[Samba] getting samba to authenticate with kerberos/PAM

Trimble, Ronald D Ronald.Trimble at unisys.com
Thu Mar 9 04:08:26 GMT 2006


No problem.  Glad I could point you in the right direction.

-----Original Message-----
From: Guillermo Gutierrez [mailto:ggutierrez at marketscan.com] 
Sent: Wednesday, March 08, 2006 10:08 PM
To: Trimble, Ronald D
Cc: samba at lists.samba.org
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM

well...
after some playing around with the example you provided to me, I finally
got it to work.
I did have to do things a little different, but I finally got it to
work.

thank you sooo much for your help, here is how my /etc/pam.d/sshd looks:

#%PAM-1.0

auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass likeauth nullok
auth       required     /lib/security/pam_shells.so
auth       required     /lib/security/pam_deny.so
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_env.so

account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_unix.so
account    required     /lib/security/pam_nologin.so

#password   required     /lib/security/pam_pwcheck.so
password   required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_unix.so use_first_pass use_authtok

session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077

I realize that some of these lines might not be needed, I just have to
figure out which ones and remove them for clean up.

thanks again,

Guillermo Gutierrez

-----Original Message-----
From: Trimble, Ronald D [mailto:Ronald.Trimble at unisys.com]
Sent: Wednesday, March 08, 2006 4:25 PM
To: Guillermo Gutierrez
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM


Setting up SSH to use AD accounts
Follow the directions in the Samba section of this wiki before
continuing with these steps since SSH logins will require the use of
winbind. 

Make a backup of all files before editing anything since a mistake in a
PAM module could render your machine unusable. 

Edit the /etc/pam.d/sshd file. Ours looks like this: 

#%PAM-1.0
auth      required       pam_unix2.so      # set_secrpc
auth      required       pam_nologin.so
auth      required       pam_env.so
account   required       pam_unix2.so
account   required       pam_nologin.so
password  required       pam_pwcheck.so
password  required       pam_unix2.so      use_first_pass use_authtok
session   optional       pam_mkhomedir.so  skel=/etc/skel/ umask=0077
session   required       pam_unix2.so      none # trace or debug
session   required       pam_limits.so
Next, edit /etc/security/pam_unix2.conf. Ours looks like this: 

auth:           call_modules=winbind
account:        call_modules=winbind
password:       blowfish
session:        none
Finally, create the top level home directory and assign the proper
permissions. 

Your default home directories will be created in /home/domain/username. 

mkdir /home/domain
chmod 755 /home/domain
When you login via SSH, use your AD account. Remember in Samba we
configured the winbind separator to be a '+'. I, for example, would log
in as NA+trimblrd and then specify my NA password. Once I do this, a
home directory will be created for me. 

If everything works, your login will look like this. 

login as: NA+trimblrd
Using keyboard-interactive authentication.
Password:
Last login: Tue Dec 20 12:29:08 2005 from ustr-trimblrd.na.uis.unisys.com
NA+trimblrd at USTR-LINUXTEST:~>
Logging into the server with an AD account
If you want to take this example a step further, you can also configure
your server so that you can use your AD account to log on locally or
through VNC. To enable this requires modifying only one more file. 

Edit /etc/pam.d/login. (Remember to make a backup.) Ours looks like
this: 

#%PAM-1.0
auth      requisite      pam_unix2.so            nullok #set_secrpc
auth      required       pam_securetty.so
auth      required       pam_nologin.so
auth      required       pam_env.so
auth      required       pam_mail.so
account   required       pam_unix2.so
password  required       pam_pwcheck.so          nullok
password  required       pam_unix2.so            nullok use_first_pass use_authtok
session   optional       pam_mkhomedir.so        skel=/etc/skel/ umask=0077
session   required       pam_unix2.so            none # debug or trace
session   required       pam_limits.so
session   required       pam_resmgr.so
Now you will be able to log onto the server without the use of a local
account. 

Retrieved from "http://ustr-linux-1/wiki/index.php/SSH"

-----Original Message-----
From: samba-bounces+ronald.trimble=unisys.com at lists.samba.org
[mailto:samba-bounces+ronald.trimble=unisys.com at lists.samba.org] On
Behalf Of Guillermo Gutierrez
Sent: Wednesday, March 08, 2006 6:14 PM
To: samba at lists.samba.org
Subject: FW: [Samba] getting samba to authenticate with kerberos/PAM

ummm....is there certain info that I need to be including the first time
through?
I have been fighting with this problem for a week now and I have not
gotten any responses since my first or second thread. 

I am stuck/lost/frustrated and at the mercy of the everyone in this list
who knows samba much better than me.
Please help me, I am pretty sure this is just some misconfiguration on
my part.

-----Original Message-----
From: samba-bounces+ggutierrez=marketscan.com at lists.samba.org
[mailto:samba-bounces+ggutierrez=marketscan.com at lists.samba.org] On
Behalf Of Guillermo Gutierrez
Sent: Wednesday, March 08, 2006 11:02 AM
To: samba at lists.samba.org
Subject: [Samba] getting samba to authenticate with kerberos/PAM


Hello,
I reeeeally  need someone's help here. I guide after guide from all
sorts of sources but I still cannot get samba to authenticate a domain
login via winbind off of the windows 2003 DC on our network. 

Here is what I can do:
I can successfully do a kinit command and can verify the existence of
the samba server in active directory on the DC.
I can login using domain profiles on the samba server linux box's
(Gentoo) console.
I can login as root from ssh only, not at the console.
I can not login with domain profiles through ssh (haven't tried to
modify /etc/pam.d/sshd for fear of not being able to login as root at
all).
I can get to my /home/samba/public samba share through netBIOS.
I can not get into my /home/<DOMAIN>/<domainuser> samba share, I receive
a "network path not found" error in windows.
When the above happens, one samba log (log.<machinename>) will say:

[2006/03/08 10:36:19, 5] smbd/reply.c:reply_special(537)
  init msg_type=0x81 msg_flags=0x0
[2006/03/08 10:36:19, 0] lib/util_sock.c:write_data(557)
  write_data: write failure in writing to client 10.11.7.56. Error Connection reset by peer
[2006/03/08 10:36:19, 0] lib/util_sock.c:send_smb(765)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2006/03/08 10:36:19, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/03/08 10:36:19, 5] auth/auth_util.c:debug_nt_user_token(433)
  NT user token: (NULL)
[2006/03/08 10:36:19, 5] auth/auth_util.c:debug_unix_user_token(454)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/03/08 10:36:19, 5] smbd/uid.c:change_to_root_user(324)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/03/08 10:36:19, 2] smbd/server.c:exit_server(614)
  Closing connections
[2006/03/08 10:36:19, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2006/03/08 10:36:19, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does not exist.
[2006/03/08 10:36:19, 3] smbd/server.c:exit_server(655)
  Server exit (process_smb: send_smb failed.)

The other samba log (log.<IPAddress>) will say:

[2006/03/08 10:40:26, 5] auth/auth_util.c:debug_nt_user_token(433)
  NT user token: (NULL)
[2006/03/08 10:40:26, 5] auth/auth_util.c:debug_unix_user_token(454)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/03/08 10:40:26, 5] smbd/uid.c:change_to_root_user(324)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/03/08 10:40:26, 5] lib/util.c:show_msg(454)
[2006/03/08 10:40:26, 5] lib/util.c:show_msg(464)
  size=35
  smb_com=0x71
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=1
  smb_pid=65279
  smb_uid=101
  smb_mid=448
  smt_wct=0
  smb_bcc=0
[2006/03/08 10:40:26, 3] smbd/process.c:timeout_processing(1447)
  timeout_processing: End of file from client (client has disconnected).
[2006/03/08 10:40:26, 5] lib/gencache.c:gencache_shutdown(89)
  Closing cache file
[2006/03/08 10:40:26, 5] libsmb/namecache.c:namecache_shutdown(79)
  namecache_shutdown: netbios namecache closed successfully.
[2006/03/08 10:40:26, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/03/08 10:40:26, 5] auth/auth_util.c:debug_nt_user_token(433)
  NT user token: (NULL)
[2006/03/08 10:40:26, 5] auth/auth_util.c:debug_unix_user_token(454)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/03/08 10:40:26, 5] smbd/uid.c:change_to_root_user(324)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/03/08 10:40:26, 2] smbd/server.c:exit_server(614)
  Closing connections
[2006/03/08 10:40:26, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2006/03/08 10:40:26, 3] smbd/server.c:exit_server(655)
  Server exit (normal exit)

and a whole bunch of other stuff that extends into the .old archive of
this log.

Please help me figure out what the source of my issue is or point me to
a step-by-step set of instructions that will work.

Here is some info on my setup:

Samba Server: samba 3.0.21c on a Gentoo Linux system
Network: 	windows 2003 Active Directory domain with a Novell
Server on the network.
OS of client used for testing connection: windows XP SP2

thanks in advance, 

Guillermo Gutierrez
Development Systems Engineer
Market Scan Information Systems
(818) 575-2000 x2427
ggutierrez at marketscan.com

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
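The sshd stacks posted in this thread are worth reading with the Linux-PAM control-flag rules in hand: a "sufficient" module that succeeds ends the stack at once, a "required" failure is remembered but the remaining modules still run, and "requisite" fails immediately. The simulator below is an added illustration (not Samba's, the wiki's, or either poster's code) that parses the "auth" section of Guillermo's working /etc/pam.d/sshd, with the mail-wrapped lines joined, and walks it for three constructed scenarios: an AD user that winbind accepts, a local user that winbind rejects but pam_unix accepts, and a wrong password everywhere. The module outcomes fed in are assumptions, since no PAM library is loaded; the point is to see which lines actually execute in each case, which is the question his "some of these lines might not be needed" remark raises.

```python
# Added illustration: a small simulator for Linux-PAM control flags, so the
# ordering of the sshd stack posted in this thread can be reasoned about.
# Not Samba's, the wiki's, or either poster's code.

# Constructed input: the "auth" section of the working /etc/pam.d/sshd from
# the thread, with the mail-wrapped lines joined back onto one line each.
SSHD_AUTH_STACK = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass likeauth nullok
auth       required     /lib/security/pam_shells.so
auth       required     /lib/security/pam_deny.so
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_env.so
"""


def parse_stack(text, stack_type):
    """Return [(control, module, args)] for the lines of one PAM stack type.

    Comments (# ...) and blank lines are skipped; the module path is reduced
    to its basename so /lib/security/pam_unix.so and pam_unix.so compare equal.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        if fields[0] != stack_type:
            continue
        control, module = fields[1], fields[2].rsplit("/", 1)[-1]
        entries.append((control, module, fields[3:]))
    return entries


def simulate(entries, outcomes):
    """Walk a stack with the classic required/requisite/sufficient/optional rules.

    outcomes maps module basename -> True (PAM_SUCCESS) or False (any error).
    Modules absent from the map are assumed to succeed, which is what
    pam_env, pam_nologin and pam_shells do on an ordinary login. pam_deny and
    pam_permit have fixed results. Returns (stack_passed, trace), where trace
    lists every module that actually ran as (module, result).
    """
    trace = []
    required_failed = False
    for control, module, _args in entries:
        if module == "pam_deny.so":
            ok = False
        elif module == "pam_permit.so":
            ok = True
        else:
            ok = outcomes.get(module, True)
        trace.append((module, ok))
        if control == "required":
            # failure is remembered but the rest of the stack still runs
            required_failed = required_failed or not ok
        elif control == "requisite":
            # failure ends the stack immediately
            if not ok:
                return False, trace
        elif control == "sufficient":
            # success ends the stack with PAM_SUCCESS unless a required
            # module already failed; a failure here is simply ignored
            if ok and not required_failed:
                return True, trace
        elif control == "optional":
            pass  # ignored unless it is the only module in the stack
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return not required_failed, trace


def never_run(entries, outcomes):
    """Modules that the given outcomes cause the stack to short-circuit past."""
    _passed, trace = simulate(entries, outcomes)
    ran = {module for module, _ in trace}
    return [module for _c, module, _a in entries if module not in ran]


if __name__ == "__main__":
    stack = parse_stack(SSHD_AUTH_STACK, "auth")
    scenarios = [
        ("AD user, winbind accepts", {"pam_winbind.so": True}),
        ("local user, winbind rejects", {"pam_winbind.so": False, "pam_unix.so": True}),
        ("bad password everywhere", {"pam_winbind.so": False, "pam_unix.so": False}),
    ]
    for label, outcomes in scenarios:
        passed, trace = simulate(stack, outcomes)
        print(f"{label}: {'PASS' if passed else 'FAIL'}; ran {[m for m, _ in trace]}")
        print(f"  skipped: {never_run(stack, outcomes)}")
```

Running it shows that when winbind accepts the password the stack returns success after the first line, so pam_shells, pam_nologin and pam_env never execute for AD users on this stack; they only run on the failure path, where the "required pam_deny.so" line is what guarantees a FAIL once both sufficient modules have rejected the password. Moving the required modules above the sufficient ones is the usual way to make them apply to every login.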