[Samba] Kerberos and PAM

M Azer azermina at gmail.com
Sat Jan 6 18:16:10 GMT 2007


Thank you all for your replies. I have read the Samba docs and followed them
to the letter. I have supplied my configurations; please let me know if I am
missing anything.

*smb.conf*
[global]
workgroup = CAD
netbios name = itbox
hosts allow = 192.168.1. 192.168.0. 127.
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
security = ADS
realm = CAD.TESTDOMAIN
password server = vdc2.CAD.TESTDOMAIN
encrypt passwords = yes
log file = /var/log/samba/%m.log
log level = 10
max log size= 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
directory mask = 0700
create mask = 0700

[data]
comment = Doc Samba Server
path = /data
read only = yes
guest only = yes


*nsswitch.conf*
passwd: files winbind
shadow: files winbind
group: files winbind

*krb5.conf*
[libdefaults]
default_realm = CAD.TESTDOMAIN

[realms]
CAD.TESTDOMAIN = {
kdc = vdc2.cad.testdomain
}

[domain_realms]
.kerberos.server = CAD.TESTDOMAIN


*pam.d/login*
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so

*pam.d/samba*
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth

[mina at itbox pam.d]$ wbinfo -t
checking the trust secret via RPC calls succeeded

[mina at itbox pam.d]$ wbinfo -m
itbox
CAD

[mina at itbox pam.d]$ getent passwd admin_mina
admin_mina:*:10001:10002:admin mina:/home/CAD/admin_mina:/bin/bash


[root at itbox pam.d]# /usr/bin/net ads join -Uadministrator
administrator's password:
Using short domain name -- CAD
Joined 'ITBOX' to realm 'CAD.TESTDOMAIN'

wbinfo -u and wbinfo -g both work fine.

ps aux | grep winbind
root 2965 0.0 0.3 10188 2848 ? Ss Jan05 0:00 winbindd
root 2966 0.0 0.4 10676 3292 ? S Jan05 0:00 winbindd

smbclient -L itbox
Password:
session setup failed: NT_STATUS_LOGON_FAILURE


When I use an XP client machine to log in I see the shares, data and home
directory. I am able to open data; however, when I click on the home directory
the Windows logon screen comes up requesting a username and password, and it
always says wrong username and password, please try again.

Any help will be appreciated.

On 1/5/07, kk <c_kitu at yahoo.co.in> wrote:
>
> Refer this :
> http://kbase.redhat.com/faq/FAQ_85_5787.shtm
>
>
> Regards,
> Kaustubh
> --- M Azer <azermina at gmail.com> wrote:
>
> > I am new to Samba. I followed the docs on samba.com to configure Samba as a
> > "domain member", security = domain, and to use winbind to authenticate
> > users against Windows 2003 AD. Well, my question is: the steps mentioned the
> > use of PAM to do the authentication against the AD but it doesn't work. Do
> > I also need to configure Kerberos for this type of installation?
> >
> > [root at itbox john]# smbclient -L testbox
> > Password:
> > session setup failed: *NT_STATUS_LOGON_FAILURE*
> >
> > Client machines (XP Pro) are able to browse the network and get to see my
> > share (user share); however, when I double-click it I get a login asking
> > for the user name and password.
> >
> > smb.conf:
> > [global]
> > workgroup = CAD
> > netbios name = itbox
> > security = DOMAIN
> > encrypt passwords = yes
> > winbind separator = +
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > [homes]
> > comment = Home Directories
> > valid users = %S
> > read only = No
> > browseable = No
> >
> > pam.d/samba
> > #%PAM-1.0
> > auth required pam_nologin.so
> > auth required pam_stack.so service=system-auth
> > auth required pam_winbind.so
> > account required pam_winbind.so
> > account required pam_stack.so service=system-auth
> > session required pam_mkhomedir.so skel=/etc/samba/skel umask=0022
> > session required pam_stack.so service=system-auth
> > password required pam_stack.so service=system-auth
> >
>
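The smb.conf and krb5.conf quoted in this thread can be cross-checked mechanically. The following is an added example, not code from the thread or from Samba: it parses both files (the post's values are embedded as constructed input) and reports the realm-related inconsistencies an ADS domain member needs resolved, assuming the AD DNS domain is the realm name in lower case.

```python
# Constructed input: the smb.conf and krb5.conf values quoted in the post above.
SMB_CONF = """[global]
realm = CAD.TESTDOMAIN
security = ADS
log level = 10
"""
KRB5_CONF = """[libdefaults]
default_realm = CAD.TESTDOMAIN
[realms]
CAD.TESTDOMAIN = {
kdc = vdc2.cad.testdomain
}
[domain_realms]
.kerberos.server = CAD.TESTDOMAIN
"""

def parse_ini(text):
    """Parse smb.conf/krb5.conf text into {section: {key: value}}; names are lower-cased and krb5 'NAME = { ... }' blocks flatten to 'name.key'."""
    sections, section, prefix = {}, None, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, prefix = line[1:-1].lower(), ""
            sections.setdefault(section, {})
        elif line == "}":
            prefix = ""
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                prefix = key + "."  # start of a nested realm block
            else:
                sections[section][(prefix + key).lower()] = value
    return sections

def check_configs(smb, krb5):
    """Return (code, message) findings for a Samba ADS member's Kerberos settings."""
    findings, g = [], smb.get("global", {})
    realm = g.get("realm", "")
    if realm != krb5.get("libdefaults", {}).get("default_realm"):
        findings.append(("REALM_MISMATCH", "smb.conf realm differs from krb5 default_realm"))
    if "domain_realms" in krb5 and "domain_realm" not in krb5:
        findings.append(("DOMAIN_REALM_SECTION", "the krb5.conf section is [domain_realm], not [domain_realms]"))
    mapping = krb5.get("domain_realm", krb5.get("domain_realms", {}))
    if "." + realm.lower() not in mapping:  # assumption: DNS domain == realm lower-cased
        findings.append(("DOMAIN_REALM_MAPPING", f"no [domain_realm] entry maps .{realm.lower()} to {realm}"))
    if int(g.get("log level", "0").split()[0]) >= 10:
        findings.append(("LOG_LEVEL_DEBUG", "log level 10 is full debug output; lower it once the problem is found"))
    return findings
```

Run `check_configs(parse_ini(SMB_CONF), parse_ini(KRB5_CONF))` to list the findings for the posted files; an empty list means the checks pass.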