[Samba] getting samba to authenticate with kerberos/PAM
Guillermo Gutierrez
ggutierrez at marketscan.com
Thu Mar 9 01:29:58 GMT 2006
Oops, forgot to include the list.
I don't seem to have pam_unix2.so or pam_unix2.conf, just pam_unix.so.
Will pam_unix.so read a conf file?
-----Original Message-----
From: Trimble, Ronald D [mailto:Ronald.Trimble at unisys.com]
Sent: Wednesday, March 08, 2006 5:23 PM
To: Guillermo Gutierrez
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM
You should be able to do both. These are the instructions I used when I
configured my server. The only note I didn't make yet is that if you
are not using a winbind separator, you will need to specify a double
backslash when logging in. I can give you an example if you are not
sure what I am talking about.
-----Original Message-----
From: Guillermo Gutierrez [mailto:ggutierrez at marketscan.com]
Sent: Wednesday, March 08, 2006 8:14 PM
To: Trimble, Ronald D
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM
This is great, I am about to try it out. One question, should I still be
able to login as a local account through SSH?
I am paranoid about getting locked out as root (this happened once
before and I reinstalled gentoo).
-----Original Message-----
From: Trimble, Ronald D [mailto:Ronald.Trimble at unisys.com]
Sent: Wednesday, March 08, 2006 4:25 PM
To: Guillermo Gutierrez
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM
Setting up SSH to use AD accounts
Follow the directions in the Samba section of this wiki before
continuing with these steps since SSH logins will require the use of
winbind.
Make a backup of all files before editing anything since a mistake in a
PAM module could render your machine unusable.
Edit the /etc/pam.d/sshd file. Ours looks like this:
#%PAM-1.0
auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_unix2.so none # trace or debug
session required pam_limits.so
Next, edit /etc/security/pam_unix2.conf. Ours looks like this:
auth: call_modules=winbind
account: call_modules=winbind
password: blowfish
session: none
Finally, create the top level home directory and assign the proper
permissions.
Your default home directories will be created in /home/domain/username.
mkdir /home/domain
chmod 755 /home/domain
When you login via SSH, use your AD account. Remember in Samba we
configured the winbind separator to be a '+'. I, for example, would log
in as NA+trimblrd and then specify my NA password. Once I do this, a
home directory will be created for me.
If everything works, your login will look like this.
login as: NA+trimblrd
Using keyboard-interactive authentication.
Password:
Last login: Tue Dec 20 12:29:08 2005 from ustr-trimblrd.na.uis.unisys.com
NA+trimblrd at USTR-LINUXTEST:~>
Logging into the server with an AD account
If you want to take this example a step further, you can also configure
your server so that you can use your AD account to log on locally or
through VNC. To enable this requires modifying only one more file.
Edit /etc/pam.d/login. (Remember to make a backup.) Ours looks like
this:
#%PAM-1.0
auth requisite pam_unix2.so nullok #set_secrpc
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_unix2.so none # debug or trace
session required pam_limits.so
session required pam_resmgr.so
Now you will be able to log onto the server without the use of a local
account.
Retrieved from "http://ustr-linux-1/wiki/index.php/SSH"
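The sshd/login steps in the wiki text above, as an added shell checklist that is not from the thread, the wiki or the Samba project: it reads a PAM stack and pam_unix2.conf in the form the instructions show and confirms the home parent directory, reporting what is missing before a root session is closed. The file paths, the plain control-keyword syntax the regex expects, and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the winbind-backed PAM
# stacks described above. Paths are assumptions; the real files live in
# /etc/pam.d/ and /etc/security/ on the box being checked.

# pam_has_module PAMFILE TYPE MODULE
# Succeeds if a non-comment line of group TYPE (auth/account/password/session)
# loads MODULE. Bracketed "[...]" control syntax is not matched (not used here).
pam_has_module() {
    grep -E "^[[:space:]]*$2[[:space:]]+[a-z_]+[[:space:]]+$3" "$1" >/dev/null 2>&1
}

# unix2_calls_winbind CONF TYPE
# Succeeds if pam_unix2.conf routes TYPE through winbind, e.g.
# "auth: call_modules=winbind" (winbind may follow other modules in the list).
unix2_calls_winbind() {
    grep -E "^[[:space:]]*$2:[[:space:]]*call_modules=([a-z_]+,)*winbind" "$1" >/dev/null 2>&1
}

# check_stack PAMFILE CONF
# Prints one line per problem and returns the number of problems found.
check_stack() {
    problems=0
    for type in auth account session; do
        pam_has_module "$1" "$type" pam_unix2.so || {
            echo "MISSING: $type stack in $1 does not load pam_unix2.so"
            problems=$((problems + 1)); }
    done
    for type in auth account; do
        unix2_calls_winbind "$2" "$type" || {
            echo "MISSING: $2 has no '$type: call_modules=winbind'"
            problems=$((problems + 1)); }
    done
    pam_has_module "$1" session pam_mkhomedir.so || {
        echo "WARN: no pam_mkhomedir.so in session stack; /home/domain/<user> is never created"
        problems=$((problems + 1)); }
    return $problems
}

# check_home DIR
# The parent of the per-user home directories must exist and be mode 0755.
check_home() {
    [ -d "$1" ] || { echo "MISSING: $1 (mkdir $1 && chmod 755 $1)"; return 1; }
    [ -n "$(find "$1" -prune -perm 0755 -print)" ] || { echo "WARN: $1 is not mode 0755"; return 1; }
}

# Run as: sh pamcheck.sh /etc/pam.d/sshd /etc/security/pam_unix2.conf /home/domain
if [ "$#" -eq 3 ]; then
    check_stack "$1" "$2"
    check_home "$3"
fi
```

Run it from a root shell you keep open until a second SSH session with a DOMAIN+user account has succeeded, since a broken stack is exactly the lockout the thread worries about.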
-----Original Message-----
From: samba-bounces+ronald.trimble=unisys.com at lists.samba.org
[mailto:samba-bounces+ronald.trimble=unisys.com at lists.samba.org] On Behalf Of Guillermo Gutierrez
Sent: Wednesday, March 08, 2006 6:14 PM
To: samba at lists.samba.org
Subject: FW: [Samba] getting samba to authenticate with kerberos/PAM
Ummm... is there certain info that I need to be including the first time
through?
I have been fighting with this problem for a week now and I have not
gotten any responses since my first or second thread.
I am stuck/lost/frustrated and at the mercy of everyone on this list
who knows samba much better than me.
Please help me, I am pretty sure this is just some misconfiguration on
my part.
-----Original Message-----
From: samba-bounces+ggutierrez=marketscan.com at lists.samba.org
[mailto:samba-bounces+ggutierrez=marketscan.com at lists.samba.org] On Behalf Of Guillermo Gutierrez
Sent: Wednesday, March 08, 2006 11:02 AM
To: samba at lists.samba.org
Subject: [Samba] getting samba to authenticate with kerberos/PAM
Hello,
I reeeeally need someone's help here. I have read guide after guide from all
sorts of sources but I still cannot get samba to authenticate a domain
login via winbind off of the windows 2003 DC on our network.
Here is what I can do:
I can successfully do a kinit command and can verify the existence of
the samba server in active directory on the DC.
I can login using domain profiles on the samba server linux box's
(Gentoo) console.
I can login as root from ssh only, not at the console.
I can not login with domain profiles through ssh (haven't tried to
modify /etc/pam.d/sshd for fear of not being able to login as root at
all).
I can get to my /home/samba/public samba share through NetBIOS.
I can not get into my /home/<DOMAIN>/<domainuser> samba share, I receive
a "network path not found" error in windows.
When the above happens, one samba log (log.<machinename>) will say:
[2006/03/08 10:36:19, 5] smbd/reply.c:reply_special(537)
init msg_type=0x81 msg_flags=0x0
[2006/03/08 10:36:19, 0] lib/util_sock.c:write_data(557)
write_data: write failure in writing to client 10.11.7.56. Error Connection reset by peer
[2006/03/08 10:36:19, 0] lib/util_sock.c:send_smb(765)
Error writing 4 bytes to client. -1. (Connection reset by peer)
[2006/03/08 10:36:19, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/03/08 10:36:19, 5] auth/auth_util.c:debug_nt_user_token(433)
NT user token: (NULL)
[2006/03/08 10:36:19, 5] auth/auth_util.c:debug_unix_user_token(454)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2006/03/08 10:36:19, 5] smbd/uid.c:change_to_root_user(324)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/03/08 10:36:19, 2] smbd/server.c:exit_server(614)
Closing connections
[2006/03/08 10:36:19, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2006/03/08 10:36:19, 3] smbd/connection.c:yield_connection(76)
yield_connection: tdb_delete for name failed with error Record does not exist.
[2006/03/08 10:36:19, 3] smbd/server.c:exit_server(655)
Server exit (process_smb: send_smb failed.)
The other samba log (log.<IPAddress>) will say:
[2006/03/08 10:40:26, 5] auth/auth_util.c:debug_nt_user_token(433)
NT user token: (NULL)
[2006/03/08 10:40:26, 5] auth/auth_util.c:debug_unix_user_token(454)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2006/03/08 10:40:26, 5] smbd/uid.c:change_to_root_user(324)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/03/08 10:40:26, 5] lib/util.c:show_msg(454)
[2006/03/08 10:40:26, 5] lib/util.c:show_msg(464)
size=35
smb_com=0x71
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=1
smb_pid=65279
smb_uid=101
smb_mid=448
smt_wct=0
smb_bcc=0
[2006/03/08 10:40:26, 3] smbd/process.c:timeout_processing(1447)
timeout_processing: End of file from client (client has disconnected).
[2006/03/08 10:40:26, 5] lib/gencache.c:gencache_shutdown(89)
Closing cache file
[2006/03/08 10:40:26, 5] libsmb/namecache.c:namecache_shutdown(79)
namecache_shutdown: netbios namecache closed successfully.
[2006/03/08 10:40:26, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/03/08 10:40:26, 5] auth/auth_util.c:debug_nt_user_token(433)
NT user token: (NULL)
[2006/03/08 10:40:26, 5] auth/auth_util.c:debug_unix_user_token(454)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2006/03/08 10:40:26, 5] smbd/uid.c:change_to_root_user(324)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/03/08 10:40:26, 2] smbd/server.c:exit_server(614)
Closing connections
[2006/03/08 10:40:26, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2006/03/08 10:40:26, 3] smbd/server.c:exit_server(655)
Server exit (normal exit)
and a whole bunch of other stuff that extends into the .old archive of
this log.
Please help me figure out what the source of my issue is or point me to
a step-by-step set of instructions that will work.
Here is some info on my setup:
Samba Server: samba 3.0.21c on a Gentoo Linux system
Network: windows 2003 Active Directory domain with a Novell
Server on the network.
OS of client used for testing connection: windows XP SP2
thanks in advance,
Guillermo Gutierrez
Development Systems Engineer
Market Scan Information Systems
(818) 575-2000 x2427
ggutierrez at marketscan.com
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba