[Samba] Winbind NT domain authentication
Thomas Fazekas
tfa at missioncriticalit.com
Fri Jun 24 09:14:09 GMT 2005
Hi list,
Sorry for the cross-post, I'm not sure which list is better for
me as I have a question related to Samba, configuration and FreeBSD.
I'm trying to configure NT authentication on FreeBSD 5.4 with
Samba 3.0.12 (installed from the ports collection).
I've followed the Samba 3 HOWTO and I've managed the following:
wbinfo -g returns correctly the domain groups
wbinfo -u returns all the users (including those ones from the domain)
ntlm_auth does authenticate the user correctly
ntlm_auth --username=usr1
password:
NT_STATUS_OK: Success (0x0)
and in the winbind log I get:
rpc: trusted_domains
[ 3141]: request interface version
[ 3141]: request location of privileged pipe
[ 3141]: request domain name
[ 3141]: request misc info
[ 3141]: pam auth MYDOMAIN\usr1
rpc_dc_name: Returning DC PASSV_SERV (_the_ip_) for domain MYDOMAIN
IPC$ connections done anonymously
Connecting to host=PASSV_SERV
Connecting to _the_ip_ at port 445
I suspect this means that my samba/winbind configuration is correct.
The trouble is that I still can't login (login or ssh) with usernames
from the domain.
If I try with MYDOMAIN\usr1 I just get an Access Denied.
The worst is that I'm not sure that I'm looking for the logs in the
right place; the auth.log or messages doesn't show any trace of
winbind being called.
My smb.conf:
workgroup = MYDOMAIN
netbios name = MY_BSD
password server = passwd_serv_ip
security = domain
encrypt passwords = yes
#passdb backend = tdbsam guest
server string = MY_BSD Samba Server
# separate domain and username with '\', like DOMAIN\username
winbind separator = \\
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /home/winnt/%D%U
template shell = /usr/local/bin/bash
My nsswitch.conf:
group: compat winbind
group_compat: nis
hosts: files dns winbind
networks: files
passwd: compat winbind
passwd_compat: nis
shells: files
and finally my /etc/pam.d/sshd:
# auth
auth required pam_nologin.so no_warn
#auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
#auth required pam_unix.so no_warn try_first_pass
#tfa
auth sufficient pam_winbind.so debug try_first_pass
auth sufficient pam_unix.so no_warn try_first_pass
# account
#account required pam_krb5.so
account required pam_login_access.so
account sufficient pam_winbind.so debug
account sufficient pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient pam_winbind.so debug try_first_pass
password sufficient pam_unix.so no_warn try_first_pass
I hope this question is not silly, but for NT authentication only, smbd/nmbd
don't need to run, do they? Winbind should do the job.
This is the 2nd week I've been trying to set this thing up, and it's one of the most
frustrating experiences ever...
Can anybody give me some hints (other than going to a psychiatrist)?
Thomas
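An added check script, not part of the original post, that audits the pieces a winbind login chain needs on a box like the one described above: the nsswitch.conf and pam.d/sshd contents below are constructed from the post, and the live part assumes wbinfo and getent are on the PATH (it is skipped otherwise).

```shell
# Constructed samples mirroring the post's nsswitch.conf and pam.d/sshd.
NSS_SAMPLE="group: compat winbind
passwd: compat winbind
hosts: files dns winbind"
PAM_SAMPLE="auth required pam_nologin.so no_warn
#auth required pam_unix.so no_warn try_first_pass
auth sufficient pam_winbind.so debug try_first_pass
auth sufficient pam_unix.so no_warn try_first_pass
account required pam_login_access.so
account sufficient pam_winbind.so debug
account sufficient pam_unix.so
session required pam_permit.so"

# nss_sources "<nsswitch text>" <database>: the sources listed for that database
nss_sources() {
    printf '%s\n' "$1" | awk -v db="$2" '
        /^[ \t]*#/ { next }
        $1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}
# pam_modules "<pam text>" <type>: active (uncommented) modules for that phase
pam_modules() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /^[ \t]*#/ { next }
        $1 == t { sub(/\.so$/, "", $3); print $3 }'
}
has_word() {  # has_word "<list>" <word>
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# Static audit: NSS must resolve domain users and groups through winbind, and
# both the auth and account phases must consult pam_winbind.
winbind_chain_ok() {  # winbind_chain_ok "<nsswitch text>" "<pam text>"
    has_word "$(nss_sources "$1" passwd)" winbind || { echo "passwd: winbind missing"; return 1; }
    has_word "$(nss_sources "$1" group)" winbind || { echo "group: winbind missing"; return 1; }
    has_word "$(pam_modules "$2" auth)" pam_winbind || { echo "auth: pam_winbind missing"; return 1; }
    has_word "$(pam_modules "$2" account)" pam_winbind || { echo "account: pam_winbind missing"; return 1; }
}

# Live check, only where the winbind tools exist: sshd looks the user up via
# NSS (getpwnam) before PAM starts, so a name getent cannot resolve never
# reaches pam_winbind, whatever ntlm_auth reports for the same credentials.
live_check() {  # live_check 'DOMAIN\user'
    command -v wbinfo >/dev/null 2>&1 && command -v getent >/dev/null 2>&1 ||
        { echo "wbinfo/getent not on PATH, skipping live check"; return 0; }
    wbinfo -t || echo "domain trust secret check (wbinfo -t) failed"
    getent passwd "$1" || echo "NSS cannot resolve $1; login fails before PAM runs"
}
```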