[Samba] Winbind NT domain authentication

Fri Jun 24 09:14:09 GMT 2005

Hi list,

Sorry for the cros-post, I'm not sure which list is better for
me as I got a question related to samba, configuration, FreeBSD.

I'm trying to configure NT authentication on FreeBSD 5.4 with 
Samba 3.0.12 (installed form the ports collection).
I've folowed the Samba 3 howto I've managed the following :

wbinfo -g returns correctly the domain groups

wbinfo -u returns all the users (including those ones from the domain)

ntlm auth does authenticate the user correctly
ntlm_auth --username=usr1
password:
NT_STATUS_OK: Success (0x0)
and in the winbind log I get :
        rpc: trusted_domains
        [ 3141]: request interface version
        [ 3141]: request location of privileged pipe
        [ 3141]: request domain name
        [ 3141]: request misc info
        [ 3141]: pam auth MYDOMAIN\usr1
        rpc_dc_name: Returning DC PASSV_SERV (_the_ip_) for domain MYDOMAIN
        IPC$ connections done anonymously
        Connecting to host=PASSV_SERV
        Connecting to _the_ip_ at port 445

I suspect this means that my samba/winbind configuration is correct.
The trouble is that I still can't login (login or ssh) with usernames
from the domain.
If I try with MYDOMAIN\usr1 I just get an Access Denied.
The worse is that I'm not sure that I'm looking for the logs in the 
right place, the auth.log of messages doesn't show any trace of
winbind beeing called.

My smb.conf :

workgroup = MYDOMAIN
netbios name = MY_BSD
password server = passwd_serv_ip
security = domain
encrypt passwords = yes
#passdb backend = tdbsam guest
server string = MY_BSD Samba Server

# separate domain and username with '\', like DOMAIN\username
winbind separator = \\
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /home/winnt/%D%U
template shell = /usr/local/bin/bash

My nsswitch.conf

group: compat winbind
group_compat: nis
hosts: files dns winbind
networks: files
passwd: compat winbind
passwd_compat: nis
shells: files

and finally my /etc/pam.d/sshd

# auth
auth            required        pam_nologin.so          no_warn
#auth           sufficient      pam_opie.so             no_warn no_fake_prompts
#auth           requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
#auth           required        pam_unix.so             no_warn try_first_pass
#tfa
auth            sufficient      pam_winbind.so          debug try_first_pass
auth            sufficient      pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      pam_winbind.so          debug
account         sufficient      pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        sufficient      pam_winbind.so          debug try_first_pass
password        sufficient      pam_unix.so             no_warn try_first_pass

I hope this question is not silly but only for NT authentication smbd/nmbd
is not necessary to run, isn't it ? Winbind should do de job.

This is the 2'nd week I keep trying setting this thing up, and one of the most
frustrating experience ever...
Can anybody give me some hints (other then going to a psychiatrist)

Thomas