[Samba] Can't authenticate, from a linux client, against a samba PDC/tdbsam
orlando carvalho
carlos.om.carvalho at gmail.com
Fri Feb 2 16:30:05 GMT 2007
Hi all,
Since September 2006, I've been using a samba PDC (3.0.20) with tdbsam, to
authenticate the users of a school network (90 XP boxes). All the users are
able to log in to the network from XP boxes.
Recently, I've installed a samba client (K12LTSP) in the domain, but I have
a problem getting the linux client to authenticate against the Samba PDC. After
setting up all the config files (smb.conf, nsswitch, system-auth/pam and
pam_mount.conf) and starting all services, I can't log in. The error message is
"Account disabled by the administrator". This happens with all accounts.
When I try to log on to the linux client machine with a username and
password stored in samba I get the following in /var/log/messages:
==> messages <==
Jan 31 17:41:38 ltspserver1 nmbd[2954]:
Jan 31 17:41:38 ltspserver1 nmbd[2954]: *****
Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' OK
Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' granted access
Jan 31 17:42:29 ltspserver1 gdm[3740]: session_child_run: Utilizador não autorizado a iniciar sessão
Jan 31 17:59:44 ltspserver1 restorecond: Reset file context /etc/mtab:
system_u:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
Jan 31 18:00:18 ltspserver1 pam_winbind[3832]: user 'p1012' OK
Jan 31 18:00:18 ltspserver1 pam_winbind[3832]: user 'p1012' granted access
Jan 31 18:00:18 ltspserver1 gdm[3846]: session_child_run: Utilizador não autorizado a iniciar sessão
Jan 31 18:08:28 ws253.ltsp -- MARK --
TRANSLATION of "Utilizador não autorizado a iniciar sessão": User not
allowed to start session
On the Samba PDC, the command pdbedit -Lv p1012 prints:
Unix username: p1012
NT username:
Account Flags: [UX ]
User SID: S-1-5-21-3881466999-1126814743-3210567677-7692
Primary Group SID: S-1-5-21-3881466999-1126814743-3210567677-2113
Full Name: Carlos Carvalho
Home Directory: \\servlinux\p1012
HomeDir Drive: X:
Logon Script: logon.bat
Profile Path:
Domain: ESCOLA
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
Password last set: Thu, 04 Jan 2007 18:00:11 GMT
Password can change: Thu, 04 Jan 2007 18:00:11 GMT
Password must change: Tue, 19 Jan 2038 03:14:07 GMT
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
All the following commands succeeded:
wbinfo -u
wbinfo -g
wbinfo -t
getent passwd
My config files are:
SMB.CONF (SAMBA PDC):
[global]
unix charset = iso8859-1
display charset = cp850
workgroup = ESCOLA
server string = Samba Server
passdb backend = tdbsam
passwd chat = *new*password* %n\n re-enter*new*password* %n\n password*changed*
username map = /etc/samba/smbusers
log level = 2 auth
syslog = 0
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = wins bcast hosts
time server = Yes
printcap name = cups
show add printer wizard = No
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
logon script = logon.bat
logon path =
logon drive = X:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
admin users = root
veto oplock files = /*.doc/*.xls/*.mdb/
[homes]
comment = Home Directories - %p
valid users = %S
read only = No
browseable = No
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No
[netlogon]
comment = Network Logon Service
path = /home/netlogon/%u
read only = No
browseable = No
[software]
comment = Instalacao de SW
path = /apps/programas
create mode = 770
directory mode = 770
valid users = root @ti
admin users = p650 p1012 p894
writeable = yes
browseable = no
[professores]
comment = Ficheiros para professores
path = /apps/professores
create mode = 770
directory mode = 770
valid users = root @professores
admin users = p650 p1012 p894
writeable = yes
browseable = no
[administracao]
comment = Programas de Gestao
path = /apps/administracao
create mode = 775
directory mode = 775
valid users = root @professores @t1213
admin users = p894 p774 p140
writeable = yes
browseable = no
[software_livre]
comment = Software Livre
path = /dados/livre
create mode = 777
directory mode = 777
valid users = root @professores @alunos @formacao
admin users = p1012 p755 p650 p894
writeable = yes
browseable = yes
SMB.CONF (LINUX CLIENT):
[global]
workgroup = ESCOLA
security = domain
log file = /var/log/samba/%m.log
max log size = 50
wins server = 192.168.1.10
password server = 192.168.1.10
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/false
winbind use default domain = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
SYSTEM-AUTH (LINUX CLIENT):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_mount.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_smb_auth.so use_first_pass nolocal
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_mkhomedir.so skel=/etc/skel umask 0022
session optional pam_mount.so use_first_pass
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
PAM_MOUNT (LINUX CLIENT):
debug 0
mkmountpoint 1
fsckloop /dev/loop7
options_allow nosuid,nodev,loop,encryption
options_require nosuid,nodev
lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKTARGET)
losetup /sbin/losetup -p0 "%(before=\"-e \" CIPHER)" "%(before=\"-k \" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbmount /bin/mount -t smbfs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /bin/mount -t ncpfs %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
umount /bin/umount %(MNTPT)
lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o \" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount %(SERVER):%(VOLUME) "%(MNTPT)%(before=\"-o \" OPTIONS)"
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)
volume * smb 192.168.1.10 & /home/&/online uid=&,dmask=0570 - -
I've made tests with k12ltsp 5.0/k12ltsp 6.0 and Samba 3.0.23c/Samba
3.0.23d without success. Before testing, I installed all the updates
available.
Almost everything is working well and the system is able to create the users'
home directories with pam_mkhomedir.so skel=/etc/skel umask 0022.
I tried the commands <<smbpasswd -e p1012>> and <<pdbedit -r -c "[X ]"
p1012>> without success.
Meanwhile, I successfully joined a Fedora Core 4 linux client.
I need an easy way to deploy terminals, so could you help me find the
correct way to solve my problem?
Thank You,
Carlos Carvalho
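The logs above show pam_winbind granting access while gdm refuses the session, which separates the PAM stack from whatever check follows it. The script below is an added example, not code from the original post, that isolates the pieces the post describes: the Account Flags from pdbedit -Lv, the client's winbind template shell, and whether that shell is listed in /etc/shells. It assumes (not stated in the post) that the display manager, like login(1), accepts only shells listed in /etc/shells; verify that against your gdm version.

```shell
#!/bin/sh
# Added example, not from the original post: separate the places where a winbind
# domain login to a Linux client can be refused, so that a PAM "granted access"
# followed by a display-manager refusal can be told apart from a disabled account.
# Assumption (not stated in the post): the display manager, like login(1),
# accepts only shells listed in /etc/shells; an unlisted shell such as
# winbind's default template shell /bin/false is refused after PAM succeeds.

# Read `pdbedit -Lv <user>` output on stdin; return 0 if the Account Flags
# field carries D (disabled), 1 otherwise. U=user, X=no expiry, L=locked out.
account_disabled() {
    awk -F: '/^Account Flags/ { f = $2; gsub(/[^A-Za-z]/, "", f)
                                if (index(f, "D")) d = 1 }
             END { exit (d ? 0 : 1) }'
}

# Return 0 if the shell is listed (whole-line match) in the shells file.
shell_permitted() {
    grep -qxF -- "$1" "$2"
}

# Print the "template shell" value of a client smb.conf; /bin/false is
# winbind's own default when the key is absent.
template_shell() {
    awk -F= 'tolower($1) ~ /^[ \t]*template shell[ \t]*$/ {
                 v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; found = 1 }
             END { if (!found) print "/bin/false" }' "$1"
}

# Combine the checks for one user.
# usage: login_report <file with pdbedit -Lv output> <client smb.conf> [shells file]
login_report() {
    _pdb=$1; _conf=$2; _shells=${3:-/etc/shells}
    if account_disabled < "$_pdb"; then
        echo "PDC: account flags contain D; re-enable with smbpasswd -e <user>"
    else
        echo "PDC: account is enabled (no D flag)"
    fi
    _sh=$(template_shell "$_conf")
    if shell_permitted "$_sh" "$_shells"; then
        echo "client: template shell $_sh is listed in $_shells"
    else
        echo "client: template shell $_sh is not in $_shells;" \
             "a login manager honouring that file refuses the session after PAM succeeds"
    fi
}

# Stand-alone invocation; skipped when the file is run without arguments.
if [ $# -eq 2 ] || [ $# -eq 3 ]; then
    login_report "$@"
fi
```

Run it as `sh check.sh pdbedit-output.txt /etc/samba/smb.conf` on the client; the pdbedit output is captured on the PDC and copied over.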