[Samba] Winbind 3.0.26a cannot authenticate with ActiveDirectory

Guillermo Gutierrez guillermogutierrezjr at gmail.com
Fri Feb 22 19:52:53 GMT 2008


Something that has worked for me on occasion with the later Samba versions
is to change:

*idmap uid*, and *idmap gid*

to

*winbind uid*, and *winbind gid*

I don't understand why, because the man page says that winbind uid/gid is a
wrapper for idmap uid/gid. But maybe that is why.

I hope it helps.

 - Guillermo Gutierrez

On Fri, Feb 22, 2008 at 11:43 AM, Walter Huf <hufman+samba at gmail.com> wrote:

> I am using Ubuntu Gutsy, which comes with Winbind 3.0.26a. I am using the
> same configuration that worked on Ubuntu Feisty, which uses Winbind 3.0.24.
> Something changed with Winbind, apparently, to break the configuration that
> was working perfectly. How can I fix my configuration to work with the new
> version?
>
> The symptoms are as follows:
> wbinfo -t works
> wbinfo can retrieve a list of users
> wbinfo can look up a user's SID by its username
> wbinfo can look up a user's username by its SID
> ntlm_auth can authenticate a user. I can not use wbinfo to verify this
> because my password has a ! in it. Windows Event Viewer does not show an
> event for this.
> Logging in fails, generating a Windows Event with error code 0xC000006A.
> su username does not work, failing with "Unknown id: username"
>
> The relevant section of smb.conf:
>   workgroup = WORKGROUP
>   realm = WORKGROUP.TLD
>   security = ADS
>   winbind enum groups = yes
>   winbind enum users = yes
>   winbind cache time = 600
>   winbind nested groups = yes
>   winbind nss info = sfu
>   winbind separator = +
>   winbind use default domain = yes
>
>   idmap gid = 500-45000
>   idmap uid = 500-45000
>   idmap backend = ad
>
> nsswitch.conf has the following:
> passwd:         files winbind
> group:          files winbind
>
> Pam configuration:
> auth    requisite       pam_nologin.so debug
> auth    [success=1 default=ignore]    pam_localuser.so debug
> auth    [success=done auth_err=bad]   pam_winbind.so debug
> auth    required        pam_unix.so nullok_secure debug
>
> account sufficient      pam_winbind.so debug
> account required        pam_unix_acct.so debug
>
> Relevant part of auth.log:
> Feb 22 11:25:49 client sshd[4620]: Invalid user username from X.X.X.X
> Feb 22 11:25:49 client sshd[4620]: Failed none for invalid user username from X.X.X.X port 2086 ssh2
> Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): [pamh: 0x8006e940] ENTER: pam_sm_authenticate (flags: 0x0001)
> Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): getting password (0x00000001)
> Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): Verify user 'username'
> Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
> Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): user 'username' denied access (incorrect password or invalid membership)
> Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): [pamh: 0x8006e940] LEAVE: pam_sm_authenticate returning 7
> Feb 22 11:25:49 client sshd[4620]: pam_unix(ssh:auth): check pass; user unknown
> Feb 22 11:25:50 client sshd[4620]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X
> Feb 22 11:25:51 client sshd[4620]: Failed password for invalid user username from X.X.X.X port 2086 ssh2
>
> klist output:
> Default principal: principal at WORKGROUP.TLD
>
> Valid starting     Expires            Service principal
> 02/22/08 10:51:58  02/22/08 20:51:43  krbtgt/WORKGROUP.TLD at WORKGROUP.TLD
>        renew until 02/23/08 10:51:58
> 02/22/08 11:20:58  02/22/08 20:51:43  dc$@WORKGROUP.TLD
>        renew until 02/23/08 10:51:58
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
>
> Does anyone have any ways to fix this serious problem?



-- 
Guillermo Gutierrez
guillermogutierrezjr at gmail.com
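
An added example, not part of either message in this thread: a small Python triage of sshd/pam_winbind lines that separates sessions where the account could not be resolved through NSS (the `Invalid user` case in the quoted log, consistent with `su` reporting "Unknown id") from sessions where a resolvable user was rejected. The log sample is constructed from the quoted excerpt, and session 4711 with user `alice` is invented for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: session 4620 is modelled on the auth.log excerpt quoted
# in the thread; session 4711 (user "alice") is invented for contrast.
SAMPLE_LOG = """\
Feb 22 11:25:49 client sshd[4620]: Invalid user username from X.X.X.X
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
Feb 22 11:25:51 client sshd[4620]: Failed password for invalid user username from X.X.X.X port 2086 ssh2
Feb 22 11:30:02 client sshd[4711]: pam_winbind(ssh:auth): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
Feb 22 11:30:04 client sshd[4711]: Failed password for alice from X.X.X.X port 2090 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID = re.compile(r"^Invalid user (?P<user>\S+) from ")
NT_ERR = re.compile(r"NT error was (?P<status>NT_STATUS_\w+)")
FAILED = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from ")


def classify(log_text):
    """Return {pid: (user, verdict)} for every sshd session that failed."""
    new = lambda: {"user": None, "invalid": False, "nt": None, "failed": False}
    sessions = defaultdict(new)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        if (inv := INVALID.match(msg)):
            s["invalid"], s["user"] = True, inv["user"]
        elif (nt := NT_ERR.search(msg)):
            s["nt"] = nt["status"]
        elif (f := FAILED.match(msg)):
            s["failed"], s["user"] = True, f["user"]
    result = {}
    for pid, s in sessions.items():
        if not s["failed"]:
            continue
        if s["invalid"]:
            # sshd could not resolve the account via NSS (winbind/idmap layer).
            # OpenSSH then hands PAM a dummy password, so the WRONG_PASSWORD
            # status that follows says nothing about the password typed.
            verdict = "nss-lookup-failed"
        else:
            verdict = "auth-rejected:" + (s["nt"] or "unknown")
        result[pid] = (s["user"], verdict)
    return result


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

A `nss-lookup-failed` verdict points at `getent passwd username` and the idmap range/backend settings rather than at the password or the PAM stack.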

