[Samba] Help with RHEL4 and AD 2003 Authentication

Anoop Bhat mywebsftp at gmail.com
Fri Jun 30 15:01:31 GMT 2006


I've been reading up on lots of documents that describe the different ways
to join a Linux machine to AD and set up authentication. I've tried most of
them but it's not helping at all. I've included my config files for smb.conf,
krb5.conf, pam.d/system-auth and the applicable nsswitch.conf lines. For
security reasons, I've obscured part of the domain name. Any help
is appreciated.

Here are the questions:

1. Do i need to edit more than one pam.d file? For now, I'm just trying to
be able to SSH in as a domain account and as a local user account.
2. Do all the config files here look correct?
3. When logging in, what should my login name be? DOMAIN\Username or just
Username or username at DOMAIN.NAME.COM ? I've tried all with no luck.
4. Can AD group policy affect this in someway?

At the bottom, I have attached the output of some commands that may also help.

Thank you in advance for any help/advice.


# pam.d/system-auth
# Each management group (auth/account/password/session) is walked top to
# bottom: "sufficient" ends the stack on success, "required" must pass, and
# the trailing pam_deny.so rejects whatever nothing above accepted.
#
# auth: local accounts are tried first through pam_unix; on failure the same
# password is handed to pam_winbind (use_first_pass), so there is no second
# prompt. "nullok" lets a local account with an empty password field log in -
# keep it only if that is intended.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

# account: pam_succeed_if short-circuits the remaining account checks for
# system accounts (uid < 100); everyone else falls through to the next line.
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
# NOTE(review): the next line has a control field but no module path - it
# looks cut off in the paste. On a winbind setup this slot is presumably
# /lib/security/$ISA/pam_winbind.so; without an account-phase winbind module
# the DC's account restrictions (disabled/expired accounts) would presumably
# not be enforced at login - confirm against the real file.
account     [default=bad success=ok user_unknown=ignore]
account     required      /lib/security/$ISA/pam_permit.so

# password: pam_cracklib checks the new password, pam_unix takes it first,
# and pam_winbind receives the same token (use_authtok) so a domain user's
# change is forwarded to winbindd instead of prompting again.
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
# NOTE(review): "md5 shadow" on the line after pam_unix.so is a wrapped
# continuation of that line (mail line-wrapping), not a separate entry.
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok
md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

# session: there is no pam_mkhomedir.so here, so the home directory winbind
# reports for a domain user ("template homedir" in smb.conf) has to exist
# already or be created some other way.
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

# krb5.conf
# NOTE(review): the bracketed section headers ([logging], [libdefaults],
# [realms], [domain_realm], [kdc], [appdefaults]) are missing from this
# paste, as is the closing "}" of the pam = { ... } block at the end; the
# groupings below follow the standard krb5.conf layout - confirm against the
# real file.
#
# logging: client libraries write to "default"; the kdc/admin_server lines
# only matter if this host ran a KDC.
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

# libdefaults: realm and KDC discovery are delegated to DNS (dns_lookup_*),
# so the AD DNS zone (SRV records) must be reachable from this box.
 default_realm = CORP.OBSCURED.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
# DES-CBC-CRC / DES-CBC-MD5 are weak single-DES types and are listed ahead of
# RC4-HMAC; Windows 2003 AD typically issues RC4-HMAC tickets, so the DES
# entries mostly widen what this client will accept rather than being needed.
 default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

# realms: CORP.OBSCURED.COM = { ... } - three explicit KDCs on top of the
# DNS lookup enabled above.
  kdc = dmc01.corp.obscured.com
  kdc = dmc02.corp.obscured.com
  default_domain = CORP.OBSCURED.COM
  kdc = dmc03.corp.obscured.com

# domain_realm: NOTE(review): both entries map example.com, a name used
# nowhere else in this setup - this looks like the stock template left
# unedited. The mapping this host needs would presumably be
# .corp.obscured.com / corp.obscured.com = CORP.OBSCURED.COM - confirm.
 .example.com = CORP.OBSCURED.COM
 example.com = CORP.OBSCURED.COM

# kdc: only consulted when running a KDC; harmless on an AD client.
 profile = /var/kerberos/krb5kdc/kdc.conf

# appdefaults: consumed by pam_krb5. The pasted system-auth stack uses
# pam_winbind, not pam_krb5, so this block is not exercised by the SSH
# logins being tested.
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

# smb.conf
# NOTE(review): neither a [global] header nor a "realm =" line is shown.
# security = ads needs realm = CORP.OBSCURED.COM; the join output below does
# report that realm, so the line may simply have been dropped from the paste
# - confirm against the real file.
workgroup = CORP
netbios name = ADTEST01
server string = A test server
# Printing settings; unrelated to authentication, left as found.
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/%m.log
# log level = 10 is very verbose and fine while debugging, but the per-client
# logs then record account names and protocol detail in volume; drop it back
# to a low level once the join works.
log level = 10
max log size = 50
# security = ads: authenticate against AD with Kerberos; "password server = *"
# lets Samba locate the DCs itself instead of using a fixed list.
security = ads
encrypt passwords = yes
preferred master = no
# smb passwd file / unix password sync / passwd program / passwd chat only
# come into play when Samba changes a *local* Unix password; they take no
# part in authenticating domain users under security = ads.
smb passwd file = /etc/samba/smbpasswd
allow trusted domains = yes
unix password sync = yes
password server = *
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
pam password change = yes
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
# Domain users/groups are mapped into this UID/GID range by winbind; keep it
# clear of local accounts (the pasted system-auth treats uid < 100 as
# system accounts).
idmap uid = 10000-20000
idmap gid = 10000-20000
enhanced browsing = no
# Answers question 3: with "winbind use default domain = no" and a "+"
# separator, a domain account is known to the system (getent, ssh, ...) as
# CORP+username - not DOMAIN\username and not username@REALM.
winbind use default domain = no
winbind separator = +
# Enumeration is on, so the "wbinfo -u / -g" failures below are not caused
# by enumeration being disabled; they point at winbindd's connection to the
# DC (see the "wbinfo -t" result).
winbind enum users = yes
winbind enum groups = yes
# The home directory is only reported, never created: nothing in the pasted
# session stack (no pam_mkhomedir.so) makes /home/<user> for domain users.
template shell = /bin/bash
template homedir = /home/%U

# nsswitch.conf
# Account lookups go to local files first, then winbindd. This is what lets
# getent/ssh resolve a CORP+username account to a uid; while winbindd is not
# answering (see the wbinfo errors below) domain users are simply not found.
passwd:     files winbind
# NOTE(review): winbind does not provide a shadow map as far as I know; the
# entry is harmless but unnecessary - verify.
shadow:     files winbind
group:      files winbind

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
# NOTE(review): winbind serves no protocols/services/netgroup/automount
# data; listing it on these maps only adds a winbindd round-trip per lookup
# (presumably stock authconfig output). Safe to leave, safe to drop.
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  files
automount:  files winbind
aliases:    files


# net ads join -U Administrator
bhataadmin's password:
[2006/06/30 09:54:14, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for ADTEST01 already exists - modifying
old account
Using short domain name -- CORP
Joined 'ADTEST01' to realm 'CORP.OBSCURED.COM'

# kinit Administrator at CORP.OBSCURED.COM
Password for Administrator at CORP.OBSCURED.COM:

# wbinfo -u
Error looking up domain users
# wbinfo -g
Error looking up domain groups
# wbinfo -t
checking the trust secret via RPC calls failed
error code was  (0x0)
Could not check secret

Thanks very much.

