[Samba] winbind, ads, win2k3, trusted domains, user mapping [UPDATED]

Linux Addict linuxaddict7 at gmail.com
Thu May 22 18:42:28 GMT 2008


On Thu, May 22, 2008 at 2:25 PM, Jason Gerfen <jason.gerfen at scl.utah.edu> wrote:
> Forget my pam stack data
>
> auth       required     pam_env.so
> auth       sufficient   pam_winbind.so
> auth       sufficient   pam_unix.so try_first_pass likeauth nullok
> auth       sufficient   pam_krb5.so use_first_pass
> auth       required     pam_deny.so
>
> account    required     pam_unix.so
> account    sufficient   pam_krb5.so ignore_root
> account    sufficient   pam_winbind.so
>
> password   optional     pam_krb5.so
> password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
> password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password   required     pam_deny.so
>
> session    required     pam_mkhomedir.so umask=0000 skel=/etc/skel/ silent
> session    required     pam_limits.so
> session    required     pam_unix.so
> session    optional     pam_krb5.so
>
>
> Linux Addict wrote:
>>
>> On Thu, May 22, 2008 at 2:03 PM, Jason Gerfen <jason.gerfen at scl.utah.edu>
>> wrote:
>>>
>>> UPDATE
>>> Jason Gerfen wrote:
>>>>
>>>> I have been reading everything I can regarding this setup but am having a
>>>> problem that I am unsure of.
>>>>
>>>> I am unable to authenticate any user despite the following commands
>>>> working:
>>>> %> getent passwd <username>
>>>> %> wbinfo -u
>>>> %> wbinfo -g
>>>>
>>>> With the getent passwd I am able to see all of my UID/GID being mapped
>>>> via
>>>> winbind to the rid of the domain user account.
>>>>
>>>> This command fails:
>>>> %> wbinfo -i <username>
>>>
>>> This command works
>>> %> wbinfo --krb5auth=smb%password
>>>
>>> From a windows machine this fails
>>> %> net use x: \\server.domain.com\share /user:smb
>>>
>>>> And in the log files when attempting to authenticate against this
>>>> machine
>>>> by mapping a share the following is seen in the log files:
>>>> check_ntlm_password:  Checking password for unmapped user
>>>> [server.domain.edu]\[username]@[DC] with the new password interface
>>>>
>>>> This is inaccurate as with a krb5 tgt the correct line should look like:
>>>> check_ntlm_password:  Checking password for unmapped user
>>>> [server.domain.edu]\[username]@[REALM.EDU] with the new password
>>>> interface
>>>>
>>>> Unless I am missing something I believe my configuration shown below is
>>>> accurate and as of yet I have not received any real answer to this
>>>> problem.
>>>>
>>>> Any help is appreciated.
>>>>
>>>> Here is my smb.conf
>>>> [global]
>>>>       workgroup = scl
>>>>       realm = SCL.DOMAIN.EDU
>>>>       server string = valhalla.scl.domain.edu
>>>>       netbios name = valhalla
>>>>
>>>>       password server = *
>>>>       encrypt passwords = true
>>>>       security = ads
>>>>
>>>>       os level = 20
>>>>
>>>>       allow trusted domains = no
>>>>
>>>>       ldap ssl = no
>>>>
>>>>       idmap uid = 5000-2000000
>>>>       idmap gid = 5000-2000000
>>>>       idmap domains = SCL
>>>>
>>>>       interfaces = eth0, lo
>>>>       bind interfaces only = yes
>>>>
>>>>       log level = 20
>>>>       log file = /var/log/samba3/log.%m
>>>>       max log size = 50
>>>>
>>>>       client signing = yes
>>>>       client schannel = no
>>>>       client use spnego = yes
>>>>
>>>>       preferred master = no
>>>>       local master = no
>>>>       domain master = no
>>>>       wins proxy = no
>>>>       dns proxy = No
>>>>
>>>>       template shell = /bin/bash
>>>>       nt acl support = yes
>>>>       create mask = 0775
>>>>       template homedir = /home/%U
>>>>
>>>>       winbind uid = 500-2000000
>>>>       winbind gid = 500-2000000
>>>>       winbind separator = +
>>>>       winbind enum users = yes
>>>>       winbind enum groups = yes
>>>>       winbind nested groups = yes
>>>>       winbind use default domain = yes
>>>>       winbind offline logon = true
>>>>
>>>>       printcap name = cups
>>>>       printing = cups
>>>>       load printers = yes
>>>>       cups options = raw
>>>>       print command =
>>>>       lpq command = %p
>>>>       lprm command =
>>>>
>>>> [test]
>>>>       comment = testing
>>>>       browsable = yes
>>>>       read only = yes
>>>>       create mode = 0644
>>>>       path = /home/jason
>>>>
>>>> Here is my krb5.conf
>>>> [libdefaults]
>>>>       default_realm = UTAH.EDU
>>>>
>>>> [realms]
>>>>       UTAH.EDU = {
>>>>               kdc = 155.99.1.95
>>>>       }
>>>>
>>>> [domain_realm]
>>>>       .utah.edu = DOMAIN.EDU
>>>>       DOMAIN.EDU = DOMAIN.EDU
>>>>       scl.DOMAIN.EDU = DOMAIN.EDU
>>>>
>>>> [logging]
>>>>       default = FILE:/var/log/krb5.log
>>>>
>>>> [appdefaults]
>>>>       pam = {
>>>>               ticket_lifetime = 365d
>>>>               renew_lifetime = 365d
>>>>               forwardable = true
>>>>               proxiable = false
>>>>               retain_after_close = true
>>>>               minimum_uid = 0
>>>>       }
>>>>
>>>> The nsswitch.conf file:
>>>> passwd:      compat winbind
>>>> shadow:      compat
>>>> group:       compat winbind
>>>>
>>>> # passwd:    db files nis
>>>> # shadow:    db files nis
>>>> # group:     db files nis
>>>>
>>>> hosts:       files dns wins
>>>> networks:    files
>>>>
>>>> services:    db files
>>>> protocols:   db files
>>>> rpc:         db files
>>>> ethers:      db files
>>>> netmasks:    files
>>>> netgroup:    files
>>>> bootparams:  files
>>>>
>>>> automount:   files
>>>> aliases:     files
>>>>
>>>>
>>>
>>> --
>>> Jas
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>>
>>
>> Have you checked your PAM configuration? What do you see on
>> /var/log/secure?
>

1. Did you try su and ssh? What is the result?
2. Remove the *.tdb files in /var/lib/samba and restart winbind.
There may be corruption.
3. Does kinit get a ticket?

I suggest you make su or ssh work first, then start with smb. Also
check /var/log/secure as it should log anything related to
authentication.

Your pam configuration looks good. If your krb is configured correctly,
then winbind.so entries are not really required.

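One thing worth checking before touching the tdb files is whether the two configs agree with each other: the posted smb.conf sets realm = SCL.DOMAIN.EDU while the posted krb5.conf sets default_realm = UTAH.EDU and maps hosts to DOMAIN.EDU. The script below is an added example (not from the thread or from Samba) that parses fragments constructed after those configs and reports such realm inconsistencies, plus a missing [logging] section; the parser is a minimal one written for this example and only reads top-level keys.

```python
# Constructed config fragments modelled on the thread (not the poster's real files).
SMB_CONF = """[global]
    realm = SCL.DOMAIN.EDU
"""
KRB5_CONF = """[libdefaults]
    default_realm = UTAH.EDU
[realms]
    UTAH.EDU = {
        kdc = 155.99.1.95
    }
[domain_realm]
    .utah.edu = DOMAIN.EDU
    scl.DOMAIN.EDU = DOMAIN.EDU
[loggin]
    default = FILE:/var/log/krb5.log
"""

def parse_ini(text):
    """Parse smb.conf/krb5.conf text into {section: {key: value}}; keys inside krb5.conf '{ ... }' blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()        # drop comments and whitespace
        if depth == 0 and line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif line.endswith('{'):                    # enter a nested krb5 block
            depth += 1
        elif line == '}':
            depth -= 1
        elif depth == 0 and current is not None and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            sections[current][key] = value
    return sections

def realm_findings(smb_text, krb5_text):
    """Return realm-related inconsistencies between the two files (empty list = consistent)."""
    smb, krb = parse_ini(smb_text), parse_ini(krb5_text)
    realm = smb.get('global', {}).get('realm', '').upper()
    default_realm = krb.get('libdefaults', {}).get('default_realm', '').upper()
    mapped = {v.upper() for v in krb.get('domain_realm', {}).values()}
    findings = []
    if realm and realm != default_realm:
        findings.append(f"realm mismatch: smb.conf {realm} vs krb5.conf default_realm {default_realm}")
    if realm and realm not in mapped:
        findings.append(f"no [domain_realm] entry maps any host to {realm}")
    if 'logging' not in krb:
        findings.append("krb5.conf has no [logging] section (misspelt header?)")
    return findings

print(*realm_findings(SMB_CONF, KRB5_CONF), sep="\n")
```

Against the constructed fragments it reports three findings; a consistent pair returns an empty list.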
