[Samba] Linux/AD authentication stops working after ~5 minutes
McGlorfin
mcglorfin at yahoo.com
Wed Jan 18 20:02:45 GMT 2006
I'm trying to do something fairly simple: login to a Linux box using a
Windows AD-based account. I've followed the various recipes available
online for configuring Linux (winbind, PAM, etc.) to this send, and I've
got it working ... almost.
I'm able to authenticate an AD-based user immediately after bringing up
the Linux box, but a short time later (roughly 5 minutes, but it varies)
I can no longer authenticate. Running 'wbinfo -u' fixes the problem
temporarily, although I'm not sure how or why. The 'winbind cache time'
param in smb.conf has no effect on the problem.
Any ideas as to what's going on? Is this more likely to be a
misconfiguration or an issue with my version of Samba? Thanks in advance
for any insight.
System configuration info follows:
AD server is Windows Server 2003 SP1. There is only one AD domain, named
"DOMAIN.LOCAL", and it is small (for testing purposes).
Linux box is Fedora Core 3. Kernel is 2.6.9-1.667. It is joined to the
AD server domain only.
Win2k3 is running as a guest OS in VMware and Fedora is the host OS. (I
doubt this config has anything to do with the problem.)
Samba packages:
samba-common-3.0.10-1.fc3
samba-swat-3.0.10-1.fc3
samba-3.0.10-1.fc3
samba-client-3.0.10-1.fc3
I'm running winbind, but not smbd or nmbd. The latter doesn't seem to be
necessary, nor is it sufficient to solve my problem.
smb.conf:
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
server string = Samba Server
security = ADS
password server = vmdc1.domain.local
log level = 1 ads:10 auth:10 sam:10 rpc:10 winbind:5
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = lmhosts bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
dns proxy = No
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind cache time = 10
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
PAM packages:
pam-0.77-65
pam_passwdqc-0.7.5-2
pam-devel-0.77-65
pam_smb-1.1.7-5
pam_krb5-2.1.2-1
pam_ccreds-1-3
/etc/pam.d/system-auth (used by /etc/pam.d/sshd, etc.):
#auth
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
#account
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100
quiet
account [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
#password
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
#session
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
Relevant nsswitch.conf lines:
passwd: files winbind
shadow: files winbind
group: files winbind
EOM
More information about the samba
mailing list