[Samba] Samba/winbind with Active Directory auth

Johan.Bergstrom at tieto.com
Tue Feb 2 08:34:50 MST 2010


Hello Robert, Kris.

I have tried with client ntlmv2 auth = yes but I'm still getting the problem.

This is output from the messages log;

Feb  2 16:32:26 udcsp03 winbindd[19999]: [2010/02/02 16:32:26, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
Feb  2 16:32:26 udcsp03 winbindd[19999]:   cli_pipe_verify_schannel: auth_len 56.

Above Startup

Feb  2 16:32:26 udcsp03 winbindd[20007]: [2010/02/02 16:32:26, 0] nsswitch/idmap.c:smb_register_idmap(146)
Feb  2 16:32:26 udcsp03 winbindd[20007]:   Idmap module rid already registered!
Feb  2 16:32:26 udcsp03 winbindd[20007]: [2010/02/02 16:32:26, 0] lib/module.c:do_smb_load_module(69)
Feb  2 16:32:26 udcsp03 winbindd[20007]:   Module '/usr/lib64/samba/idmap/rid.so' initialization failed: NT_STATUS_OBJECT_NAME_COLLISION

The above is from when I do wbinfo -g or wbinfo -u

Feb  2 16:33:07 udcsp03 winbindd[19999]: [2010/02/02 16:33:07, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
Feb  2 16:33:07 udcsp03 winbindd[19999]:   rpc_api_pipe: Remote machine INFRADC06.sweinfra.se pipe \NETLOGON fnum 0x8008returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

And above the main problem, wbinfo -a domainuser%password

I'm attaching my smb.conf.

/JB

> -----Original Message-----
> From: Robert Freeman-Day [mailto:presgas at gmail.com]
> Sent: den 2 februari 2010 15:31
> To: Kris Kaido
> Cc: Bergstrom Johan; samba at lists.samba.org
> Subject: Re: [Samba] Samba/winbind with Active Directory auth
> 
> Kris and Johan,
> 
> Both of you have not appended your smb.conf files.  Maybe doing that
> would help as well.
> 
> From what I am seeing, the pam stack Kris gave was authenticating via
> winbind which would use either plaintext, lanman, ntlm or ntlmv2 and not
> configured to authenticate using kerberos.  The plaintext password
> authentication is pretty insecure and this is what I suspect your setup
> is attempting to use.  Win 2008 has that disabled by default as well as
> (afaik) lanman and ntlm.  If you plan on using winbind to authenticate,
> you will likely need to add the following directive in the [global]
> section of your smb.conf file:
> 
> client ntlmv2 auth = yes
> 
> You may then need to restart winbindd and smbd (hell, you could restart
> the whole machine if you felt like it).  Tell us if this works out for
> you.
> 
> 
> Volker Lendecke wrote:
> > On Tue, Jan 19, 2010 at 08:23:45AM +0400, Alexander R. Fahrutdinov wrote:
> >> In a message dated Monday 18 January 2010 19:33:00, Kris Kaido wrote:
> >>> Hi List,
> >>>
> >>> I'm installing a Samba server with the intended purpose of serving files to
> >>> Windows users with seamless authentication on the smb server.
> >>> For that, I've been reading and following every single google search result
> >>> regarding the subject, but it seems I'm stuck at some point where other
> >>> people are not blocked ...
> >>>
> >>> To summarize, I have these commands OK:
> >>> # kinit admin_user at DOMAIN.EXAMPLE.COM
> >>> # klist (ticket ok)
> >>> # net join ads -S server -U admin_user
> >>> # wbinfo -u and -g (both showing "DOMAIN\...")
> >>> # wbinfo -t (succeeded)
> >>
> >> Try to use Kerberos auth (wbinfo -K login%pass). It's possible, Windows PDC
> >> does not support NT-style auth via pipe. Also, try 'nt pipe support = no'
> >> option in smb.conf file.
> >
> > ???
> >
> > nt pipe support = no
> >
> > is extremely unlikely to ever help these days.
> >
> > Volker
> >

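The quoted advice above turns on which client authentication settings are actually in effect in the [global] section of smb.conf. The following is an added example, not part of the original messages or of Samba itself: a small Python check that reads a smb.conf text and reports the state of `client ntlmv2 auth` together with `client lanman auth` and `client plaintext auth` (real smb.conf options for the weaker mechanisms the reply mentions, though not named in it). The function names and the sample configuration are constructed for illustration.

```python
import re

# Client-side authentication parameters: the one named in the thread plus the
# smb.conf options for the weaker mechanisms it mentions (assumed selection).
WANTED = {"clientntlmv2auth": True, "clientlanmanauth": False,
          "clientplaintextauth": False}
TRUE, FALSE = {"yes", "true", "1", "on"}, {"no", "false", "0", "off"}

def parse_global(text):
    """Return {normalized parameter: raw value} for the [global] section."""
    params, section = {}, None
    # smb.conf joins a line ending in a backslash with the next line
    for line in re.sub(r"\\\r?\n", "", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # parameter names ignore case and embedded whitespace
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(text):
    """Map each parameter to 'ok', 'weak', 'unset' or 'invalid'."""
    params, result = parse_global(text), {}
    for name, wanted in WANTED.items():
        raw = params.get(name)
        if raw is None:
            result[name] = "unset"    # version default applies; see testparm -v
        elif raw.lower() not in TRUE | FALSE:
            result[name] = "invalid"
        else:
            result[name] = "ok" if (raw.lower() in TRUE) == wanted else "weak"
    return result

# Constructed sample, not the smb.conf attached to the original mail
SAMPLE = """\
[global]
   security = ads
   Client NTLMv2 Auth = Yes
   ; client lanman auth = no
   client plaintext auth = yes
[share]
   client lanman auth = yes
"""
print(audit(SAMPLE))
```

A parameter reported as "unset" is not necessarily safe or unsafe: the built-in default differs between Samba versions, so the effective value has to be read from the installed version.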