The end of the output (as there is a lot) looks like this:
>    ...
>    remove_duplicate_gids: Enter 5 gids
>    remove_duplicate_gids: Exit 5 gids
>    [ 6411]: gid to sid 10001
>    [ 6411]: gid to sid 10066
>    [ 6411]: gid to sid 10067
>    [ 6411]: gid to sid 10265
>    [ 6411]: gid to sid 10274
>    read failed on sock 20, pid 6411: EOF
>    read failed on sock 19, pid 6411: EOF
>-------------------------------
>/etc/samba/smb.conf 
>[global]
>   server string = Samba Server
>   workgroup = MYREALM
>   realm = MYREALM.MY.DOMAIN.COM
>   security = ADS
>   username map = /etc/samba/smbusers
>   map to guest = Bad User
>   password server = *
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>   preferred master = no
>   local master = no
>   domain master = no
>   os level = 33
>   wins server = 128.32.68.75 128.32.67.118
>   ldap ssl = no
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind separator = +
>   winbind use default domain = Yes
>   template primary group = "Domain Users"
>   template homedir = /home/%U
>   template shell = /bin/bash
>   load printers = no
>   log level = 1
>   syslog = 0
>   log file = /var/log/samba/%m.log
>   max log size = 0
>-------------------------------
>/etc/pam.d/system-auth
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth        required      /lib/security/$ISA/pam_env.so
>auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
>auth        required      /lib/security/$ISA/pam_deny.so
>
>account     required      /lib/security/$ISA/pam_unix.so
>
>password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
>password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>password    required      /lib/security/$ISA/pam_deny.so
>
>session     required      /lib/security/$ISA/pam_limits.so
>session     required      /lib/security/$ISA/pam_unix.so
>------------------------------
>
>  
>
This sounds a lot like the Kerberos incompatibility issue we know about 
with 2003 DCs. Are you using 2003 or 2000?  Also, are you sure you 
are running the 1.3.x MIT Kerberos packages?  RHEL3 doesn't ship with 
them, and if you managed to get it installed I'd be curious how you did so.

Christian


