[Samba] Winbind not quite working yet

Kent L. Nasveschuk kent at wareham.k12.ma.us
Thu Jan 1 19:04:45 GMT 2004


Hello,
I'm trying to get Winbind to authenticate users that don't have local
accounts on a SAMBA BDC.

I have (3) BDCs (1) PDC running OpenLDAP 2.1.23 pass backend and Samba
3.0. These are on RedHat 8.0 systems. 3 BDC are also slave LDAP and 1
master directory server on the PDC.


I went through the Samba documentation CH21 and made modifications to
the BDCs and PDC as follows:

nsswitch.conf files winbind for passwd and group

pam.d/login

#%PAM-1.0
#auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so


pam.d/samba

#%PAM-1.0
#auth    required        /lib/security/pam_stack.so service=system-auth
#account required        /lib/security/pam_stack.so service=system-auth
auth    required        /lib/security/pam_nologin.so
auth    required        /lib/security/pam_pwdb.so nullok shadow
auth    required        /lib/security/pam_stack.so service=system-auth
account required        /lib/security/pam_winbind.so
account required        /lib/security/pam_pwdb.so
account required        /lib/security/pam_stack.so service=system-auth
session required        /lib/security/pam_stack.so service=system-auth
password required       /lib/security/pam_stack.so service=system-auth


pam.d/system-auth

#%PAM-1.0
auth        sufficient    /lib/security/pam_winbind.so
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_mkhomedir.so umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

pam_winbind.so is in /lib/security

libnss_winbind.so and symbolic link to it from libnss_winbind.so.2

smb.conf
...
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /accounts/default/%D/%U
        template shell = /bin/bash
        winbind use default domain = yes

...

If I run smbclient on a BDC:
smbclient -L localhost -U fred

where fred is a local account I get shares and an appropriate response.
When I check the logs, samba.bdc name it indicates that samba is getting
information from the LDAP directory, including password.

When I do the same for a person without a local account, the LDAP
directory returns user found but:

session setup failed: NT_STATUS_LOGON_FAILURE

Also when I run getent passwd as root I only get local accounts. When I
run wbinfo -u I get all users in the LDAP directory, wbinfo -g only
domain groups no local groups.

Any help would be appreciated. I'm a little stumped with this one.
-- 
Kent
nasve525 at regis.edu
kent at wareham.k12.ma.us

Tips:---------------------------------------------->
"OpenOffice.org ... Stops Word macro viruses DEAD!"
"Postgresql.org ... Don't 'kill -9' the postmaster"
"Technology is legislation - C. Einfeldt on OO.o discuss list"

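Added example, not part of the original post and not Linux-PAM code: a simplified model of the documented PAM control flags (required, requisite, sufficient), run over the auth lines of pam.d/login quoted in the message, to show which modules are consulted for a given outcome. The per-module results are constructed inputs, and pam_stack.so is treated as a single module.

```python
# Added example: simplified model of PAM control flags, not Linux-PAM source.
# LOGIN_AUTH is the auth section of pam.d/login as posted above.
LOGIN_AUTH = """\
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
"""

def parse_stack(text, mgmt="auth"):
    """Return [(control, module)] for one management group; comments are skipped."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == mgmt:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results):
    """results: module -> True (success) / False (failure), constructed by the caller.
    Returns (granted, consulted). 'optional' entries are run but never decide."""
    failed, passed, consulted = False, False, []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control in ("required", "requisite"):
            if ok:
                passed = True
            else:
                failed = True
                if control == "requisite":
                    break          # requisite failure ends the stack at once
        elif control == "sufficient" and ok and not failed:
            return True, consulted  # success here skips every later module
    return passed and not failed, consulted

if __name__ == "__main__":
    stack = parse_stack(LOGIN_AUTH)
    # Constructed outcomes: an account only winbind knows, then one nobody knows.
    cases = {
        "winbind-only": {"pam_winbind.so": True, "pam_unix.so": False,
                         "pam_stack.so": False, "pam_nologin.so": False},
        "unknown": {"pam_winbind.so": False, "pam_unix.so": False,
                    "pam_stack.so": False, "pam_nologin.so": True},
    }
    for name, results in cases.items():
        print(name, evaluate(stack, results))
```

In the first case access is granted after pam_winbind.so alone, so the required pam_nologin.so line below it is never consulted even though its constructed result is a failure.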