[Samba] AD Domain member not authenticating
Edward Wissner
ewissner at gmlogic.com
Thu Dec 2 13:04:22 GMT 2004
I have been following this thread. I have a similar configuration to John
with the same problem. I am running Mandrake 10.1 Community. I have
installed the latest krb5-1.3.X package from MIT. I am trying to authorize
users using a w2k AD server.
One question (possibly silly): why does every example smb.conf file use '+'
as the winbind separator? If the default is '\', why not leave it at that?
I am able to authenticate to the server, see the shared directories, but
cannot authenticate to the directory. If I create a Unix/Samba user, that
user can use the shared directories.
ed
-----Original Message-----
From: John Stile [mailto:john at stilen.com]
Sent: Wednesday, December 01, 2004 4:41 PM
To: samba at lists.samba.org
Subject: Re: [Samba] AD Domain member not authenticating
On Wed, 2004-12-01 at 11:17 -0800, John Stile wrote:
> On Wed, 2004-12-01 at 11:06 -0800, John Stile wrote:
> > I had samba working, then I tried (unsuccessfully) to set up ssh pam auth.
> > Now users are prompted for a password when accessing shares, but no password
> > works. I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.
> > I forgot to back up pam file system-auth before modifying things, so I'm not sure if that is the problem.
> > -------------------------------
> > These commands succeed:
> > wbinfo -u,
> > wbinfo -g
> > getent passwd
> > getent group
> > net ads info
> > Time is within 2 seconds between 'net time' and 'date'
> > -------------------------------
> > Running winbind in interactive mode while trying to connect,
> > winbindd -S -i -F -d 8 -Y
> > The end of the output (as there is a lot) looks like this:
> > ...
> > remove_duplicate_gids: Enter 5 gids
> > remove_duplicate_gids: Exit 5 gids
> > [ 6411]: gid to sid 10001
> > [ 6411]: gid to sid 10066
> > [ 6411]: gid to sid 10067
> > [ 6411]: gid to sid 10265
> > [ 6411]: gid to sid 10274
> > read failed on sock 20, pid 6411: EOF
> > read failed on sock 19, pid 6411: EOF
> > -------------------------------
> > /etc/samba/smb.conf
> > [global]
> > server string = Samba Server
> > workgroup = MYREALM
> > realm = MYREALM.MY.DOMAIN.COM
> > security = ADS
> > username map = /etc/samba/smbusers
> > map to guest = Bad User
> > password server = *
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > preferred master = no
> > local master = no
> > domain master = no
> > os level = 33
> > wins server = 128.32.68.75 128.32.67.118
> > ldap ssl = no
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind separator = +
> > winbind use default domain = Yes
> > template primary group = "Domain Users"
> > template homedir = /home/%U
> > template shell = /bin/bash
> > load printers = no
> > log level = 1
> > syslog = 0
> > log file = /var/log/samba/%m.log
> > max log size = 0
> > -------------------------------
> > /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required /lib/security/$ISA/pam_env.so
> > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> > auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
> > auth required /lib/security/$ISA/pam_deny.so
> >
> > account required /lib/security/$ISA/pam_unix.so
> >
> > password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
> > password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> > password required /lib/security/$ISA/pam_deny.so
> >
> > session required /lib/security/$ISA/pam_limits.so
> > session required /lib/security/$ISA/pam_unix.so
> > ------------------------------
> I'm also seeing errors in /var/log/samba/winbindd.log
> [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.DOMAIN.COM (Cannot find KDC for requested realm)
> [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
> ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
> [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.DOMAIN.COM (Cannot find KDC for requested realm)
> [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.DOMAIN.COM (Cannot find KDC for requested realm)
> [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
> ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
I'm still searching for a solution.
/var/log/messages shows
Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:get_peer_addr(1000)
Dec 1 13:38:54 myhost smbd[7915]: getpeername failed. Error was Transport endpoint is not connected
Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:get_peer_addr(1000)
Dec 1 13:38:54 myhost smbd[7915]: getpeername failed. Error was Transport endpoint is not connected
Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:write_socket_data(430)
Dec 1 13:38:54 myhost smbd[7915]: write_socket_data: write failure. Error = Connection reset by peer
Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:write_socket(455)
Dec 1 13:38:54 myhost smbd[7915]: write_socket: Error writing 4 bytes to socket 22: ERRNO = Connection reset by peer
Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:send_smb(647)
Dec 1 13:38:54 myhost smbd[7915]: Error writing 4 bytes to client. -1. (Connection reset by peer)
--
._____________________.
| \0/ John Stile |
| UniX Administration |
| / \ 510-305-3800 |
| john at stilen.com |
.---------------------.
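
A log-triage helper for the winbindd.log errors quoted above, added here as an example and not part of either poster's message: it extracts the realm from each failed `krb5_get_credentials` request and compares it with the `realm` set in smb.conf. The function names are hypothetical, and the sample input is the log and config text from the message with wrapped lines rejoined.

```python
import re
from collections import Counter

# Sample input taken from the message above (wrapped lines rejoined).
# winbindd writes a header "[date time, level] file:function(line)" and
# puts the message itself on the following line.
SAMPLE_LOG = """\
[2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.DOMAIN.COM (Cannot find KDC for requested realm)
[2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
[2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.DOMAIN.COM (Cannot find KDC for requested realm)
"""
SAMPLE_SMB_CONF = """\
[global]
   workgroup = MYREALM
   realm = MYREALM.MY.DOMAIN.COM
   security = ADS
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*\d+\]\s+(\S+)")
KRB_FAIL = re.compile(r"krb5_get_credentials failed for (\S+)@(\S+) \((.+)\)")

def configured_realm(smb_conf):
    """Return the upper-cased 'realm' parameter from smb.conf text, or None."""
    for line in smb_conf.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() == "realm":
            return value.strip().upper()
    return None

def kerberos_failures(log_text):
    """Count failures keyed by (source, principal, realm, error)."""
    counts, source = Counter(), None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            source = header.group(1)   # remember which code path logged it
            continue
        m = KRB_FAIL.search(line)
        if m:
            counts[(source, m.group(1), m.group(2).upper(), m.group(3))] += 1
    return counts

def realms_not_in_config(log_text, smb_conf):
    """Realms in failed ticket requests that differ from smb.conf's realm."""
    realm = configured_realm(smb_conf)
    return sorted({r for (_, _, r, _) in kerberos_failures(log_text) if r != realm})
```

A realm listed by `realms_not_in_config` is one the Kerberos library was asked for but that smb.conf does not name; whether a KDC can be located for it depends on krb5.conf and DNS, which the message does not show.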