[Samba] FreeBSD 7.2 and Samba 3.3.7 AD 2003 Authentication Problem
Vladimir Orlic
vorlic at ucsd.edu
Fri Aug 28 12:36:38 MDT 2009
I am having problems upgrading Samba 3.0.36 to 3.3.7. I have a working
installation of Samba 3.0.36 on FreeBSD 7.2 amd64, configured as a
domain member of a Windows 2003 AD domain running in native mode. The domain
controllers have Services for Unix 3.5 installed and I am using the idmap
backend in SFU schema mode. I have enclosed my configuration files and compile
options further down. When I upgrade to version 3.3.7 I can see user
information (pw user show -a) and it is correct, but when I try
to log in using ssh, the connection drops after I enter the username and I get
the following error messages in /var/log/messages:
sshd[44500]: in openpam_load_module(): no /usr/local/lib/pam_winbind.so
found
sshd[44500]: fatal: PAM: initialisation failed
There is also the following message in /var/log/messages:
winbindd[44685]: request_len_recv: Invalid request size received: 2088
(expected 2096)
Logging in on the system console fails as well, though less verbosely. I can
use the root account to log in on the console, but not through ssh (I enabled
root ssh login for testing purposes).
Upgrade steps are:
## upgrade sequence as posted (root prompt "# "); annotations below use "##"
# /usr/local/etc/rc.d/samba stop
## leave the domain while the old binaries and their state are still in place
# net ads leave -U adminuser
## removes the old tdb state; presumably includes the machine-account secret,
## which is why the leave happens before and the join after
# rm /usr/local/etc/samba/*tdb
# rm /var/db/samba/*tdb
# cd /usr/ports/net/samba3/
# make deinstall distclean
# cd /usr/ports/net/samba33/
## KRB5_HOME presumably builds against the ports Kerberos under /usr/local instead of the base system's — confirm
# make KRB5_HOME=/usr/local/ reinstall distclean
# net ads join -U adminuser
# /usr/local/etc/rc.d/samba start
I test the installation with:
## confirms the machine account / Kerberos join is valid
# net ads testjoin
## these two talk to winbindd directly (no NSS or PAM involved)
# wbinfo -u
# wbinfo -g
## this one presumably goes through NSS (nss_winbind), so the NSS side of winbind
## works; the failing path described in the mail is PAM, which none of these exercise
# pw user show -a
and I can see all users, with the uids that are set on the SFU-enabled PDC.
If I comment out the following lines in the config file, I still get the
same problem:
# legacy global idmap keys; in the smb.conf further down the uid/gid pair is
# already commented out while "idmap backend = ad" is still active
idmap backend = ad
idmap uid = 50001 - 100000
idmap gid = 50001 - 100000
I hope you can help me resolve this issue. Please let me know if you
need any additional info.
Thanks,
Vladimir Orlic
# more /var/db/ports/samba3/options
# NOTE(review): recorded for samba-3.0.35,1 although the mail says 3.0.36 is
# installed; presumably saved by an earlier "make config" and reused since
_OPTIONS_READ=samba-3.0.35,1
WITH_LDAP=true
WITH_ADS=true
WITHOUT_CUPS=true
# winbind support; no separate option here governs pam_winbind (PAM_SMBPASS below is a different module)
WITH_WINBIND=true
WITH_ACL_SUPPORT=true
WITHOUT_AIO_SUPPORT=true
WITHOUT_FAM_SUPPORT=true
WITH_SYSLOG=true
WITHOUT_QUOTAS=true
WITH_UTMP=true
WITH_PAM_SMBPASS=true
WITHOUT_CLUSTER=true
WITH_DNSUPDATE=true
WITH_EXP_MODULES=true
WITH_POPT=true
WITH_PCH=true
WITHOUT_MAX_DEBUG=true
WITHOUT_SMBTORTURE=true
# more /var/db/ports/samba33/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for samba-3.3.7
# Compared with the samba3 (3.0) options above: CLUSTER and PCH are gone, SWAT and
# DNSSD are new (both off); the LDAP/ADS/WINBIND/PAM_SMBPASS choices are unchanged,
# so the options alone do not explain a missing pam_winbind.so
_OPTIONS_READ=samba-3.3.7
WITH_LDAP=true
WITH_ADS=true
WITHOUT_CUPS=true
WITH_WINBIND=true
WITHOUT_SWAT=true
WITH_ACL_SUPPORT=true
WITHOUT_AIO_SUPPORT=true
WITHOUT_FAM_SUPPORT=true
WITH_SYSLOG=true
WITHOUT_QUOTAS=true
WITH_UTMP=true
WITH_PAM_SMBPASS=true
WITH_DNSUPDATE=true
WITHOUT_DNSSD=true
WITH_EXP_MODULES=true
WITH_POPT=true
WITHOUT_MAX_DEBUG=true
WITHOUT_SMBTORTURE=true
I use this command to compile Samba, after making sure that the samba daemons are
not running and that I have left the domain.
## NOTE(review): unlike the upgrade sequence earlier in the mail, this invocation omits
## KRB5_HOME=/usr/local/ — worth confirming which of the two produced the installed 3.3.7 binaries
# make reinstall distclean
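# more smb.conf
#======================= Global Settings =====================================
[global]
# AD domain member; the realm must match the one in krb5.conf
security = ads
realm = MYDOMAIN.UCSD.EDU
workgroup = MYDOMAIN
# NOTE(review): pinning a single DC removes DC discovery/failover; with security = ads
# this line is normally optional (winbind finds DCs via DNS) — consider dropping it
password server = pdc.mydomain.ucsd.edu
server string = Samba File Server
encrypt passwords = yes
netbios name = MACHINENAME
# no TLS on the AD LDAP session; presumably relying on Kerberos signing/sealing instead — confirm
ldap ssl = no
unix extensions = no
# Log settings
# level 1 is quiet; for the winbind/PAM failure in the mail a class-specific level
# such as "log level = 1 winbind:10" would show what winbindd is rejecting
log level = 1
log file = /var/log/samba/log.%m
max log size = 50
syslog = 1
# Browser settings
local master = no
domain master = no
preferred master = no
# ACL settings
inherit acls = yes
acl compatibility = auto
acl check permissions = true
acl map full control = true
dos filemode = yes
# Config domain security
# global "ad" backend plus a per-domain block for MYDOMAIN (SFU schema, 10000-50000);
# the alloc range 50001-100000 is separate and does not overlap it
idmap backend = ad
idmap alloc config: range = 50001 - 100000
#idmap uid = 50001 - 100000
#idmap gid = 50001 - 100000
idmap config MYDOMAIN:default = yes
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:range = 10000 - 50000
idmap config MYDOMAIN:schema_mode = sfu
# Winbind settings
# Enable offline logon support (caches domain credentials locally for use when no DC is reachable)
winbind offline logon = yes
# enumerating every user/group can be slow on large domains; only needed by tools that list accounts
winbind enum users = yes
winbind enum groups = yes
winbind nss info = sfu
winbind nested groups = yes
# with the domain prefix dropped, a domain user and a local user of the same name share one
# login name (NSS consults files first) — keep local and domain account names distinct
winbind separator = /
winbind use default domain = yes
allow trusted domains = no
#============================ Share Definitions ==============================
# [Files] must start its own line: in the posted copy it was wrapped onto the comment line above,
# which would make the whole share block part of [global]
[Files]
comment = My File Server
browseable = yes
writable = yes
path = /usr/local/smbmnt/Files
printable = no
create mask = 0664
directory mask = 0775
delete read only = yes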
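# more /etc/krb5.conf
[libdefaults]
# fixed: the posted file spelled this key "deafult_realm", an unrecognised relation name,
# so no default realm was actually set (the join presumably worked because smb.conf's
# "realm =" supplies it to Samba) — confirm on the live file
default_realm = MYDOMAIN.UCSD.EDU
forwardable = yes
[realms]
MYDOMAIN.UCSD.EDU = {
kdc = pdc.mydomain.ucsd.edu
# fixed: the posted file had a stray space ("pdc. mydomain.ucsd.edu"), possibly a mail-wrap artifact
admin_server = pdc.mydomain.ucsd.edu
default_domain = mydomain.ucsd.edu
}
[domain_realm]
mydomain.ucsd.edu = MYDOMAIN.UCSD.EDU
.mydomain.ucsd.edu = MYDOMAIN.UCSD.EDU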
# more /etc/nsswitch.conf
# passwd and group consult local files first, then winbindd for domain accounts
group: files winbind
group_compat: nis
hosts: files dns
networks: files
# NOTE(review): the winbindd "Invalid request size received: 2088 (expected 2096)"
# message quoted in the mail looks like a client/daemon protocol mismatch; worth
# confirming that the nss_winbind and pam_winbind libraries the loader finds come
# from the 3.3.7 install and not a leftover copy from the removed 3.0 port
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
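# more /etc/pam.d/sshd
# option tokens that sat on their own line in the posted copy (no_fake_prompts, allow_local,
# try_first_pass) were mail-wrapped; PAM reads one rule per line, so they are rejoined here
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
# absolute path: the sshd error in the mail says this file was not found after the upgrade —
# check where the samba33 port actually installed pam_winbind.so before changing the policy
auth sufficient /usr/local/lib/pam_winbind.so try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
# "sufficient" returns success immediately for domain accounts, so pam_login_access and
# pam_unix below are skipped for them; if /etc/login.access is meant to restrict domain
# users as well, place pam_login_access above this line
account sufficient /usr/local/lib/pam_winbind.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
#session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
# password
password sufficient /usr/local/lib/pam_winbind.so try_first_pass
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass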
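# more /etc/pam.d/system
# option tokens that sat on their own line in the posted copy were mail-wrapped;
# PAM reads one rule per line, so they are rejoined onto their rule line here
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_winbind.so try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
# nullok lets local accounts with an empty password authenticate (presumably inherited
# from the stock file); confirm it is wanted on a domain-joined server
auth required pam_unix.so no_warn try_first_pass nullok
# account
# first rule and "sufficient": domain accounts never reach pam_login_access/pam_unix below,
# so /etc/login.access restrictions do not apply to them
account sufficient /usr/local/lib/pam_winbind.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
# password
password sufficient /usr/local/lib/pam_winbind.so try_first_pass
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass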