[Samba] AD Domain member not authenticating
Christian Merrill
cmerrill at redhat.com
Wed Dec 1 19:20:30 GMT 2004
John Stile wrote:
>On Wed, 2004-12-01 at 11:06 -0800, John Stile wrote:
>
>
>>I had samba working, then I tried (unsuccessfully) to setup ssh pam auth.
>>Now users are prompted for a password when accessing shares, but no password
>>works. I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.
>>I forgot to backup pam file system-auth before modifying things, so I'm not sure if that is the problem.
>>-------------------------------
>>These commands succeed:
>> wbinfo -u,
>> wbinfo -g
>> getent passwd
>> getent group
>> net ads info
>>Time is within 2 seconds between 'net time' and 'date'
>>-------------------------------
>>Running winbind in interactive mode while trying to connect,
>> winbindd -S -i -F -d 8 -Y
>>The end of the output (as there is a lot) looks like this:
>> ...
>> remove_duplicate_gids: Enter 5 gids
>> remove_duplicate_gids: Exit 5 gids
>> [ 6411]: gid to sid 10001
>> [ 6411]: gid to sid 10066
>> [ 6411]: gid to sid 10067
>> [ 6411]: gid to sid 10265
>> [ 6411]: gid to sid 10274
>> read failed on sock 20, pid 6411: EOF
>> read failed on sock 19, pid 6411: EOF
>>-------------------------------
>>/etc/samba/smb.conf
>>[global]
>> server string = Samba Server
>> workgroup = MYREALM
>> realm = MYREALM.MY.DOMAIN.COM
>> security = ADS
>> username map = /etc/samba/smbusers
>> map to guest = Bad User
>> password server = *
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> preferred master = no
>> local master = no
>> domain master = no
>> os level = 33
>> wins server = 128.32.68.75 128.32.67.118
>> ldap ssl = no
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind separator = +
>> winbind use default domain = Yes
>> template primary group = "Domain Users"
>> template homedir = /home/%U
>> template shell = /bin/bash
>> load printers = no
>> log level = 1
>> syslog = 0
>> log file = /var/log/samba/%m.log
>> max log size = 0
>>-------------------------------
>>/etc/pam.d/system-auth
>>#%PAM-1.0
>># This file is auto-generated.
>># User changes will be destroyed the next time authconfig is run.
>>auth required /lib/security/$ISA/pam_env.so
>>auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>>auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
>>auth required /lib/security/$ISA/pam_deny.so
>>
>>account required /lib/security/$ISA/pam_unix.so
>>
>>password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
>>password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>>password required /lib/security/$ISA/pam_deny.so
>>
>>session required /lib/security/$ISA/pam_limits.so
>>session required /lib/security/$ISA/pam_unix.so
>>------------------------------
>>
>>
>I'm also seeing errors in /var/log/samba/winbindd.log
> [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
> [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
> ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
> [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
> [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
> [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
> ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
>
>
>
>
What does your /etc/krb5.conf look like?
Christian
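
One way to make the check behind that question, as an added example that is not part of the original thread: pull the realm out of the "Cannot find KDC for requested realm" log lines and see what a krb5.conf offers for locating its KDC. The krb5.conf text, the EXAMPLE.COM realm, the host name and all function names are constructed for illustration; the parser assumes one relation per line and flat realm blocks.

```python
import re

# Constructed sample: winbindd.log lines in the format quoted in the post.
SAMPLE_LOG = """\
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
  ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
"""

# Constructed krb5.conf: placeholder realm and host, not from the thread.
SAMPLE_KRB5 = """\
[libdefaults]
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = kdc1.example.com:88
 }
"""

def failing_realms(log_text):
    """Realms named in 'Cannot find KDC' credential failures, deduplicated."""
    pat = r"failed for \S+@(\S+) \(Cannot find KDC for requested realm\)"
    return sorted(set(re.findall(pat, log_text)))

def parse_krb5(conf_text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    section, realm, libdefaults, realms = None, None, {}, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip(), None
        elif line.startswith("}"):
            realm = None
        elif "=" in line:
            key, _, val = (p.strip() for p in line.partition("="))
            if section == "realms" and val == "{":
                realm = key
            elif section == "realms" and realm and key == "kdc":
                realms.setdefault(realm, []).append(val)
            elif section == "libdefaults":
                libdefaults[key] = val
    return libdefaults, realms

def diagnose(log_text, conf_text):
    """Map each failing realm to what krb5.conf offers for locating its KDC."""
    libdefaults, realms = parse_krb5(conf_text)
    return {r: {"kdcs": realms.get(r, []),  # realm names are case-sensitive
                "dns_lookup_kdc": libdefaults.get("dns_lookup_kdc")}
            for r in failing_realms(log_text)}
```

An empty `kdcs` list together with `dns_lookup_kdc` set to `false` means the Kerberos library has no way to locate a KDC for that realm from this file.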