[Samba] AD Domain member not authenticating
John Stile
john at stilen.com
Thu Dec 2 22:12:06 GMT 2004
I was just following directions on samba.org, and when one runs 'getent
passwd' or 'getent group' a '+' is used as a separator.
However 'testparrm -s' does warn:
'winbind separator = +' might cause probles with group membership.
So I'm lost too.
On Thu, 2004-12-02 at 08:04 -0500, Edward Wissner wrote:
> I have been following this thread. I have a similar configuration to John
> with the same problem. I am running Mandrake 10.1 Community. I have
> installed the latest krb5-1.3.X package from MIT. I am trying to authorize
> users using a w2k AD server.
> One question (possibly silly), why does every example smb.conf file use '+'
> as the winbind separator? If the defualt is '\' , why not leave it at that?
> I am able to authenticate to the serve, see the shared directories, but
> cannot authenticate to the directory. If I create a Unix/Samba user, that
> user can use the shared directories.
>
> ed
> -----Original Message-----
> From: John Stile [mailto:john at stilen.com]
> Sent: Wednesday, December 01, 2004 4:41 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD Domain member not authenticating
>
>
> On Wed, 2004-12-01 at 11:17 -0800, John Stile wrote:
> > On Wed, 2004-12-01 at 11:06 -0800, John Stile wrote:
> > > I had samba working, then I tried (unsuccessfully) to setup ssh pam
> auth.
> > > Now users are prompted for a password when accessing shares, but no
> password
> > > works. I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.
> > > I forgot to backup pam file system-auth before modifying things, so I'm
> not sure if that is the problem.
> > > -------------------------------
> > > These commands succeed:
> > > wbinfo -u,
> > > wbinfo -g
> > > getent passwd
> > > getent group
> > > net ads info
> > > Time is within 2 seconds between 'net time' and 'date'
> > > -------------------------------
> > > Running winbind in interactive mode while trying to connect,
> > > winbindd -S -i -F -d 8 -Y
> > > The end of the output (as there is a lot) looks like this:
> > > ...
> > > remove_duplicate_gids: Enter 5 gids
> > > remove_duplicate_gids: Exit 5 gids
> > > [ 6411]: gid to sid 10001
> > > [ 6411]: gid to sid 10066
> > > [ 6411]: gid to sid 10067
> > > [ 6411]: gid to sid 10265
> > > [ 6411]: gid to sid 10274
> > > read failed on sock 20, pid 6411: EOF
> > > read failed on sock 19, pid 6411: EOF
> > > -------------------------------
> > > /etc/samba/smb.conf
> > > [global]
> > > server string = Samba Server
> > > workgroup = MYREALM
> > > realm = MYREALM.MY.DOMAIN.COM
> > > security = ADS
> > > username map = /etc/samba/smbusers
> > > map to guest = Bad User
> > > password server = *
> > > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > > preferred master = no
> > > local master = no
> > > domain master = no
> > > os level = 33
> > > wins server = 128.32.68.75 128.32.67.118
> > > ldap ssl = no
> > > idmap uid = 10000-20000
> > > idmap gid = 10000-20000
> > > winbind enum users = yes
> > > winbind enum groups = yes
> > > winbind separator = +
> > > winbind use default domain = Yes
> > > template primary group = "Domain Users"
> > > template homedir = /home/%U
> > > template shell = /bin/bash
> > > load printers = no
> > > log level = 1
> > > syslog = 0
> > > log file = /var/log/samba/%m.log
> > > max log size = 0
> > > -------------------------------
> > > /etc/pam.d/system-auth
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth required /lib/security/$ISA/pam_env.so
> > > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> > > auth sufficient /lib/security/$ISA/pam_smb_auth.so
> use_first_pass nolocal
> > > auth required /lib/security/$ISA/pam_deny.so
> > >
> > > account required /lib/security/$ISA/pam_unix.so
> > >
> > > password required /lib/security/$ISA/pam_cracklib.so retry=3
> type=
> > > password sufficient /lib/security/$ISA/pam_unix.so nullok
> use_authtok md5 shadow
> > > password required /lib/security/$ISA/pam_deny.so
> > >
> > > session required /lib/security/$ISA/pam_limits.so
> > > session required /lib/security/$ISA/pam_unix.so
> > > ------------------------------
> > I'm also seeing errors in /var/log/samba/winbindd.log
> > [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> > ads_krb5_mk_req: krb5_get_credentials failed for
> actdir05$@CAMPUS.DOMAIN.COM (Cannot find KDC for requested realm)
> > [2004/12/01 11:14:40, 1]
> nsswitch/winbindd_ads.c:ads_cached_connection(81)
> > ads_connect for domain CAMPUS failed: Cannot find KDC for requested
> realm
> > [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> > ads_krb5_mk_req: krb5_get_credentials failed for
> actdir05$@CAMPUS.DOMAIN.COM (Cannot find KDC for requested realm)
> > [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> > ads_krb5_mk_req: krb5_get_credentials failed for
> actdir05$@CAMPUS.DOMAIN.COM (Cannot find KDC for requested realm)
> > [2004/12/01 11:14:40, 1]
> nsswitch/winbindd_ads.c:ads_cached_connection(81)
> > ads_connect for domain CAMPUS failed: Cannot find KDC for requested
> realm
> I'm still searching for a solution.
> /var/log/messages shows
> Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0]
> lib/util_sock.c:get_peer_addr(1000)
> Dec 1 13:38:54 myhost smbd[7915]: getpeername failed. Error was Transport
> endpoint is not connected
> Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0]
> lib/util_sock.c:get_peer_addr(1000)
> Dec 1 13:38:54 myhost smbd[7915]: getpeername failed. Error was Transport
> endpoint is not connected
> Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0]
> lib/util_sock.c:write_socket_data(430)
> Dec 1 13:38:54 myhost smbd[7915]: write_socket_data: write failure. Error
> = Connection reset by peer
> Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0]
> lib/util_sock.c:write_socket(455)
> Dec 1 13:38:54 myhost smbd[7915]: write_socket: Error writing 4 bytes to
> socket 22: ERRNO = Connection reset by peer
> Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0]
> lib/util_sock.c:send_smb(647)
> Dec 1 13:38:54 myhost smbd[7915]: Error writing 4 bytes to client. -1.
> (Connection reset by peer)
>
> --
> ._____________________.
> | \0/ John Stile |
> | UniX Administration |
> | / \ 510-305-3800 |
> | john at stilen.com |
> .---------------------.
>
>
--
._____________________.
| \0/ John Stile |
| UniX Administration |
| / \ 510-305-3800 |
| john at stilen.com |
.---------------------.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20041202/3527db3d/attachment.bin
More information about the samba
mailing list