[Samba] winbind, ads, win2k3, trusted domains, user mapping [UPDATED]
Linux Addict
linuxaddict7 at gmail.com
Thu May 22 18:42:28 GMT 2008
On Thu, May 22, 2008 at 2:25 PM, Jason Gerfen <jason.gerfen at scl.utah.edu> wrote:
> Forget my pam stack data
>
> auth required pam_env.so
> auth sufficient pam_winbind.so
> auth sufficient pam_unix.so try_first_pass likeauth nullok
> auth sufficient pam_krb5.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_krb5.so ignore_root
> account sufficient pam_winbind.so
>
> password optional pam_krb5.so
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
> password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password required pam_deny.so
>
> session required pam_mkhomedir.so umask=0000 skel=/etc/skel/ silent
> session required pam_limits.so
> session required pam_unix.so
> session optional pam_krb5.so
>
>
> Linux Addict wrote:
>>
>> On Thu, May 22, 2008 at 2:03 PM, Jason Gerfen <jason.gerfen at scl.utah.edu>
>> wrote:
>>>
>>> UPDATE
>>> Jason Gerfen wrote:
>>>>
>>>> I have been reading everything I can regarding this setup but am having a
>>>> problem that I am unsure of.
>>>>
>>>> I am unable to authenticate any user despite the following commands
>>>> working:
>>>> %> getent passwd <username>
>>>> %> wbinfo -u
>>>> %> wbinfo -g
>>>>
>>>> With the getent passwd I am able to see all of my UID/GID being mapped
>>>> via winbind to the rid of the domain user account.
>>>>
>>>> This command fails:
>>>> %> wbinfo -i <username>
>>>
>>> This command works
>>> %> wbinfo --krb5auth=smb%password
>>>
>>> From a windows machine this fails
>>> %> net use x: \\server.domain.com\share /user:smb
>>>
>>>> And in the log files when attempting to authenticate against this
>>>> machine by mapping a share the following is seen in the log files:
>>>> check_ntlm_password: Checking password for unmapped user
>>>> [server.domain.edu]\[username]@[DC] with the new password interface
>>>>
>>>> This is inaccurate, as with a krb5 tgt the correct line should look like:
>>>> check_ntlm_password: Checking password for unmapped user
>>>> [server.domain.edu]\[username]@[REALM.EDU] with the new password
>>>> interface
>>>>
>>>> Unless I am missing something I believe my configuration shown below is
>>>> accurate and as of yet I have not received any real answer to this
>>>> problem.
>>>>
>>>> Any help is appreciated.
>>>>
>>>> Here is my smb.conf
>>>> [global]
>>>> workgroup = scl
>>>> realm = SCL.DOMAIN.EDU
>>>> server string = valhalla.scl.domain.edu
>>>> netbios name = valhalla
>>>>
>>>> password server = *
>>>> encrypt passwords = true
>>>> security = ads
>>>>
>>>> os level = 20
>>>>
>>>> allow trusted domains = no
>>>>
>>>> ldap ssl = no
>>>>
>>>> idmap uid = 5000-2000000
>>>> idmap gid = 5000-2000000
>>>> idmap domains = SCL
>>>>
>>>> interfaces = eth0, lo
>>>> bind interfaces only = yes
>>>>
>>>> log level = 20
>>>> log file = /var/log/samba3/log.%m
>>>> max log size = 50
>>>>
>>>> client signing = yes
>>>> client schannel = no
>>>> client use spnego = yes
>>>>
>>>> preferred master = no
>>>> local master = no
>>>> domain master = no
>>>> wins proxy = no
>>>> dns proxy = No
>>>>
>>>> template shell = /bin/bash
>>>> nt acl support = yes
>>>> create mask = 0775
>>>> template homedir = /home/%U
>>>>
>>>> winbind uid = 500-2000000
>>>> winbind gid = 500-2000000
>>>> winbind separator = +
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind nested groups = yes
>>>> winbind use default domain = yes
>>>> winbind offline logon = true
>>>>
>>>> printcap name = cups
>>>> printing = cups
>>>> load printers = yes
>>>> cups options = raw
>>>> print command =
>>>> lpq command = %p
>>>> lprm command =
>>>>
>>>> [test]
>>>> comment = testing
>>>> browsable = yes
>>>> read only = yes
>>>> create mode = 0644
>>>> path = /home/jason
>>>>
>>>> Here is my krb5.conf
>>>> [libdefaults]
>>>> default_realm = UTAH.EDU
>>>>
>>>> [realms]
>>>> UTAH.EDU = {
>>>> kdc = 155.99.1.95
>>>> }
>>>>
>>>> [domain_realm]
>>>> .utah.edu = DOMAIN.EDU
>>>> DOMAIN.EDU = DOMAIN.EDU
>>>> scl.DOMAIN.EDU = DOMAIN.EDU
>>>>
>>>> [loggin]
>>>> default = FILE:/var/log/krb5.log
>>>>
>>>> [appdefaults]
>>>> pam = {
>>>> ticket_lifetime = 365d
>>>> renew_lifetime = 365d
>>>> forwardable = true
>>>> proxiable = false
>>>> retain_after_close = true
>>>> minimum_uid = 0
>>>> }
>>>>
>>>> The nsswitch.conf file:
>>>> passwd: compat winbind
>>>> shadow: compat
>>>> group: compat winbind
>>>>
>>>> # passwd: db files nis
>>>> # shadow: db files nis
>>>> # group: db files nis
>>>>
>>>> hosts: files dns wins
>>>> networks: files
>>>>
>>>> services: db files
>>>> protocols: db files
>>>> rpc: db files
>>>> ethers: db files
>>>> netmasks: files
>>>> netgroup: files
>>>> bootparams: files
>>>>
>>>> automount: files
>>>> aliases: files
>>>>
>>>>
>>>
>>> --
>>> Jas
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/listinfo/samba
>>>
>>
>> Have you checked your PAM configuration? What do you see on
>> /var/log/secure?
>
>
> --
> Jas
>
1. Did you try su and ssh? What is the result?
2. Remove the *.tdb files on /var/lib/samba and restart winbind.
There may be corruption.
3. Does kinit get a ticket?
I suggest you make su or ssh work first, then start with smb. Also
check /var/log/secure as it should log anything related to
authentication.
Your pam configuration looks good. If your krb is configured correctly,
then the winbind.so entries are not really required.
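A small consistency check, added here as an example and not part of the thread, that cross-reads an ADS member's smb.conf against its krb5.conf the way a reviewer of the configs above would: it flags a realm that differs from krb5's default_realm, an old "winbind uid/gid" range that conflicts with "idmap uid/gid", and a misspelled krb5.conf section that would be silently ignored. The sample configs are constructed, reduced from the ones quoted in this thread, with a placeholder kdc host.

```python
import re
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*([^=#;{}]+?)\s*=\s*(.*?)\s*$")

def parse_conf(text):
    """Minimal smb.conf/krb5.conf reader -> {section: {key: value}}; sections and
    keys are lowercased and krb5 '{' / '}' block lines are skipped."""
    conf, section = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        m = KV_RE.match(line)
        if m and section is not None and m.group(2) != "{":
            conf[section][m.group(1).strip().lower()] = m.group(2)
    return conf

KNOWN_KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "logging",
                       "appdefaults", "capaths", "plugins", "dbmodules"}

def lint(smb_text, krb5_text):
    """Cross-check an ADS member's smb.conf against its krb5.conf; returns findings."""
    g = parse_conf(smb_text).get("global", {})
    krb5, findings = parse_conf(krb5_text), []
    realm = g.get("realm", "").upper()
    if g.get("security", "").lower() == "ads" and not realm:
        findings.append("security = ads but smb.conf sets no realm")
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "").upper()
    if realm and default_realm and realm != default_realm:
        findings.append(f"realm mismatch: smb.conf {realm} vs krb5.conf default_realm {default_realm}")
    for kind in ("uid", "gid"):  # 'winbind uid' is the old Samba 3.0 synonym of 'idmap uid'
        old, new = g.get(f"winbind {kind}"), g.get(f"idmap {kind}")
        if old and new and old.replace(" ", "") != new.replace(" ", ""):
            findings.append(f"conflicting ranges: winbind {kind} = {old} vs idmap {kind} = {new}")
    for sec in krb5:
        if sec not in KNOWN_KRB5_SECTIONS:
            findings.append(f"unknown krb5.conf section [{sec}]: probably a typo, it is ignored")
    return findings

# Constructed samples, reduced from the configs quoted in this thread (kdc host is a placeholder).
SMB_CONF = ("[global]\nworkgroup = scl\nrealm = SCL.DOMAIN.EDU\nsecurity = ads\n"
            "idmap uid = 5000-2000000\nidmap gid = 5000-2000000\n"
            "winbind uid = 500-2000000\nwinbind gid = 500-2000000\n")
KRB5_CONF = ("[libdefaults]\ndefault_realm = UTAH.EDU\n[realms]\nUTAH.EDU = {\n"
             "kdc = kdc.example.invalid\n}\n[domain_realm]\n.utah.edu = DOMAIN.EDU\n"
             "[loggin]\ndefault = FILE:/var/log/krb5.log\n")
if __name__ == "__main__":
    for f in lint(SMB_CONF, KRB5_CONF):
        print("-", f)
```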