[Samba] winbind, ads, win2k3, trusted domains, user mapping [UPDATED]
Linux Addict
linuxaddict7 at gmail.com
Thu May 22 18:01:31 GMT 2008
On Thu, May 22, 2008 at 2:03 PM, Jason Gerfen <jason.gerfen at scl.utah.edu> wrote:
> UPDATE
> Jason Gerfen wrote:
>>
>> I have been reading everything I can regarding this setup but am having a
>> problem that I am unsure of.
>>
>> I am unable to authenticate any user despite the following commands
>> working:
>> %> getent passwd <username>
>> %> wbinfo -u
>> %> wbinfo -g
>>
>> With the getent passwd I am able to see all of my UID/GID being mapped via
>> winbind to the rid of the domain user account.
>>
>> This command fails:
>> %> wbinfo -i <username>
>
> This command works
> %> wbinfo --krb5auth=smb%password
>
> From a windows machine this fails
> %> net use x: \\server.domain.com\share /user:smb
>
>>
>> And in the log files when attempting to authenticate against this machine
>> by mapping a share the following is seen in the log files:
>> check_ntlm_password: Checking password for unmapped user
>> [server.domain.edu]\[username]@[DC] with the new password interface
>>
>> This is inaccurate as with a krb5 tgt the correct line should look like:
>> check_ntlm_password: Checking password for unmapped user
>> [server.domain.edu]\[username]@[REALM.EDU] with the new password interface
>>
>> Unless I am missing something I believe my configuration shown below is
>> accurate and as of yet I have not received any real answer to this problem.
>>
>> Any help is appreciated.
>>
>> Here is my smb.conf
>> [global]
>> workgroup = scl
>> realm = SCL.DOMAIN.EDU
>> server string = valhalla.scl.domain.edu
>> netbios name = valhalla
>>
>> password server = *
>> encrypt passwords = true
>> security = ads
>>
>> os level = 20
>>
>> allow trusted domains = no
>>
>> ldap ssl = no
>>
>> idmap uid = 5000-2000000
>> idmap gid = 5000-2000000
>> idmap domains = SCL
>>
>> interfaces = eth0, lo
>> bind interfaces only = yes
>>
>> log level = 20
>> log file = /var/log/samba3/log.%m
>> max log size = 50
>>
>> client signing = yes
>> client schannel = no
>> client use spnego = yes
>>
>> preferred master = no
>> local master = no
>> domain master = no
>> wins proxy = no
>> dns proxy = No
>>
>> template shell = /bin/bash
>> nt acl support = yes
>> create mask = 0775
>> template homedir = /home/%U
>>
>> winbind uid = 500-2000000
>> winbind gid = 500-2000000
>> winbind separator = +
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind nested groups = yes
>> winbind use default domain = yes
>> winbind offline logon = true
>>
>> printcap name = cups
>> printing = cups
>> load printers = yes
>> cups options = raw
>> print command =
>> lpq command = %p
>> lprm command =
>>
>> [test]
>> comment = testing
>> browsable = yes
>> read only = yes
>> create mode = 0644
>> path = /home/jason
>>
>> Here is my krb5.conf
>> [libdefaults]
>> default_realm = UTAH.EDU
>>
>> [realms]
>> UTAH.EDU = {
>> kdc = 155.99.1.95
>> }
>>
>> [domain_realm]
>> .utah.edu = DOMAIN.EDU
>> DOMAIN.EDU = DOMAIN.EDU
>> scl.DOMAIN.EDU = DOMAIN.EDU
>>
>> [loggin]
>> default = FILE:/var/log/krb5.log
>>
>> [appdefaults]
>> pam = {
>> ticket_lifetime = 365d
>> renew_lifetime = 365d
>> forwardable = true
>> proxiable = false
>> retain_after_close = true
>> minimum_uid = 0
>> }
>>
>> The nsswitch.conf file:
>> passwd: compat winbind
>> shadow: compat
>> group: compat winbind
>>
>> # passwd: db files nis
>> # shadow: db files nis
>> # group: db files nis
>>
>> hosts: files dns wins
>> networks: files
>>
>> services: db files
>> protocols: db files
>> rpc: db files
>> ethers: db files
>> netmasks: files
>> netgroup: files
>> bootparams: files
>>
>> automount: files
>> aliases: files
>>
>>
>
>
> --
> Jas
Have you checked your PAM configuration? What do you see on /var/log/secure?
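
Added example, not part of the original thread: a consistency check between smb.conf [global] and krb5.conf of the kind posted above, covering the realm settings, krb5.conf section names, and the idmap/winbind uid and gid synonyms. The function names and the list of accepted section names are assumptions made for this example; the sample input is trimmed from the files quoted in the post.

```python
import re

# Common krb5.conf section names (assumption: extend for your Kerberos flavour).
KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                 "appdefaults", "plugins", "logging", "login"}

def parse_sections(text):
    """Return {section: [(key, value), ...]} for smb.conf / krb5.conf style text."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current.append((" ".join(key.lower().split()), value.strip()))
    return sections

def check(smb_text, krb_text):
    """List inconsistencies between smb.conf [global] and krb5.conf."""
    smb = dict(parse_sections(smb_text).get("global", []))
    krb = parse_sections(krb_text)
    realm = smb.get("realm", "").upper()
    default = dict(krb.get("libdefaults", [])).get("default_realm", "").upper()
    realms = {k.upper() for k, v in krb.get("realms", []) if v.startswith("{")}
    findings = []
    if realm and realm != default:
        findings.append(f"smb.conf realm {realm} differs from default_realm {default}")
    if realm and realm not in realms:
        findings.append(f"no [realms] entry for {realm}")
    findings += [f"unrecognised krb5.conf section [{s}]"
                 for s in sorted(set(krb) - KRB5_SECTIONS)]
    # "winbind uid/gid" are older synonyms of "idmap uid/gid" in Samba 3.
    for new, old in (("idmap uid", "winbind uid"), ("idmap gid", "winbind gid")):
        if new in smb and old in smb and smb[new] != smb[old]:
            findings.append(f"{new} = {smb[new]} conflicts with {old} = {smb[old]}")
    return findings

# Constructed input: lines trimmed from the files posted in this thread.
SAMPLE_SMB = """[global]
realm = SCL.DOMAIN.EDU
idmap uid = 5000-2000000
winbind uid = 500-2000000
"""
SAMPLE_KRB5 = """[libdefaults]
default_realm = UTAH.EDU
[realms]
UTAH.EDU = {
}
[loggin]
"""
if __name__ == "__main__":
    print("\n".join(check(SAMPLE_SMB, SAMPLE_KRB5)))
```

The host and realm names in the post appear to have been partly replaced with DOMAIN.EDU, so the two realm findings may reflect that substitution; run the check against the real files on the server.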