[Samba] AD Domain member not authenticating
John Stile
john at stilen.com
Wed Dec 1 19:44:51 GMT 2004
Christian Merrill wrote:
> John Stile wrote:
>
>> On Wed, 2004-12-01 at 11:06 -0800, John Stile wrote:
>>
>>
>>> I had samba working, then I tried (unsuccessfully) to setup ssh pam
>>> auth.
>>> Now users are prompted for a password when accessing shares, but no
>>> password
>>> works. I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3. I
>>> forgot to backup pam file system-auth before modifying things, so I'm
>>> not sure if that is the problem.
>>> -------------------------------
>>> These commands succeed:
>>> wbinfo -u, wbinfo -g
>>> getent passwd
>>> getent group
>>> net ads info
>>> Time is within 2 seconds between 'net time' and 'date'
>>> -------------------------------
>>> Running winbind in interactive mode while trying to connect,
>>> winbindd -S -i -F -d 8 -Y
>>> The end of the output (as there is a lot) looks like this:
>>> ...
>>> remove_duplicate_gids: Enter 5 gids
>>> remove_duplicate_gids: Exit 5 gids
>>> [ 6411]: gid to sid 10001
>>> [ 6411]: gid to sid 10066
>>> [ 6411]: gid to sid 10067
>>> [ 6411]: gid to sid 10265
>>> [ 6411]: gid to sid 10274
>>> read failed on sock 20, pid 6411: EOF
>>> read failed on sock 19, pid 6411: EOF
>>> -------------------------------
>>> /etc/samba/smb.conf [global]
>>> server string = Samba Server
>>> workgroup = MYREALM
>>> realm = MYREALM.MY.DOMAIN.COM
>>> security = ADS
>>> username map = /etc/samba/smbusers
>>> map to guest = Bad User
>>> password server = *
>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> preferred master = no
>>> local master = no
>>> domain master = no
>>> os level = 33
>>> wins server = 128.32.68.75 128.32.67.118
>>> ldap ssl = no
>>> idmap uid = 10000-20000
>>> idmap gid = 10000-20000
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind separator = +
>>> winbind use default domain = Yes
>>> template primary group = "Domain Users"
>>> template homedir = /home/%U
>>> template shell = /bin/bash
>>> load printers = no
>>> log level = 1
>>> syslog = 0
>>> log file = /var/log/samba/%m.log
>>> max log size = 0
>>> -------------------------------
>>> /etc/pam.d/system-auth
>>> #%PAM-1.0
>>> # This file is auto-generated.
>>> # User changes will be destroyed the next time authconfig is run.
>>> auth required /lib/security/$ISA/pam_env.so
>>> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>>> auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
>>> auth required /lib/security/$ISA/pam_deny.so
>>>
>>> account required /lib/security/$ISA/pam_unix.so
>>>
>>> password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
>>> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>>> password required /lib/security/$ISA/pam_deny.so
>>>
>>> session required /lib/security/$ISA/pam_limits.so
>>> session required /lib/security/$ISA/pam_unix.so
>>> ------------------------------
>>>
>>
>> I'm also seeing errors in /var/log/samba/winbindd.log
>> [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
>>   ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
>> [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
>>   ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
>> [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
>>   ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
>> [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
>>   ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
>> [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
>>   ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
>>
>>
>>
>>
> what does your /etc/krb5.conf look like?
>
> Christian
>
For how I initially got it working see previous post:
Re: [Samba] AD member ticket verify errors
I need to see a copy of /etc/pam.d/system_auth from another RH-AS-3, to
compare. My /etc/krb5.conf has not changed since it was working, but it
looks like this:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = MYREALM.MY.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
MYREALM.MY.DOMAIN.COM = {
kdc = hcs-ad-a.myrealm.my.domain.com:88
admin_server = hcs-ad-a.myrealm.my.domain.com:749
default_domain = myrealm.my.domain.com
}
[domain_realm]
.myrealm.domain.com = MYREALM.MY.DOMAIN.COM
myrealm.domain.com = MYREALM.MY.DOMAIN.COM
.myrealm.my.domain.com = MYREALM.MY.DOMAIN.COM
myrealm.my.domain.com = MYREALM.MY.DOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
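An added example, not part of the thread: a small Python check that cross-references the winbindd "Cannot find KDC for requested realm" lines quoted above with krb5.conf. It shows that the realm winbind is failing on (CAMPUS.BERKELEY.EDU) is not the one defined under [realms], so its KDC can only be found if dns_lookup_kdc is true and DNS answers the _kerberos._tcp SRV query for that realm. The config and log text are constructed from the quoted posts, trimmed to the relevant parts.

```python
import re
# Constructed sample inputs modelled on the krb5.conf and winbindd.log quoted in
# the thread (same hostnames and principal, trimmed to the parts that matter).
KRB5_CONF = """\
[libdefaults]
 default_realm = MYREALM.MY.DOMAIN.COM
 dns_lookup_kdc = true
[realms]
 MYREALM.MY.DOMAIN.COM = {
  kdc = hcs-ad-a.myrealm.my.domain.com:88
 }
"""
WINBINDD_LOG = """\
[2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
"""

def parse_krb5_conf(text):
    """Return ({section: {key: value}}, {realm: [kdc, ...]}) from krb5.conf text."""
    sections, realms = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section, realm = line[1:-1], None
        elif section == 'realms' and line.endswith('{'):
            realm = line.split('=', 1)[0].strip()
            realms.setdefault(realm, [])              # block seen, kdc lines may follow
        elif line == '}':
            realm = None
        elif '=' in line and section:
            key, value = (s.strip() for s in line.split('=', 1))
            if realm is None:
                sections.setdefault(section, {})[key] = value
            elif key == 'kdc':
                realms[realm].append(value)
    return sections, realms

# Realm from a winbindd "Cannot find KDC" line; the principal is machine$@REALM.
KDC_ERR = re.compile(r'krb5_get_credentials failed for \S+@(\S+) \(Cannot find KDC')

def realms_missing_kdc(conf_text, log_text):
    """Realms from winbindd 'Cannot find KDC' lines that have no kdc line in
    krb5.conf, and whether dns_lookup_kdc lets DNS SRV records fill the gap."""
    sections, realms = parse_krb5_conf(conf_text)
    dns = sections.get('libdefaults', {}).get('dns_lookup_kdc', '').lower() == 'true'
    missing = sorted(r for r in set(KDC_ERR.findall(log_text)) if not realms.get(r))
    return missing, dns
```

With the thread's settings the result is (['CAMPUS.BERKELEY.EDU'], True): the realm has no static kdc entry, so the next thing to verify is that the resolver on the member server returns SRV records for it.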