[Samba] AD logins using winbind looking for user in /etc/shadow
Jason Mogavero
chemhead at gmail.com
Wed Sep 6 00:00:56 GMT 2006
I'm running CentOS 4.3 with the most recent samba-client and samba-common
rpms. I've managed to configure samba/winbind to allow me to join the box
to the AD, create the UID and GID mappings, etc. However, when I try to
connect via ssh, the account cannot log in. /var/log/messages says the
following:
Sep 5 17:15:25 kdcdmz sshd[6263]: error: Could not get shadow information for jason.mogavero
Sep 5 17:15:25 kdcdmz sshd[6263]: Failed password for jason.mogavero from 172.16.102.28 port 3646 ssh2
net ads status, getent passwd, and wbinfo all show the expected output with
no errors. I'll include some of that output at the end of the config files.
It shouldn't be looking for a shadow password; it should be checking against
the AD user database, right? Here are my configs. I've pored over them
and compared them to several How-Tos and working configs and can't find
anything different. If this would be better placed in the PAM list, let me
know and I'll send it there.
/etc/samba/smb.conf
workgroup = KDCTEST
realm = KDCTEST.COM
password server = adauth.kdctest.com
security = ads
encrypt passwords = yes
allow trusted domains = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind separator = \
winbind cache time = 10
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%U
client use spnego = yes
/etc/krb5.conf
[libdefaults]
default_realm = kdctest.com
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[realms]
KDCTEST.COM = {
kdc = adauth.kdctest.com:88
admin_server = adauth.kdctest.com:749
default_domain = kdctest.com
}
kdctest.com = {
kdc = adauth.kdctest.com
admin_server = adauth.kdctest.com
}
KDCTEST.COM = {
kdc = adauth.kdctest.com
}
[domain_realm]
kdctest.com = KDCTEST.COM
.kdctest.com = KDCTEST.COM
adauth.kdctest.com = KDCTEST.COM
/etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: files
automount: files winbind
aliases: files
/etc/pam.d/sshd
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
And finally, /etc/pam.d/system-auth
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
#auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
#account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
#account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
#password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
#session optional /lib/security/$ISA/pam_krb5.so
Now here's some output from testing AD connectivity:
net ads info
LDAP server: 172.16.102.28
LDAP server name: adauth
Realm: KDCTEST.COM
Bind Path: dc=KDCTEST,dc=COM
LDAP port: 389
Server time: Tue, 05 Sep 2006 17:37:55 GMT
KDC server: 172.16.102.28
Server time offset: -14
getent passwd (just the AD stuff is shown here)
administrator:*:10000:10000:Administrator:/home/administrator:/bin/bash
guest:*:10001:10001:Guest:/home/guest:/bin/bash
adauth$:*:10002:10002:ADAUTH:/home/adauth_:/bin/bash
krbtgt:*:10003:10000:krbtgt:/home/krbtgt:/bin/bash
jason.mogavero:*:10004:10000:Jason Mogavero:/home/jason.mogavero:/bin/bash
kdctest02$:*:10005:10003:KDCTEST02:/home/kdctest02_:/bin/bash
kdcvps1$:*:10006:10003:kdcvps1:/home/kdcvps1_:/bin/bash
kdcdmz$:*:10007:10003:kdcdmz:/home/kdcdmz_:/bin/bash
wbinfo -u
Administrator
Guest
ADAUTH$
krbtgt
jason.mogavero
KDCTEST02$
kdcvps1$
kdcdmz$
Any ideas as to where the problem might lie? Thanks.