[Samba] Winbind Authentication Problem
L. Mark Stone
LMStone at RNoME.com
Wed Jun 9 18:13:09 GMT 2004
Had planned to use LDAP and replace an NT4 domain, but trouble with a
software vendor (long story) means we need to keep the NT4 domain and
use winbind for share authentication for the next few months.
So, I religiously followed the TOSHARG winbind chapter, stopping short
of making changes to /etc/pam.d files.
I can browse and see shares from the Samba box via KDE's LAN browser,
but authentication doesn't work.
When browsing from a Windows box, I don't even get that far.
I have set up several Samba boxes, but never used Winbind before, so I
expect I'm missing something simple here.
Using Samba 3.0.4-5 rpms compiled by Sernet (SuSE) on SuSE Pro 9.0 with
all updates.
Factoids:
The box appears in NT4's Server Manager highlighted (so it's a domain
member server as far as the domain is concerned.) Net Neighborhood on
a Windows box shows an icon for the Samba server.
From the Samba box running smbclient -L SHIRAZ generates a password
prompt (doesn't matter what I put in) and then an error "session setup
failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO"
From a Windows machine on the network, doing a Start > Run > \\SHIRAZ
[Enter] generates an error dialog box that reads: " configuration
information could not be read from the domain controller, either
because the machine is unavailable, or access has been denied."
The /var/log/messages file on the Samba server shows (I'm editing here):
nsswitch/winbindd_util.c:get_trust_pw(1024) could not fetch trust
account password for my domain MCCM
Here's /etc/pam.d/samba:
#%PAM-1.0
auth required pam_unix.so
account required pam_unix.so
Here's smb.conf (may wordwrap):
[global]
workgroup = MCCM
interfaces = 127.0.0.1 172.22.6.0/24 192.168.20.0/24 192.168.21.0/24 eth0
bind interfaces only = true
# printing = cups
# printcap name = cups
# load printers = yes
winbind separator = '\'
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%D/%U
security = domain
password server = *
wins server = 172.22.6.11
encrypt passwords = yes
[Accounting]
comment = Company Financial Reports
path = /data/Company/Accounting
valid users = @Accounting
read only = Yes
[AcctPrivate]
comment = Accounting Department Use Only
path = /data/Company/AcctPrivate
valid users = @Accounting-Private
[Billing]
comment = Billing Department Working Files
path = /data/Company/Billing
valid users = @Billing
[IT_Dept]
comment = Techie Stuff You May Need
path = /data/Company/IT_Dept
valid users = @"Domain Users"
[IT_Private]
comment = For IT Department Use Only
path = /data/Company/IT_Private
valid users = @IT_Dept
[Lab]
comment = For Lab Department Use Only
path = /data/Company/Lab
valid users = @Lab
[LabPrivate]
comment = Lab Management Use Only
path = /data/Company/LabPrivate
valid users = @Lab
# Change valid users to head of lab!
[Public]
comment = Public Documents
path = /data/Company/Public
valid users = @"Domain Users"
[Research]
comment = For Research Department Use Only
path = /data/Company/Public
valid users = @"Domain Users"
# Correct valid users to members of research local group.
And here's nsswitch.conf:
passwd: files winbind
shadow: files
group: files winbind
passwd: compat ldap
group: compat ldap
hosts: files dns wins
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
All ideas gratefully accepted!
Thanks!
Mark
--
_____________________________________________
A Message From... L. Mark Stone
Reliable Networks of Maine, LLC
477 Congress Street, 5th Floor
Portland, ME 04101
Tel: (207) 772-5678
Web: http://www.RNoME.com
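
The nsswitch.conf posted above defines passwd and group twice, once with winbind and once with "compat ldap". The following check is an added example, not part of the original message or of Samba; it reports that ambiguity without assuming which definition the resolver honors. The function names and the sample constant are hypothetical.

```python
import re

# Constructed sample: the first six nsswitch.conf lines as posted in the message.
POSTED_NSSWITCH = """\
passwd: files winbind
shadow: files
group: files winbind
passwd: compat ldap
group: compat ldap
hosts: files dns wins
"""

def parse_nsswitch(text):
    """Return {database: [(lineno, [services]), ...]}, keeping every definition."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        # Remove [STATUS=action] items so only service names remain.
        services = re.sub(r"\[[^\]]*\]", " ", rest).split()
        entries.setdefault(db.strip().lower(), []).append((lineno, services))
    return entries

def audit(text, required=("passwd", "group"), service="winbind"):
    """List (database, problem, line numbers) for each finding."""
    findings = []
    entries = parse_nsswitch(text)
    for db in required:
        defs = entries.get(db, [])
        if not defs:
            findings.append((db, "missing", []))
            continue
        if len(defs) > 1:                        # same database defined twice
            findings.append((db, "duplicate", [n for n, _ in defs]))
        lacking = [n for n, s in defs if service not in s]
        if lacking:                              # a definition without winbind
            findings.append((db, "no-" + service, lacking))
    return findings

if __name__ == "__main__":
    for db, problem, lines in audit(POSTED_NSSWITCH):
        print(f"{db}: {problem} (lines {lines})")
```

To check a live system, pass the contents of /etc/nsswitch.conf to audit() instead of the constructed sample.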