[Samba] AD Domain member not authenticating

John Stile john at stilen.com
Wed Dec 1 19:44:51 GMT 2004


Christian Merrill wrote:
> John Stile wrote:
> 
>> On Wed, 2004-12-01 at 11:06 -0800, John Stile wrote:
>>  
>>
>>> I had samba working, then I tried (unsuccessfully) to set up ssh pam auth.
>>> Now users are prompted for a password when accessing shares, but no password works.  I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.  I forgot to back up the pam file system-auth before modifying things, so I'm not sure if that is the problem.
>>> -------------------------------
>>> These commands succeed:
>>>  wbinfo -u, wbinfo -g, getent passwd, getent group, net ads info
>>> Time is within 2 seconds between 'net time' and 'date'
>>> -------------------------------
>>> Running winbind in interactive mode while trying to connect,    
>>> winbindd -S -i -F -d 8 -Y
>>> The end of the output (as there is a lot) looks like this:
>>>    ...
>>>    remove_duplicate_gids: Enter 5 gids
>>>    remove_duplicate_gids: Exit 5 gids
>>>    [ 6411]: gid to sid 10001
>>>    [ 6411]: gid to sid 10066
>>>    [ 6411]: gid to sid 10067
>>>    [ 6411]: gid to sid 10265
>>>    [ 6411]: gid to sid 10274
>>>    read failed on sock 20, pid 6411: EOF
>>>    read failed on sock 19, pid 6411: EOF
>>> -------------------------------
>>> /etc/samba/smb.conf [global]
>>>   server string = Samba Server
>>>   workgroup = MYREALM
>>>   realm = MYREALM.MY.DOMAIN.COM
>>>   security = ADS
>>>   username map = /etc/samba/smbusers
>>>   map to guest = Bad User
>>>   password server = *
>>>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>   preferred master = no
>>>   local master = no
>>>   domain master = no
>>>   os level = 33
>>>   wins server = 128.32.68.75 128.32.67.118
>>>   ldap ssl = no
>>>   idmap uid = 10000-20000
>>>   idmap gid = 10000-20000
>>>   winbind enum users = yes
>>>   winbind enum groups = yes
>>>   winbind separator = +
>>>   winbind use default domain = Yes
>>>   template primary group = "Domain Users"
>>>   template homedir = /home/%U
>>>   template shell = /bin/bash
>>>   load printers = no
>>>   log level = 1
>>>   syslog = 0
>>>   log file = /var/log/samba/%m.log
>>>   max log size = 0
>>> -------------------------------
>>> /etc/pam.d/system-auth
>>> #%PAM-1.0
>>> # This file is auto-generated.
>>> # User changes will be destroyed the next time authconfig is run.
>>> auth        required      /lib/security/$ISA/pam_env.so
>>> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>>> auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
>>> auth        required      /lib/security/$ISA/pam_deny.so
>>>
>>> account     required      /lib/security/$ISA/pam_unix.so
>>>
>>> password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
>>> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>>> password    required      /lib/security/$ISA/pam_deny.so
>>>
>>> session     required      /lib/security/$ISA/pam_limits.so
>>> session     required      /lib/security/$ISA/pam_unix.so
>>> ------------------------------
>>>   
>>
>> I'm also seeing errors in /var/log/samba/winbindd.log
>>  [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
>>    ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
>>  [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
>>    ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
>>  [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
>>    ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
>>  [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
>>    ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
>>  [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
>>    ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
>>
> what does your /etc/krb5.conf look like?
> 
> Christian
> 
For how I initially got it working see previous post:
       Re: [Samba] AD member ticket verify errors
I need to see a copy of /etc/pam.d/system_auth from another RH-AS-3, to 
compare.  My /etc/krb5.conf has not changed since it was working, but it 
looks like this:
[logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log
[libdefaults]
   ticket_lifetime = 24000
   default_realm = MYREALM.MY.DOMAIN.COM
   dns_lookup_realm = true
   dns_lookup_kdc = true
[realms]
   MYREALM.MY.DOMAIN.COM = {
    kdc = hcs-ad-a.myrealm.my.domain.com:88
    admin_server = hcs-ad-a.myrealm.my.domain.com:749
    default_domain = myrealm.my.domain.com
   }
[domain_realm]
   .myrealm.domain.com = MYREALM.MY.DOMAIN.COM
   myrealm.domain.com = MYREALM.MY.DOMAIN.COM
   .myrealm.my.domain.com = MYREALM.MY.DOMAIN.COM
   myrealm.my.domain.com = MYREALM.MY.DOMAIN.COM
[kdc]
   profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
   pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
   }
-------------------------
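The winbindd.log quoted above reports "Cannot find KDC for requested realm" for CAMPUS.BERKELEY.EDU, while the quoted krb5.conf defines a [realms] stanza with a kdc line only for MYREALM.MY.DOMAIN.COM and sets dns_lookup_kdc = true, so any other realm is left to DNS SRV lookup. As an added example that is not part of this thread, the following Python check parses a krb5.conf (sections, key/value lines and one level of `name = { ... }` blocks), extracts the realms winbindd failed on from the log, and reports for each whether a kdc is configured or whether the lookup depends on DNS. The config and log text below are copied from the post (log lines re-joined where the mail wrapped them); the function names and the simplified [domain_realm] matching are my own assumptions.

```python
import re

# Constructed sample input: the krb5.conf quoted in the thread (abridged)
KRB5_CONF = """
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
[libdefaults]
 ticket_lifetime = 24000
 default_realm = MYREALM.MY.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
[realms]
 MYREALM.MY.DOMAIN.COM = {
  kdc = hcs-ad-a.myrealm.my.domain.com:88
  admin_server = hcs-ad-a.myrealm.my.domain.com:749
  default_domain = myrealm.my.domain.com
 }
[domain_realm]
 .myrealm.my.domain.com = MYREALM.MY.DOMAIN.COM
 myrealm.my.domain.com = MYREALM.MY.DOMAIN.COM
[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
 }
"""

# Constructed sample input: winbindd.log lines quoted in the thread, one record per line
WINBINDD_LOG = """
[2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
[2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
"""

SECTION_RE = re.compile(r'^\[(\w+)\]$')
BLOCK_RE = re.compile(r'^([^=]+?)\s*=\s*\{$')
KV_RE = re.compile(r'^([^=]+?)\s*=\s*(.*)$')
FAIL_RE = re.compile(r'krb5_get_credentials failed for (\S+?)@([A-Za-z0-9.\-]+) \((.*)\)')


def parse_krb5_conf(text):
    """Return {section: {key: value | {key: value}}}; comments (#) are stripped."""
    sections = {}
    stack = []  # innermost dict last; stack[0] is the current section
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue  # key/value before any [section] header
        if line == '}':
            if len(stack) > 1:
                stack.pop()
            continue
        m = BLOCK_RE.match(line)
        if m:
            block = {}
            stack[-1][m.group(1)] = block
            stack.append(block)
            continue
        m = KV_RE.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip()
    return sections


def failed_realms(log_text):
    """Realms named in 'krb5_get_credentials failed for principal@REALM' records."""
    return {m.group(2) for m in (FAIL_RE.search(l) for l in log_text.splitlines()) if m}


def realm_for_host(conf, hostname):
    """Simplified [domain_realm] lookup: exact host, then longest '.suffix', else default_realm.
    (Assumption: real krb5 may also consult DNS TXT records when dns_lookup_realm is true.)"""
    mapping = conf.get('domain_realm', {})
    host = hostname.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get('libdefaults', {}).get('default_realm')


def diagnose(conf_text, log_text):
    """For each realm winbindd could not reach, say where its KDC is expected to come from."""
    conf = parse_krb5_conf(conf_text)
    realms = conf.get('realms', {})
    dns_kdc = conf.get('libdefaults', {}).get('dns_lookup_kdc', 'false').lower() == 'true'
    report = {}
    for realm in sorted(failed_realms(log_text)):
        entry = realms.get(realm)
        if isinstance(entry, dict) and 'kdc' in entry:
            report[realm] = 'kdc=' + entry['kdc']
        elif dns_kdc:
            report[realm] = 'no [realms] kdc; needs DNS SRV _kerberos._udp.' + realm.lower()
        else:
            report[realm] = 'no [realms] kdc and dns_lookup_kdc is false'
    return report


if __name__ == '__main__':
    for realm, status in diagnose(KRB5_CONF, WINBINDD_LOG).items():
        print(realm, '->', status)
```

Run against the thread's own files, the report shows the realm in the log has no kdc line and is being resolved purely through DNS SRV records, which is the first thing to verify (with `host -t SRV _kerberos._udp.<realm>` or similar) before touching the PAM stack.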

