[Samba] Active directory authentication and Solaris 9 problems

Robert M. Martel bob at urban.csuohio.edu
Tue Jun 21 18:06:59 GMT 2005


Greetings,

I currently have Samba 3.0.14a built using gcc 3.2.2 on a Solaris 
9/Sparc box.  This Samba server is a member server of our Active 
Directory (AD) domain called "CSUNET".  When logged onto a Windows 
client machine as an AD user I can see and access resources on the 
Solaris server.

I've been trying to get PAM working with pam_winbind.so and correctly 
configured.  So far I am unable to log onto the Solaris box as an AD 
user.  If I am root, I can "su" to an AD user.  If I am not root, I 
cannot "su" to an AD user.  I cannot logon to the machine at all with an 
AD account, only the ones available in /etc/passwd - for which I am 
password prompted twice.

/etc/nsswitch is set with the following:
passwd:     files winbind
group:      files winbind


I think I have my /etc/pam.conf set up as it should be (at bottom of 
this message.)   I don't know if I missed something there, if there is a 
problem with my build of samba - or supporting software - or if the 
issue is with our Active Directory server.

The AD server is Windows 2003 vanilla.  The people in charge of it DO 
NOT want to make any sort of change from the Microsoft stock configuration.

Any ideas will be appreciated.  I was able to get a SuSE 9.2 configured 
to work with AD and allow logins, but the Solaris machine seems to enjoy 
being more of a challenge.

In /var/adm/messages I see:
-----------
Jun 21 13:39:13 techops pam_winbind[4648]: [ID 467601 auth.error] 
request failed: No such user, PAM error was 13, NT error was 
NT_STATUS_NO_SUCH_USER
Jun 21 13:39:15 techops last message repeated 1 time
Jun 21 13:40:56 techops su[4658]: [ID 810491 auth.crit] 'su 1001362' 
failed for bob on /dev/pts/7
-----------

From the winbind log it looks like winbind is getting correct info from 
the AD server - the UID and GID I see are correct, then it becomes 
unhappy around the end with "client_read: read 0 bytes. Need 1824 more 
for a full request"

(A more complete copy if anyone wants to look at it is at:
http://urban.csuohio.edu/~bob/samba3/smblog.winbindd.txt )

---------------------------------------------------
...
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_id_from_sid(228)
   internal_get_id_from_sid: record 
S-1-5-21-3414352988-972178952-4124595837-91888 -> UID 10000
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_id_from_sid(243)
   internal_get_id_from_sid: ID_USERID fetching record 
S-1-5-21-3414352988-972178952-4124595837-91888 -> UID 10000
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_sid_from_id(190)
   internal_get_sid_from_id: fetching record UID 10000
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_sid_from_id(196)
   internal_get_sid_from_id: fetching record UID 10000 -> 
S-1-5-21-3414352988-972178952-4124595837-91888
[2005/06/21 13:40:56, 10] sam/idmap_util.c:idmap_sid_to_uid(157)
   idmap_sid_to_uid: uid = [10000]
[2005/06/21 13:40:56, 10] sam/idmap_util.c:idmap_sid_to_gid(179)
   sid_to_gid: sid = [S-1-5-21-3414352988-972178952-4124595837-513]
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:db_get_id_from_sid(315)
   db_get_id_from_sid
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_id_from_sid(221)
   internal_get_id_from_sid: fetching record 
S-1-5-21-3414352988-972178952-4124595837-513 of type 0x2
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_id_from_sid(228)
   internal_get_id_from_sid: record 
S-1-5-21-3414352988-972178952-4124595837-513 -> GID 10000
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_id_from_sid(262)
   internal_get_id_from_sid: ID_GROUPID fetching record 
S-1-5-21-3414352988-972178952-4124595837-513 -> GID 10000
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_sid_from_id(190)
   internal_get_sid_from_id: fetching record GID 10000
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_sid_from_id(196)
   internal_get_sid_from_id: fetching record GID 10000 -> 
S-1-5-21-3414352988-972178952-4124595837-513
[2005/06/21 13:40:56, 10] sam/idmap_util.c:idmap_sid_to_gid(187)
   idmap_sid_to_gid: gid = [10000]
[2005/06/21 13:40:56, 10] nsswitch/winbindd.c:client_write(524)
   client_write: wrote 1300 bytes.
[2005/06/21 13:40:56, 10] nsswitch/winbindd.c:winbind_client_read(470)
   client_read: read 0 bytes. Need 1824 more for a full request.
[2005/06/21 13:40:56, 5] nsswitch/winbindd.c:winbind_client_read(477)
   read failed on sock 21, pid 4658: EOF
[2005/06/21 13:40:56, 10] nsswitch/winbindd.c:winbind_client_read(470)
   client_read: read 0 bytes. Need 1824 more for a full request.
[2005/06/21 13:40:56, 5] nsswitch/winbindd.c:winbind_client_read(477)
   read failed on sock 20, pid 4658: EOF


-------------------------------------------------
/etc/pam.conf
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required           /usr/lib/security/pam_winbind.so debug
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1 try_first_pass
login   auth required           pam_dial_auth.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         /usr/lib/security/pam_winbind.so debug
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
other   auth sufficient         /usr/lib/security/pam_winbind.so debug
rsh     auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth sufficient         /usr/lib/security/pam_winbind.so debug
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass


Much thanks to anyone that looked at this whole, long message.
-Bob

-- 
***********************************************************************
Bob Martel,System Administrator  I met someone who looks a lot like you
Levin College of Urban Affairs   She does the things you do
Cleveland State University       But she is an IBM
(216) 687-2214
bob at urban.csuohio.edu                                -Jeff Lynne
***********************************************************************
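An added example, not part of Bob's message: a small parser for the Solaris pam.conf format that groups lines by service and module type (so interleaved `other` and `rsh` lines land in their own stacks), reports duplicate entries, and shows where pam_winbind sits in each auth stack and with which control flag. The embedded excerpt is constructed from the configuration posted above; `required` versus `sufficient` semantics follow pam.conf(4).

```python
import os
from collections import defaultdict

# Constructed excerpt modelled on the pam.conf posted above (not the full file).
PAM_CONF = """\
# login service (explicit because of pam_dial_auth)
login   auth required           /usr/lib/security/pam_winbind.so debug
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1 try_first_pass
rsh     auth sufficient         pam_rhosts_auth.so.1
other   auth sufficient         /usr/lib/security/pam_winbind.so debug
rsh     auth required           pam_unix_auth.so.1
other   auth sufficient         /usr/lib/security/pam_winbind.so debug
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1
"""

def parse_pam_conf(text):
    """Group lines by (service, type); order within a group is evaluation order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4:                          # blank or malformed line
            continue
        service, mtype, control, module = fields[:4]
        stacks[(service, mtype)].append((control, os.path.basename(module), fields[4:]))
    return dict(stacks)

def audit(stacks):
    """Return findings about duplicates and where pam_winbind sits in each auth stack."""
    findings = []
    for (service, mtype), entries in sorted(stacks.items()):
        if mtype != "auth":
            continue
        modules = [m for _, m, _ in entries]
        for m in sorted(set(modules)):
            if modules.count(m) > 1:
                findings.append(f"{service}: {m} listed {modules.count(m)} times (duplicate line)")
        for i, (control, m, _) in enumerate(entries):
            if m.startswith("pam_winbind"):
                findings.append(f"{service}: pam_winbind is entry {i} with control '{control}'")
                if control == "required":
                    # required: a failure such as NT_STATUS_NO_SUCH_USER is remembered
                    # and the stack fails as a whole, even if pam_unix_auth later succeeds
                    findings.append(f"{service}: a pam_winbind failure fails the whole stack")
    return findings

if __name__ == "__main__":
    for line in audit(parse_pam_conf(PAM_CONF)):
        print(line)
```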

