[Samba] Samba, winbind, krb5 Auth problem
Eric.PORTRAIT at external.thalesgroup.com
Eric.PORTRAIT at external.thalesgroup.com
Tue Sep 5 10:15:42 GMT 2006
Hi all
I'm actually trying to setup an AD authentication on linux workstations.
- I've setup an windows AD 2003 server, which work fine.
- I've setup linux redhat 4 enterprise server (used as a workstation for the moment)
- On the redhat, I already have setup smb.conf, krb5.conf, nsswitch.conf, pam.d/login, pam.d/system_auth. I have pasted all these files below.
==> I get successful result using wbinfo -u and wbinfo -g
==> kinit user2 works fine (user2 is one of my AD users)
==> net join works, i get a nes computer on my windows AD console
but getent password doesn't works, and, of course, I cannot authenticate on Linux using AD account.
Any help would be welcome, I have to make this working by the end of the week.
Regards
===============================================================================
SMB.CONF
[global]
security = domain
realm = SD1.COM
password server = winsd1.sd1.com
workgroup = SD1
winbind separator = +
idmap uid = 10000-29999
idmap gid = 10000-29999
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
server string =
log file = /var/log/samba/%m.log
max log size = 50
domain logons = yes
dns proxy = no
winbind use default domain = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
===============================================================================
nssswitch.conf
passwd: compat winbind
shadow: compat winbind
group: compat winbind
#passwd: files winbind krb5 ldap
#shadow: files winbind krb5 ldap
#group: files winbind krb5 ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind ldap
rpc: files winbind
services: files winbind ldap
netgroup: files winbind ldap
publickey: nisplus
automount: files winbind ldap
aliases: files nisplus
===============================================================================
krb.conf
[logging]
default = FILE:/var/log/krb5libs.log
# kdc = FILE:/var/log/krb5kdc.log
# admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SD1.COM
ticket_lifetime = 24000
#dns_lookup_realm = true
# dns_lookup_kdc = true
default_tkt-enctypes = 3des-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-ctsarcfour-hmac-md5
default_tgs-enctypes = 3des-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-ctsarcfour-hmac-md5
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
SD1.COM = {
# kdc = winsd1.sd1.com
kdc = winsd1.sd1.com:88
admin_server = winsd1.sd1.com:749
default_domain = SD1.COM
kdc = winsd1.sd1.com
}
# sd1.com = {
# kdc = winsd1.sd1.com:88
# admin_server = winsd1.sd1.com:749
# }
[domain_realm]
.sd1.com = SD1.COM
sd1.com = SD1.COM
#SD1.COM = sd1.com
.#SD1.COM = sd1.com
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
#[appdefaults]
# pam = {
# debug = false
# ticket_lifetime = 36000
# renew_lifetime = 36000
# forwardable = true
# krb4_convert = false
# }
===============================================================================
in pam:d : auth-config
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
auth required /lib/security/$ISA/pam_stack.so service=system-auth
service=system-auth
#auth required /lib/security/pam_securetty.so
#auth required /lib/security/pam_nologin.so
#auth sufficient /lib/security/pam_winbind.so
#auth required /lib/security/pam_pwdb.so
#use_first_pass shadow nullok
#account required /lib/security/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
session required /lib/security/$ISA/pam_permit.so
===============================================================================
in pam.d gdm
#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
###
auth sufficient pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
account required pam_stack.so service=system-auth
###
account sufficient pam_winbind.so
password required pam_stack.so service=system-auth
####
session required /lib/security/pam_mkhomedir.so umask=0022 skel=/etc/skel
session required pam_stack.so service=system-auth
session optional pam_console.so
===============================================================================
in pam.d login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
#####
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so nullok_secure use_first_pass
account required pam_stack.so service=system-auth
#####
account sufficient /lib/security/pam_winbind.so
account sufficient /lib/security/pam_unix.so
#####
password required pam_stack.so service=system-auth
####
password required /lib/security/pam_unix.so nullok obscure min=4 max=50 md5
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open
########
session required /lib/security/pam_unix.so
session required /lib/security/pam_mkhomedir.so umask=0022 skel=/etc/skel
===============================================================================
in pam.d system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
###
auth sufficient /lib/security/pam_winbind.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
###
account sufficient /lib/security/pam_winbind.so
account sufficient /lib/security/pam_unix.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
session optional /lib/security/$ISA/pam_ldap.so
###
session optional /lib/security/pam_winbind.so
More information about the samba
mailing list