[Samba] AD Domain member not authenticating

John Stile john at stilen.com
Wed Dec 1 19:17:44 GMT 2004


On Wed, 2004-12-01 at 11:06 -0800, John Stile wrote:
> I had samba working, then I tried (unsuccessfully) to set up ssh pam auth.
> Now users are prompted for a password when accessing shares, but no password
> works.  I am using Red Hat AS 3, samba-3.0.9-1, and krb5-1.3.
> I forgot to back up the pam file system-auth before modifying things, so I'm not sure if that is the problem.
> -------------------------------
> These commands succeed:
>   wbinfo -u, 
>   wbinfo -g  
>   getent passwd
>   getent group
>   net ads info 
> Time is within 2 seconds between 'net time' and 'date'
> -------------------------------
> Running winbind in interactive mode while trying to connect, 
>     winbindd -S -i -F -d 8 -Y
> The end of the output (as there is a lot) looks like this:
>     ...
>     remove_duplicate_gids: Enter 5 gids
>     remove_duplicate_gids: Exit 5 gids
>     [ 6411]: gid to sid 10001
>     [ 6411]: gid to sid 10066
>     [ 6411]: gid to sid 10067
>     [ 6411]: gid to sid 10265
>     [ 6411]: gid to sid 10274
>     read failed on sock 20, pid 6411: EOF
>     read failed on sock 19, pid 6411: EOF
> -------------------------------
> /etc/samba/smb.conf 
> [global]
>    server string = Samba Server
>    workgroup = MYREALM
>    realm = MYREALM.MY.DOMAIN.COM
>    security = ADS
>    username map = /etc/samba/smbusers
>    map to guest = Bad User
>    password server = *
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    preferred master = no
>    local master = no
>    domain master = no
>    os level = 33
>    wins server = 128.32.68.75 128.32.67.118
>    ldap ssl = no
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind separator = +
>    winbind use default domain = Yes
>    template primary group = "Domain Users"
>    template homedir = /home/%U
>    template shell = /bin/bash
>    load printers = no
>    log level = 1
>    syslog = 0
>    log file = /var/log/samba/%m.log
>    max log size = 0
> -------------------------------
> /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
> auth        required      /lib/security/$ISA/pam_deny.so
> 
> account     required      /lib/security/$ISA/pam_unix.so
> 
> password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    required      /lib/security/$ISA/pam_deny.so
> 
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> ------------------------------
I'm also seeing errors in /var/log/samba/winbindd.log
  [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
    ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
  [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
    ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
  [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
    ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
  [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
    ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
  [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
    ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm



