[Samba] AD Domain member not authenticating

John Stile john at stilen.com
Thu Dec 2 22:12:06 GMT 2004


I was just following directions on samba.org, and when one runs 'getent
passwd' or 'getent group' a '+' is used as a separator.  
However 'testparm -s' does warn:
  'winbind separator = +' might cause problems with group membership.
So I'm lost too.

On Thu, 2004-12-02 at 08:04 -0500, Edward Wissner wrote:
> I have been following this thread.  I have a similar configuration to John
> with the same problem.  I am running Mandrake 10.1 Community.  I have
> installed the latest krb5-1.3.X package from MIT.  I am trying to authorize
> users using a w2k AD server.
> One question (possibly silly), why does every example smb.conf file use '+'
> as the winbind separator?  If the default is '\' , why not leave it at that?
> I am able to authenticate to the server, see the shared directories, but
> cannot authenticate to the directory.  If I create a Unix/Samba user, that
> user can use the shared directories.
> 
> ed
> -----Original Message-----
> From: John Stile [mailto:john at stilen.com]
> Sent: Wednesday, December 01, 2004 4:41 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD Domain member not authenticating
> 
> 
> On Wed, 2004-12-01 at 11:17 -0800, John Stile wrote:
> > On Wed, 2004-12-01 at 11:06 -0800, John Stile wrote:
> > > I had samba working, then I tried (unsuccessfully) to setup ssh pam auth.
> > > Now users are prompted for a password when accessing shares, but no password
> > > works.  I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.
> > > I forgot to backup pam file system-auth before modifying things, so I'm not sure if that is the problem.
> > > -------------------------------
> > > These commands succeed:
> > >   wbinfo -u,
> > >   wbinfo -g
> > >   getent passwd
> > >   getent group
> > >   net ads info
> > > Time is within 2 seconds between 'net time' and 'date'
> > > -------------------------------
> > > Running winbind in interactive mode while trying to connect,
> > >     winbindd -S -i -F -d 8 -Y
> > > The end of the output (as there is a lot) looks like this:
> > >     ...
> > >     remove_duplicate_gids: Enter 5 gids
> > >     remove_duplicate_gids: Exit 5 gids
> > >     [ 6411]: gid to sid 10001
> > >     [ 6411]: gid to sid 10066
> > >     [ 6411]: gid to sid 10067
> > >     [ 6411]: gid to sid 10265
> > >     [ 6411]: gid to sid 10274
> > >     read failed on sock 20, pid 6411: EOF
> > >     read failed on sock 19, pid 6411: EOF
> > > -------------------------------
> > > /etc/samba/smb.conf
> > > [global]
> > >    server string = Samba Server
> > >    workgroup = MYREALM
> > >    realm = MYREALM.MY.DOMAIN.COM
> > >    security = ADS
> > >    username map = /etc/samba/smbusers
> > >    map to guest = Bad User
> > >    password server = *
> > >    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > >    preferred master = no
> > >    local master = no
> > >    domain master = no
> > >    os level = 33
> > >    wins server = 128.32.68.75 128.32.67.118
> > >    ldap ssl = no
> > >    idmap uid = 10000-20000
> > >    idmap gid = 10000-20000
> > >    winbind enum users = yes
> > >    winbind enum groups = yes
> > >    winbind separator = +
> > >    winbind use default domain = Yes
> > >    template primary group = "Domain Users"
> > >    template homedir = /home/%U
> > >    template shell = /bin/bash
> > >    load printers = no
> > >    log level = 1
> > >    syslog = 0
> > >    log file = /var/log/samba/%m.log
> > >    max log size = 0
> > > -------------------------------
> > > /etc/pam.d/system-auth
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth        required      /lib/security/$ISA/pam_env.so
> > > auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> > > auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
> > > auth        required      /lib/security/$ISA/pam_deny.so
> > >
> > > account     required      /lib/security/$ISA/pam_unix.so
> > >
> > > password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
> > > password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> > > password    required      /lib/security/$ISA/pam_deny.so
> > >
> > > session     required      /lib/security/$ISA/pam_limits.so
> > > session     required      /lib/security/$ISA/pam_unix.so
> > > ------------------------------
> > I'm also seeing errors in /var/log/samba/winbindd.log
> >   [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> >     ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.DOMAIN.COM (Cannot find KDC for requested realm)
> >   [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
> >     ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
> >   [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> >     ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.DOMAIN.COM (Cannot find KDC for requested realm)
> >   [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> >     ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.DOMAIN.COM (Cannot find KDC for requested realm)
> >   [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
> >     ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
> I'm still searching for a solution.
> /var/log/messages shows
> Dec  1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:get_peer_addr(1000)
> Dec  1 13:38:54 myhost smbd[7915]:   getpeername failed. Error was Transport endpoint is not connected
> Dec  1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:get_peer_addr(1000)
> Dec  1 13:38:54 myhost smbd[7915]:   getpeername failed. Error was Transport endpoint is not connected
> Dec  1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:write_socket_data(430)
> Dec  1 13:38:54 myhost smbd[7915]:   write_socket_data: write failure. Error = Connection reset by peer
> Dec  1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:write_socket(455)
> Dec  1 13:38:54 myhost smbd[7915]:   write_socket: Error writing 4 bytes to socket 22: ERRNO = Connection reset by peer
> Dec  1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:send_smb(647)
> Dec  1 13:38:54 myhost smbd[7915]:   Error writing 4 bytes to client. -1. (Connection reset by peer)
> 
> --
> ._____________________.
> |   \0/    John Stile |
> | UniX Administration |
> |   / \  510-305-3800 |
> |     john at stilen.com |
> .---------------------.
> 
> 
-- 
._____________________.
|   \0/    John Stile |
| UniX Administration |
|   / \  510-305-3800 |     
|     john at stilen.com |
.---------------------.
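The thread's winbindd.log error ("Cannot find KDC for requested realm") and the testparm warning about 'winbind separator = +' both come down to configuration the member server can check offline. The script below is an added example written for this archive page; it is not code from the thread or from the Samba project. It parses copies of smb.conf and krb5.conf with awk and reports whether krb5.conf can actually locate a KDC for the realm smb.conf names, flags the '+' separator, and checks the clock skew the thread measures with 'net time' against 'date'. The config fragments it writes are constructed for the example: the realm CAMPUS.DOMAIN.COM is the one in the posted log, the workgroup and the KDC hostname dc1.campus.domain.com are placeholders, and the 300-second limit is Kerberos' default clockskew.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for a Samba 3 AD
# member server whose winbindd.log says "Cannot find KDC for requested realm".
# Reads copies of smb.conf and krb5.conf; the fragments written below are
# constructed (realm from the posted log, KDC hostname is a placeholder).

# Print the value of parameter $2 from the [global] section of smb.conf $1.
smbconf_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { inglobal = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        inglobal && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# "yes" if krb5.conf $1 has a [realms] stanza for realm $2 that names a kdc, else "no".
krb5_realm_has_kdc() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { inrealms = ($0 ~ /^[ \t]*\[realms\]/); instanza = 0; next }
        inrealms && !instanza && index($0, "{") > 0 {
            name = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", name)
            if (name == realm) instanza = 1
            next
        }
        instanza && index($0, "}") > 0 { instanza = 0; next }
        instanza && /^[ \t]*kdc[ \t]*=/ { found = 1 }
        END { print (found ? "yes" : "no") }' "$1"
}

# "yes"/"no" for an explicit dns_lookup_kdc in [libdefaults], "unset" if absent.
# Without a [realms] stanza, DNS SRV records are the only way libkrb5 finds the KDC.
krb5_dns_lookup_kdc() {
    awk '
        /^[ \t]*\[/ { inlib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        inlib && /^[ \t]*dns_lookup_kdc[ \t]*=/ {
            v = tolower($0); sub(/.*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            print ((v == "true" || v == "yes") ? "yes" : "no"); done = 1; exit
        }
        END { if (!done) print "unset" }' "$1"
}

# One verdict line for the realm smb.conf $1 configures, using krb5.conf $2.
diagnose() {
    realm=$(smbconf_get "$1" realm)
    if [ -z "$realm" ]; then echo "no realm set in smb.conf"; return 0; fi
    # Kerberos realm names are case-sensitive and conventionally upper-case.
    if [ "$realm" != "$(printf %s "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm '$realm' is not upper-case"; return 0
    fi
    if [ "$(krb5_realm_has_kdc "$2" "$realm")" = yes ]; then
        echo "kdc for $realm configured in krb5.conf"; return 0
    fi
    case "$(krb5_dns_lookup_kdc "$2")" in
        no) echo "no kdc for $realm in krb5.conf and dns_lookup_kdc is false" ;;
        *)  echo "no kdc for $realm in krb5.conf; KDC lookup depends on SRV record _kerberos._tcp.$realm" ;;
    esac
}

# testparm's warning from the thread: '+' may break group membership (default is backslash).
winbind_separator_warning() {
    case "$(smbconf_get "$1" "winbind separator")" in
        "")  echo "default separator (backslash) in use" ;;
        "+") echo "'+' as winbind separator may break group membership (testparm warning)" ;;
        *)   echo "non-default winbind separator in use" ;;
    esac
}

# Kerberos rejects requests when clocks differ by more than clockskew (300 s default).
clock_skew_ok() {   # $1 = local epoch seconds, $2 = DC epoch seconds
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le 300 ]
}

# --- constructed sample configs (not the poster's files) ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SMBCONF="$WORK/smb.conf"; KRB5_BAD="$WORK/krb5-bad.conf"; KRB5_OK="$WORK/krb5-ok.conf"
cat >"$SMBCONF" <<'EOF'
[global]
   workgroup = CAMPUS
   realm = CAMPUS.DOMAIN.COM
   security = ADS
   winbind separator = +
EOF
# No stanza for the realm and DNS lookup disabled: nothing can locate the KDC.
cat >"$KRB5_BAD" <<'EOF'
[libdefaults]
    default_realm = CAMPUS.DOMAIN.COM
    dns_lookup_kdc = false
[realms]
    OTHER.EXAMPLE.COM = {
        kdc = kdc.other.example.com
    }
EOF
# Realm stanza present; dc1.campus.domain.com is a placeholder hostname.
cat >"$KRB5_OK" <<'EOF'
[libdefaults]
    default_realm = CAMPUS.DOMAIN.COM
[realms]
    CAMPUS.DOMAIN.COM = {
        kdc = dc1.campus.domain.com
    }
EOF

diagnose "$SMBCONF" "$KRB5_BAD"
diagnose "$SMBCONF" "$KRB5_OK"
winbind_separator_warning "$SMBCONF"
```

On a real member server, point diagnose at /etc/samba/smb.conf and /etc/krb5.conf and feed clock_skew_ok the epoch seconds from the local clock and from the domain controller; a verdict of "no kdc ... in krb5.conf" with SRV lookup as the only remaining path is where to look first when winbindd logs that it cannot find the KDC.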
