[Samba] SSO Samba/AD integration
Brian Atkins
batkins at tlcdelivers.com
Thu Sep 15 17:47:22 GMT 2005
I added 'template shell = /bin/bash' and now 'getent passwd' shows the
proper shell extensions. However, login still fails. I tried multiple
methods to include the AD domain name in the login id:
DOMAIN\username
DOMAIN.FQDN\username
DOMAIN+username
DOMAIN.FQDN+username
and none work. The logs show:
# more log.winbindd
[2005/09/15 13:37:46, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
user 'gdm' does not exist
[2005/09/15 13:38:18, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'batkins' does not exist
[2005/09/15 13:38:18, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'batkins' does not exist
...
# more log.nmbd
[2005/09/15 13:39:06, 0] nmbd/nmbd_namequery.c:query_name_response(101)
query_name_response: Multiple (2) responses received for a query on
subnet 10.10.59.97 for name UNICITY<1d>.
This response was from IP 10.10.57.99, reporting an IP address of
192.168.211.1.
[2005/09/15 13:39:06, 0] nmbd/nmbd_namequery.c:query_name_response(101)
query_name_response: Multiple (3) responses received for a query on
subnet 10.10.59.97 for name UNICITY<1d>.
This response was from IP 10.10.57.212, reporting an IP address of
223.1.1.128.
However, I don't see anything related to a failed login attempt...
Curiouser and curiouser...
Bruno Guerreiro wrote:
>Hi,
>/bin/false prevents a user from logging to the machine, while allowing it to
>authenticate... You can use shares which are located in your samba server,
>access via FTP,etc. Just can't logon to the machine itself
>Not sure about this one ( don't use AD), but have you tried setting this:
>
>template shell = (whatever shell you want normally /bin/bash)
>
>
>From man smb.conf:
>
> template shell (G)
> When filling out the user information for a Windows NT user,
>the winbindd(8) daemon uses this parameter to fill in the login shell for
>that
> user.
>
> No default
>
>
>Best Regards,
>Bruno Guerreiro
>
>>-----Original Message-----
>>From: Brian Atkins [mailto:batkins at tlcdelivers.com]
>>Sent: Thursday, 15 September 2005 14:04
>>To: samba at lists.samba.org
>>Subject: [Samba] SSO Samba/AD integration
>>
>>
>>OK, I'm certain that this topic has been beat to death, but I need some
>>assistance. I am trying to migrate to a SSO for the majority of our
>>workstations and servers within our organization. I am currently trying
>>to integrate a Gentoo Linux workstation to authenticate to the AD
>>server. Once I get the process nailed down, I'll be moving on to bigger
>>and better things...
>>
>>Prior to starting, I already had Samba installed and was able to share
>>files with Windows based boxes, though only through a guest account.
>>Since yesterday, I have installed openLDAP with mit-krb5 and Samba
>>support enabled. I modified smb.conf, nsswitch.conf, and /etc/hosts in
>>accordance with a document I located on the Gentoo site. It was pretty
>>straight forward, nothing earth-shattering. Once Samba was restarted
>>(with windbind), I was able to use kinit to join the domain
>>successfully, and can now get user and group listings using the 'getent
>>[passwd|group]' commands. However, when I try signing into the
>>workstation using an AD account, the login is denied. What gives?
>>
>>Here are my basics:
>>
>>nsswitch.conf:
>>--------------
>>passwd: compat winbind
>>shadow: compat
>>group: compat winbind
>>
>># passwd: db files nis
>># shadow: db files nis
>># group: db files nis
>>
>>hosts: files dns winbind
>>networks: files dns
>>
>>services: db files
>>protocols: db files
>>rpc: db files
>>ethers: db files
>>netmasks: files
>>netgroup: files
>>bootparams: files
>>
>>automount: files
>>aliases: files
>>
>>
>>hosts
>>-----
>>...
>>10.10.57.124 tlcdcm.UNICITY.TLCDELIVERS.COM tlcdcm UNICITY
>>10.10.57.140 tlcdcm2.UNICITY.TLCDELIVERS.COM tlcdcm2
>>10.10.56.111 web-backupws.UNICITY.TLCDELIVERS.COM web-backupws
>>...
>>
>>smb.conf
>>--------
>>[global]
>> netbios name = briansrapier
>> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> winbind enum users = yes
>> winbind gid = 10000-20000
>> workgroup = UNICITY
>> os level = 20
>> winbind enum groups = yes
>> password server = *
>> preferred master = no
>> winbind separator = +
>> max log size = 50
>> log file = /var/log/samba3/log.%m
>> encrypt passwords = yes
>> dns proxy = no
>> realm = UNICITY.TLCDELIVERS.COM
>> security = ADS
>> wins server = 10.10.57.124
>> wins proxy = no
>>...
>>
>>Doing a 'getent passwd' returns users similar to:
>>...
>>UNICITY+cfedeles:x:10172:10000:NAME:/home/UNICITY/cfedeles:/bin/false
>>UNICITY+tevans:x:10173:10000:NAME:/home/UNICITY/tevans:/bin/false
>>UNICITY+mbare:x:10174:10000:NAME:/home/UNICITY/mbare:/bin/false
>>...
>>
>>But also lists computer accounts as well:
>>...
>>UNICITY+imd-gsanchez$:x:10539:10004:IMD-GSANCHEZ:/home/UNICITY/imd-gsanchez_:/bin/false
>>UNICITY+imd-sharepoint$:x:10553:10004:IMD-SHAREPOINT:/home/UNICITY/imd-sharepoint_:/bin/false
>>UNICITY+imd-alucchiani$:x:10559:10004:IMD-ALUCCHIANI:/home/UNICITY/imd-alucchiani_:/bin/false
>>...
>>
>>However, 'getent group' works just fine:
>>...
>>UNICITY+Exchange Domain Servers:x:10025:
>>UNICITY+Exchange Enterprise Servers:x:10026:
>>UNICITY+Trainers:x:10027:UNICITY+sblizzard,UNICITY+jedgell,UNICITY+jime
>>...
>>
>>The '/bin/false' login shell in the passwd schema leads me to
>>believe that is where the problem lies, but I am not sure what
>>to do to fix it.
>>
>>Thanks for the input.
>>
>>--
>>Brian Atkins
>>
>>"An adventure is never an adventure
>>when it's happening. Challenging
>>experiences need time to ferment,
>>and an adventure is simply physical
>>and emotional discomfort recollected
>>in tranquility." -- Tim Cahill
>>
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions: https://lists.samba.org/mailman/listinfo/samba
>
--
Brian Atkins
IT Services
The Library Corporation
http://TLCdelivers.com
Ph: 800.624.0559
Fx: 304.229.0295
"An adventure is never an adventure
when it's happening. Challenging
experiences need time to ferment,
and an adventure is simply physical
and emotional discomfort recollected
in tranquility." -- Tim Cahill
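As an added example (not part of this thread or of Samba itself), the following script audits 'getent passwd' output of the shape shown above, separating local accounts from winbind-supplied domain accounts and flagging computer accounts (trailing '$'), non-login shells such as /bin/false, and entries whose uid falls outside the configured idmap range. It assumes the 'winbind separator = +' and 'idmap uid = 10000-20000' settings from the smb.conf quoted above; the sample lines are constructed, not real accounts.

```python
"""Audit winbind-supplied entries in 'getent passwd' output."""
from collections import Counter

# Constructed sample in the same shape as the thread's getent output; not real accounts.
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
UNICITY+cfedeles:x:10172:10000:NAME:/home/UNICITY/cfedeles:/bin/false
UNICITY+tevans:x:10173:10000:NAME:/home/UNICITY/tevans:/bin/bash
UNICITY+imd-gsanchez$:x:10539:10004:IMD-GSANCHEZ:/home/UNICITY/imd-gsanchez_:/bin/false
UNICITY+odd:x:500:10000:NAME:/home/UNICITY/odd:/bin/bash
"""

# Shells that deny an interactive login even when authentication succeeds.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Parse passwd(5)-style lines into dicts; reject lines without 7 fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def classify(entry, separator="+", uid_range=(10000, 20000)):
    """Label one entry: local, outside-idmap, computer, nologin or login."""
    name = entry["name"]
    if separator not in name:          # no DOMAIN<sep>user prefix: a local account
        return "local"
    lo, hi = uid_range
    if not lo <= entry["uid"] <= hi:   # domain account with a uid idmap should not hand out
        return "outside-idmap"
    if name.endswith("$"):             # machine account, never meant to log in
        return "computer"
    if entry["shell"] in NOLOGIN_SHELLS:
        return "nologin"               # would authenticate but be refused a shell
    return "login"


def audit(text, separator="+", uid_range=(10000, 20000)):
    """Return a count of entries per label for a getent passwd dump."""
    return dict(Counter(classify(e, separator, uid_range) for e in parse_passwd(text)))
```

Run it against real output with audit(open("/tmp/getent.txt").read()); a high "nologin" count with "template shell" unset is the symptom the thread describes.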