[Samba] winbind auth against ads not working via remote login-solaris 10. - Success!!

Garrett, Joseph JGARRETT at southernco.com
Tue Sep 5 13:20:08 GMT 2006


Update: Success!!!!

The corrective action was to move the below pam.conf settings to the top
of each section.

auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass
account sufficient      /usr/lib/security/pam_winbind.so try_first_pass
session sufficient      /usr/lib/security/pam_winbind.so try_first_pass
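
As an added illustration (not part of the original thread), the Python script below simulates how Solaris pam.conf control flags are evaluated for the `login auth` stack posted further down, and shows why a `sufficient` pam_winbind line appended at the bottom of the section still fails an AD user while the same line at the top succeeds. The per-module outcomes (pam_unix_auth knows only local accounts, pam_winbind only domain accounts, the remaining modules succeed) and the user names other than jgarrett are constructed assumptions, not the behaviour of the real modules.

```python
"""Added example: simulate Solaris pam.conf control-flag evaluation to show
why the position of the 'sufficient' pam_winbind line decides whether an
AD user can log in.  Module behaviour is constructed for illustration."""

# Constructed account data: which backend can authenticate which user.
LOCAL_USERS = {"root", "visitor"}        # in /etc/passwd + /etc/shadow
DOMAIN_USERS = {"jgarrett"}              # MYDOMAIN accounts seen via winbind

# Constructed pam.conf fragment: the 'login auth' stack as posted, with the
# pam_winbind line appended at the bottom of the section.
PAM_CONF_POSTED = """\
# login service (explicit because of pam_dial_auth)
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
"""


def parse_pam_conf(text, service, mtype):
    """Return the [(control_flag, module)] stack for one service and module
    type from pam.conf text (format: service type flag module [options]).
    The module is reduced to its basename so relative and absolute paths,
    both accepted by Solaris, compare equally."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4 or fields[0] != service or fields[1] != mtype:
            continue
        stack.append((fields[2], fields[3].rsplit("/", 1)[-1]))
    return stack


def module_result(module, user):
    """Constructed outcome (True = PAM_SUCCESS) of one module for a user."""
    if module.startswith("pam_unix_auth"):
        return user in LOCAL_USERS        # local password database only
    if module.startswith("pam_winbind"):
        return user in DOMAIN_USERS       # winbindd answers for AD users only
    return True   # pam_authtok_get, pam_dhkeys, pam_unix_cred, pam_dial_auth


def evaluate_stack(stack, user):
    """Walk the stack with pam.conf(4) control-flag semantics and return
    True if authentication is granted:
      requisite  - failure ends the stack with failure at once
      required   - failure is recorded; later modules still run
      sufficient - success with no earlier required/requisite failure ends
                   the stack with success; failure is ignored
      binding    - success with no earlier failure ends the stack with
                   success; failure is recorded like 'required'
      optional   - only counts when it is the sole module in the stack
    """
    required_failed = False
    for flag, module in stack:
        ok = module_result(module, user)
        if flag == "optional":
            if len(stack) == 1:
                return ok
            continue
        if flag == "requisite" and not ok:
            return False
        if flag in ("required", "binding") and not ok:
            required_failed = True
        elif flag in ("sufficient", "binding") and ok and not required_failed:
            return True
    return not required_failed


def move_winbind_to_top(stack):
    """The corrective action from the thread: same lines, pam_winbind first."""
    winbind = [e for e in stack if e[1].startswith("pam_winbind")]
    others = [e for e in stack if not e[1].startswith("pam_winbind")]
    return winbind + others


def outcomes(stack, users=("jgarrett", "root", "nosuchuser")):
    """Map each user to the stack's verdict."""
    return {u: evaluate_stack(stack, u) for u in users}


if __name__ == "__main__":
    posted = parse_pam_conf(PAM_CONF_POSTED, "login", "auth")
    print("pam_winbind last :", outcomes(posted))
    print("pam_winbind first:", outcomes(move_winbind_to_top(posted)))
```

With pam_winbind last, jgarrett is refused even though winbind says NT_STATUS_OK, because the `required` pam_unix_auth failure earlier in the stack was already recorded and a later `sufficient` success cannot override it. With pam_winbind first, the `sufficient` success returns before pam_unix_auth runs. The simulation also makes the trade-off visible: a successful winbind authentication in that position returns before pam_dial_auth and the other `required` modules, so whatever they enforce is skipped for domain users, while local accounts are unaffected because a winbind failure under `sufficient` is simply ignored.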

-----Original Message-----
From: Garrett, Joseph 
Sent: Thursday, August 31, 2006 8:40 AM
To: samba at lists.samba.org
Subject: RE: [Samba] winbind auth against ads not working via remote login-solaris 10.

Update: the OS is not allowing a winbind auth on the Solaris 10 console.

I added the below winbind options (see smb.conf). I now get
"NT_STATUS_OK" for the user (see winbind log) as I try to log in, but
Solaris 10 still reports "Login Incorrect". What other OS configuration am
I missing? Do the nss_winbind.so libraries need to be copied anywhere else?



I copied the libnss_winbind.so  to /lib and /usr/lib and made the below
links.
/lib/nss_winbind.so     
/lib/nss_winbind.so.1

Nsswitch.conf is using "file nis winbind". See pam.conf below.

Thanks and God bless!


Winbind Log:------------------
[2006/08/31 08:17:43, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(445)
  Plain-text authentication for user jgarrett returned NT_STATUS_OK (PAM: 0)


Smb.conf----------------

# cat smb.conf
# Global parameters
[global]
        workgroup = MYDOMAIN
        server string = Samba Server pdtsun03
        password server = MYPWDSERVERS
        encrypt passwords = yes
        log level = 10
        log file = /usr/local/samba/var/log.%m
        max log size = 50
        dns proxy = No
        guest account = visitor

realm = MYREALM
security = ads
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000

winbind cache time = 2
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes

winbind uid = 20001-40000
winbind gid = 20001-40000

# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)


Pam.conf--------------

# cat /etc/pam.conf
#
#ident  "@(#)pam.conf   1.28    04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
rlogin  auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
krlogin auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
rsh     auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
krsh    auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
ktelnet auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
other   auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
passwd  auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug

#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account sufficient      /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
other   session sufficient      /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
other   password sufficient     /usr/lib/security/pam_winbind.so try_first_pass use_authtok debug

#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#



-----Original Message-----
From: samba-bounces+jgarrett=southernco.com at lists.samba.org [mailto:samba-bounces+jgarrett=southernco.com at lists.samba.org] On Behalf Of Garrett, Joseph
Sent: Tuesday, August 29, 2006 2:56 PM
To: samba at lists.samba.org
Subject: [Samba] winbind auth against ads not working via remote login-solaris 10.

I am attempting to use winbind for Telnet authentication, but winbind PAM
doesn't recognize the ADS realm or the smb.conf workgroup. See the error snapshot.
 
pdtsun03 is the hostname of the Solaris 10 ADS domain member running Samba
3.0.11. "net ads join" worked, "net ads user" returns all MYADSDOMAIN
users, and Samba shares work from both the Unix and NT side.
 
One note: after make install, I had to manually copy the compiled
nsswitch/pam_winbind.so file to /usr/lib/security. Thanks for the help.
 
samba configured args:
./configure --with-ads --with-winbind --with-krb5=/usr/local --with-pam
 
-------------------------
error snapshot:
 
[2006/08/29 14:31:49, 8] lib/util.c:is_myname(1810)
  is_myname("PDTSUN03") returns 1
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
  Authentication for domain PDTSUN03 (local domain to this server) not supported at this stage
[2006/08/29 14:31:49, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
  Plain-text authentication for user jgarrett returned NT_STATUS_NO_SUCH_USER (PAM: 13)
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)

---------------------------------
smb.conf
# Global parameters
[global]
        workgroup = MYADSDOMAIN
        server string = Samba Server pdtsun03
        password server = MYPWDSERVER(s)
        encrypt passwords = yes
        log level = 10
        log file = /usr/local/samba/var/log.%m
        max log size = 50
        dns proxy = No
        guest account = visitor
 
realm = MYREALM.COM
security = ads
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
 

[homes]
        comment = Home Directories
        read only = No
        browseable = No
 
[tmp]
        comment = Temporary file space
        path = /tmp
        read only = No

---------------------------------------
 
detail error - with debug level at 10:
 
[2006/08/29 14:31:49, 6] nsswitch/winbindd.c:new_connection(356)
  accepted socket 19
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
  process_request: request fn INTERFACE_VERSION
[2006/08/29 14:31:49, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [19587]: request interface version
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/08/29 14:31:49, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [19587]: request location of privileged pipe
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(569)
  client_write: need to write 47 extra data bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 47 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(558)
  client_write: client_write: complete response written.
[2006/08/29 14:31:49, 6] nsswitch/winbindd.c:new_connection(356)
  accepted socket 20
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
  process_request: request fn PAM_AUTH
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(179)
  [19587]: pam auth jgarrett
[2006/08/29 14:31:49, 8] lib/util.c:is_myname(1810)
  is_myname("PDTSUN03") returns 1
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
  Authentication for domain PDTSUN03 (local domain to this server) not supported at this stage
[2006/08/29 14:31:49, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
  Plain-text authentication for user jgarrett returned NT_STATUS_NO_SUCH_USER (PAM: 13)
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2006/08/29 14:31:49, 5] nsswitch/winbindd.c:winbind_client_read(477)
  read failed on sock 19, pid 19587: EOF
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2006/08/29 14:31:49, 5] nsswitch/winbindd.c:winbind_client_read(477)
  read failed on sock 20, pid 19587: EOF

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
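
An added example, not part of the thread: the winbindd log excerpts above are two-line records (a `[timestamp, level] file:function(line)` header followed by an indented message), and the interesting facts are spread across neighbouring records. The Python below regroups such a log into records, extracts every PAM authentication outcome, and attaches the preceding "local domain to this server" notice to it, so that a NT_STATUS_NO_SUCH_USER is shown together with the reason the log gives for it: the request was routed to the member server's own domain (PDTSUN03) rather than the AD domain. The sample log is a constructed composite of lines quoted in the thread; the record format and status strings are as they appear there.

```python
"""Added example: parse winbindd log records and summarise PAM auth outcomes.
The sample log is a constructed composite of lines quoted in the thread."""
import re

SAMPLE_LOG = """\
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(179)
  [19587]: pam auth jgarrett
[2006/08/29 14:31:49, 8] lib/util.c:is_myname(1810)
  is_myname("PDTSUN03") returns 1
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
  Authentication for domain PDTSUN03 (local domain to this server) not supported at this stage
[2006/08/29 14:31:49, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
  Plain-text authentication for user jgarrett returned NT_STATUS_NO_SUCH_USER (PAM: 13)
[2006/08/31 08:17:43, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(445)
  Plain-text authentication for user jgarrett returned NT_STATUS_OK (PAM: 0)
"""

# Record header: "[YYYY/MM/DD HH:MM:SS, level] source_file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+)$")
# Outcome line written by winbindd_pam_auth / winbindd_dual_pam_auth
RESULT = re.compile(
    r"Plain-text authentication for user (\S+) returned (NT_STATUS_\w+) \(PAM: (\d+)\)")
# Diagnostic that explains a NO_SUCH_USER: the lookup went to the local domain
LOCAL_DOMAIN = re.compile(
    r"Authentication for domain (\S+) \(local domain to this server\) not supported")


def parse_records(text):
    """Group log lines into (timestamp, level, source, message) tuples.
    Continuation lines (indented, or wrapped by a mail client) are joined
    onto the message of the most recent header."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                records.append((current[0], current[1], current[2], " ".join(current[3])))
            current = (m.group(1), int(m.group(2)), m.group(3), [])
        elif current is not None and line.strip():
            current[3].append(line.strip())
    if current:
        records.append((current[0], current[1], current[2], " ".join(current[3])))
    return records


def auth_results(text):
    """Return one dict per PAM auth outcome found in the log.  A preceding
    'local domain to this server' notice is carried into the next outcome
    as its 'note', since that is the explanation the log offers."""
    results, pending_note = [], None
    for ts, level, src, msg in parse_records(text):
        m = LOCAL_DOMAIN.search(msg)
        if m:
            pending_note = ("user name was resolved against local domain %s, "
                            "not the AD domain" % m.group(1))
            continue
        m = RESULT.search(msg)
        if m:
            status = m.group(2)
            results.append({"time": ts, "user": m.group(1), "status": status,
                            "pam": int(m.group(3)), "ok": status == "NT_STATUS_OK",
                            "note": pending_note})
            pending_note = None
    return results


if __name__ == "__main__":
    for r in auth_results(SAMPLE_LOG):
        verdict = "OK  " if r["ok"] else "FAIL"
        print("%s %s user=%s %s (PAM %d)%s" % (
            r["time"], verdict, r["user"], r["status"], r["pam"],
            "  <- " + r["note"] if r["note"] else ""))
```

Run against a real log it is a quick way to confirm, as the second message in the thread did, that the outcome moved from NT_STATUS_NO_SUCH_USER to NT_STATUS_OK after the smb.conf winbind options were added, and to separate a winbind-side refusal from the PAM-ordering problem fixed in the final message, where winbind already returned NT_STATUS_OK yet the console still reported "Login Incorrect".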

