[Samba] SOLVED - Samba as domain member server cannot authenticate users

Breno Moiana bm.lists at gmail.com
Fri Apr 29 18:32:14 GMT 2005


Okay, I found the problem here.

The issue was with authentication, which Samba was trying to do as if
it was talking to an NT domain, when it was actually an Active
Directory server.

To solve it, I made these changes to smb.conf:

1. ADDED  "realm = fully.qualified.dom.ain"
2. CHANGED TO "security = ads"

With that, and the howto provided by Kent West at
http://faculty.acu.edu/westk/winbind.html, I was able to get things
working here.

I thank all for the help and patience :)

Best Regards,

Breno Moiana.


On 4/26/05, Breno Moiana <bm.lists at gmail.com> wrote:
> This problem was already described in a very similar way in Oct 2004
> in the following message:
> [http://lists.samba.org/archive/samba/2004-October/094683.html]
> As no solution was found so far, I am re-posting it in the hope that
> somebody can help.
> =================================================
> 
> Situation:
> - A Windows 2000 domain with Active Directory up and running.
> - A Samba server with fileshares and printers. Debian Sarge, Samba 3.0.10
> - Windows clients
> 
> Objective:
> - To have Windows users being able to transparently map fileshares on
> the Linux server, and to print to these Linux printers without having
> to enter a separate password for the Linux shares/printers. The Linux
> server should accept the Windows logged-in user.
> 
> What I have accomplished:
> Installed Samba, it worked fine with local authentication.
> Changed the Samba configuration and installed winbind, and changed the
> /etc/nsswitch.conf, /etc/pam.d/login, so I could log in to the Linux
> machine using the Windows AD authentication.
> With those changes, I can successfully log in to the Linux server with
> a Windows user.
> 
> What is missing:
> With this setup, I can't access the fileshares when I try to map them
> from a Windows client. The Linux server requests the password, and I
> try to enter "username", "domain\username", "username at domain",
> "\\domain\username", "DOMAIN\username", and nothing works.
> 
> Diagnostics:
> When I try to access a share from a Windows machine, the
> /var/log/samba/log.machinename reports this:
> 
> ---log---
> [2005/04/25 18:51:13, 0] auth/pampass.c:smb_pam_accountcheck(781)
>   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User MYDOMAIN\username!
> ---/log---
> 
> However, if I log on locally, the user MYDOMAIN\username is a valid one!
> 
> I have stripped out the comments, and post my smb.conf
> below (mydomain being my domain, and username# being valid usernames):
> 
> ---smb.conf---
> [global]
>    workgroup = mydomain
>    server string = %h server (Samba %v)
>    include = /etc/samba/dhcp.conf
>    dns proxy = no
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
> 
>    security = domain
>    password server = *
> 
>    encrypt passwords = true
>    passdb backend = tdbsam guest
> 
>    obey pam restrictions = yes
> 
>    guest account = nobody
>    invalid users = root
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> 
>    SO_RCVBUF=8192 SO_SNDBUF=8192
>    socket options = TCP_NODELAY
> 
> domain master = no
> local master = no
> preferred master = no
> 
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
>    template shell = /bin/bash
> 
> [testshare]
>     comment = Testing share
>     writable = yes
>     path = /fileshare/testshare
>     write list = username1,username2
>     force create mode = 0775
>     force directory mode = 6775
> 
> ---/smb.conf---
> 
> Something is wrong, I just couldn't figure out what. I believe it to be
> something to make Samba "talk" to winbindd, identifying the users.
> If I find out the answer, I will post it here.
> 
> Thanks very much for the attention!
> 
> Best Regards!
> 
> Breno Moiana.
>
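
The two smb.conf changes from the fix above, turned into a check. This is an added example, not part of the original post and not Samba code: the function names and the sample text (a condensed, constructed form of the quoted [global] section) are assumptions made for illustration.

```python
import re

# Constructed sample: a condensed form of the [global] section quoted in the post.
SAMPLE_BEFORE = r"""
[global]
   workgroup = mydomain
   security = domain
   password server = *
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n \
      *Retype\snew\sUNIX\spassword:* %n\n .
[testshare]
   path = /fileshare/testshare
"""
# The same text with the two changes from the post applied.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "security = domain", "realm = fully.qualified.dom.ain\n   Security = ads")

def global_params(text):
    """Return [global] parameters as {name: value}; smb.conf ignores case
    and whitespace in parameter names, so names are normalized here."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)   # only the first '=' separates
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def check_ad_member(text):
    """List findings for the two settings the post changed: security and realm."""
    p = global_params(text)
    security, realm = p.get("security", "").lower(), p.get("realm", "")
    findings = []
    if security != "ads":
        findings.append(f"security = {security or '(unset)'}; the post's fix was security = ads")
    if not realm:
        findings.append("realm is not set; the post added realm = <fully qualified domain>")
    elif "." not in realm:
        findings.append(f"realm = {realm} is not a fully qualified domain name")
    return findings

if __name__ == "__main__":
    print(check_ad_member(SAMPLE_BEFORE), check_ad_member(SAMPLE_AFTER))
```

On a live system, `testparm -s` prints the configuration as Samba itself parses it, which is the text to feed to a check like this.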

