[Samba] pam winbind seems to have trouble with idmap backend = ldap

Gutholm, James GutholmJ at evergreen.edu
Tue Jul 25 19:07:28 GMT 2006


Environment is
samba-3.0.10-1.4E.6
RedHat ES4, kernel 2.6.9-34.0.2.ELsmp
AD domain Win2003 SP2 Native mode

This system was initially set up in ads security mode, joined to a Win
2003 AD domain and configured to use winbind for both samba file shares
and authz/authn for sshd and local logins. In this configuration the
winbind idmap was the default local database. Everything worked fine.
Users could log in via ssh and access controls on files were properly
working, samba file sharing worked properly, etc.

In an effort to synchronize the uid/gid to sid mapping across multiple
machines we configured a system to use idmap backend = ldap. Initially
it seemed that this new configuration was working. After deleting the
winbind cache and local database and restarting smb/winbind, getent
passwd populated the ldap directory with mapping info and samba file
sharing worked fine. The problem is that now ssh and console logins
don't work for AD accounts, only local accounts.

The short version is, with idmap... commented out, fileshares and ssh
work for AD accounts. With idmap... file shares work but ssh does not.
Errors while using ssh are included below.

-- smb.conf ------------------------------------------------------
[global]
   workgroup = AC_COMPUTING
   server string = JAMESDIRTEST
   log file = /var/log/samba/%m.log
   log level = 3 passdb:5 auth:10 winbind:3
   max log size = 50
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   template homedir = /home/%U
   username map = /etc/samba/smbusers
   winbind use default domain = yes
   realm = EVERGREEN.EDU
   password server = EVDC1 EVDC2
   winbind enum users=yes
   winbind enum groups=yes
   client schannel = no
   client use spnego = no
   ldap admin dn = cn=manager,ou=users,dc=sambaidmap,dc=evergreen,dc=edu
   ldap idmap suffix = ou=idmap
   ldap suffix = dc=sambaidmap,dc=evergreen,dc=edu
   #idmap backend = ldap:"ldap://adappmode.evergreen.edu:50000"
[setup-staging]
    comment = Local Install Setup
    path = /setup-staging
    valid users = @"Network Services GG" @"Admin Computing GG"
    public = no
    writable = yes
    printable = no
    create mask = 0775
    force group = Network Services GG
... more shares...
------------------------------------------------------------------

-- nsswitch.conf -------------------------------------------------
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  files
automount:  files
aliases:    files
------------------------------------------------------------------

-- pam.d/sshd ----------------------------------------------------
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
auth        required     pam_nologin.so
#
#
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so
#
#
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
#
#
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
------------------------------------------------------------------

-- tail of /var/log/messages -------------------------------------
Jul 25 11:14:25 jamesdirtest winbind: winbindd startup succeeded
Jul 25 11:14:25 jamesdirtest smb: smbd startup succeeded
Jul 25 11:14:25 jamesdirtest smb: nmbd startup succeeded
Jul 25 11:14:41 jamesdirtest smbd[6416]: [2006/07/25 11:14:41, 0] smbd/service.c:set_current_service(51)
Jul 25 11:14:41 jamesdirtest smbd[6416]:   chdir (/setup-staging) failed
Jul 25 11:14:41 jamesdirtest smbd[6416]: [2006/07/25 11:14:41, 0] smbd/service.c:set_current_service(51)
Jul 25 11:14:41 jamesdirtest smbd[6416]:   chdir (/setup-staging) failed
Jul 25 11:15:06 jamesdirtest sshd(pam_unix)[6418]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jamesdirtest.evergreen.edu  user=james_su
Jul 25 11:15:06 jamesdirtest pam_winbind[6418]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Jul 25 11:15:06 jamesdirtest pam_winbind[6418]: user `james_su' denied access (incorrect password or invalid membership)
Jul 25 11:15:12 jamesdirtest pam_winbind[6418]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Jul 25 11:15:12 jamesdirtest pam_winbind[6418]: user `james_su' denied access (incorrect password or invalid membership)
Jul 25 11:15:17 jamesdirtest pam_winbind[6418]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Jul 25 11:15:17 jamesdirtest pam_winbind[6418]: user `james_su' denied access (incorrect password or invalid membership)
Jul 25 11:15:19 jamesdirtest sshd(pam_unix)[6418]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=jamesdirtest.evergreen.edu  user=james_su
Jul 25 11:15:31 jamesdirtest winbind: winbindd shutdown succeeded
Jul 25 11:15:31 jamesdirtest smb: smbd shutdown succeeded
Jul 25 11:15:31 jamesdirtest nmbd[6412]: [2006/07/25 11:15:31, 0] nmbd/nmbd.c:terminate(56)
Jul 25 11:15:31 jamesdirtest nmbd[6412]:   Got SIGTERM: going down...
Jul 25 11:15:31 jamesdirtest smb: nmbd shutdown succeeded
------------------------------------------------------------------
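Added example, not part of the post or of Samba: a small Python simulator of Linux-PAM's control-flag dispatch (the `required`/`requisite`/`sufficient` keywords and the bracketed `[value=action]` form, as documented in pam.conf(5)), run over the sshd stack quoted above with its wrapped lines joined. The module return values are constructed assumptions for an AD account: `pam_unix` finds no shadow entry and returns `auth_err`, `pam_succeed_if` fails because the winbind-allocated uid is far above 100, and `pam_winbind`'s result is varied. It shows why a failing `sufficient` `pam_winbind` line falls through to `pam_deny` (so the denial in the log originates in pam_winbind's own `NT_STATUS_WRONG_PASSWORD` result, which the stack then turns into a hard failure), and how the bracketed account control lets `user_unknown` pass while any other non-success code is fatal. Jumps (`N`) and `reset` are not modelled, since the posted stack does not use them.

```python
"""Simulate Linux-PAM stack evaluation for the posted pam.d/sshd file (added example)."""
import re

# Expansion of the simple control keywords into action tables (pam.conf(5)).
# 'default' covers any module return value not listed explicitly.
SIMPLE = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# Modules whose result never depends on the user (assumption: standard behaviour).
FIXED_RESULTS = {"pam_deny.so": "perm_denied", "pam_permit.so": "success"}

# The auth and account sections from the post, continuation lines joined.
SSHD_PAM = """
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
auth        required      pam_nologin.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so
"""


def parse_pam_stack(text, service_type):
    """Return [(module_basename, action_table)] for one type (auth, account, ...)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)", line)
        if not m or m.group(1) != service_type:
            continue
        ctrl, module = m.group(2), m.group(3).rsplit("/", 1)[-1]
        if ctrl.startswith("["):
            # "[default=bad success=ok user_unknown=ignore]" -> {"default": "bad", ...}
            table = dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
        else:
            table = SIMPLE[ctrl]
        entries.append((module, table))
    return entries


def run_stack(stack, results):
    """Apply Linux-PAM's dispatch rules; `results` maps module name -> return code string."""
    results = {**FIXED_RESULTS, **results}
    impression, status = None, None  # None = undecided, True = positive, False = negative
    for module, table in stack:
        retval = results.get(module, "success")
        action = "ignore" if retval == "ignore" else table.get(retval, table.get("default", "bad"))
        if action in ("ok", "done"):
            # A later result only overrides an undecided or still-successful state.
            if impression is None or (impression is True and status == "success"):
                impression, status = retval == "success", retval
            if impression is True and action == "done":
                return status          # 'sufficient' succeeded with nothing failed before it
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval   # first failure wins
            if action == "die":
                return status          # 'requisite' aborts immediately
        # "ignore": the module's result does not influence the outcome
    return status if status is not None else "perm_denied"


def scenario(service_type, results, stack_text=SSHD_PAM):
    return run_stack(parse_pam_stack(stack_text, service_type), results)


if __name__ == "__main__":
    ad_ok = {"pam_unix.so": "auth_err", "pam_winbind.so": "success"}
    ad_bad = {"pam_unix.so": "auth_err", "pam_winbind.so": "auth_err"}
    print("auth, winbind accepts:", scenario("auth", ad_ok))        # success
    print("auth, winbind rejects:", scenario("auth", ad_bad))       # perm_denied (from pam_deny)
    print("account, AD user unknown to winbind:",
          scenario("account", {"pam_succeed_if.so": "auth_err", "pam_winbind.so": "user_unknown"}))
    print("account, AD account expired:",
          scenario("account", {"pam_succeed_if.so": "auth_err", "pam_winbind.so": "acct_expired"}))
```

The auth stack as posted therefore only ever admits a user that `pam_unix` or `pam_winbind` explicitly accepts; the `pam_nologin` line after `pam_deny` cannot rescue a failure, so when the log shows `pam_winbind` returning a wrong-password status the place to look is winbind's own authentication path, not the PAM ordering.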