[Samba] Samba/winbind with Active Directory auth
Johan.Bergstrom at tieto.com
Tue Feb 2 08:34:50 MST 2010
Hello Robert, Kris.
I have tried with client ntlmv2 auth = yes but I'm still getting the problem.
This is the output from the messages log:
Feb 2 16:32:26 udcsp03 winbindd: [2010/02/02 16:32:26, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
Feb 2 16:32:26 udcsp03 winbindd: cli_pipe_verify_schannel: auth_len 56.
Feb 2 16:32:26 udcsp03 winbindd: [2010/02/02 16:32:26, 0] nsswitch/idmap.c:smb_register_idmap(146)
Feb 2 16:32:26 udcsp03 winbindd: Idmap module rid already registered!
Feb 2 16:32:26 udcsp03 winbindd: [2010/02/02 16:32:26, 0] lib/module.c:do_smb_load_module(69)
Feb 2 16:32:26 udcsp03 winbindd: Module '/usr/lib64/samba/idmap/rid.so' initialization failed: NT_STATUS_OBJECT_NAME_COLLISION
The above is from when I do wbinfo -g or wbinfo -u
Feb 2 16:33:07 udcsp03 winbindd: [2010/02/02 16:33:07, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
Feb 2 16:33:07 udcsp03 winbindd: rpc_api_pipe: Remote machine INFRADC06.sweinfra.se pipe \NETLOGON fnum 0x8008returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
And above is the main problem, wbinfo -a domainuser%password
I'm attaching my smb.conf.
> -----Original Message-----
> From: Robert Freeman-Day [mailto:presgas at gmail.com]
> Sent: den 2 februari 2010 15:31
> To: Kris Kaido
> Cc: Bergstrom Johan; samba at lists.samba.org
> Subject: Re: [Samba] Samba/winbind with Active Directory auth
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Kris and Johan,
> Both of you have not appended your smb.conf files. Maybe doing that
> would help as well.
> - From what I am seeing, the pam stack Kris gave was authenticating via
> winbind which would use either plaintext, lanman, ntlm or ntlmv2 and not
> configured to authenticate using kerberos. The plaintext password
> authentication is pretty insecure and this is what I suspect your setup
> is attempting to use. Win 2008 has that disabled by default as well as
> (afaik) lanman and ntlm. If you plan on using winbind to authenticate,
> you will likely need to add the following directive in the [global]
> section of your smb.conf file:
> client ntlmv2 auth = yes
> You may then need to restart winbindd and smbd (hell, you could restart
> the whole machine if you felt like it). Tell us if this works out for
> Volker Lendecke wrote:
> > On Tue, Jan 19, 2010 at 08:23:45AM +0400, Alexander R. Fahrutdinov
> >> In the message of Monday 18 January 2010 19:33:00, author Kris Kaido
> >>> Hi List,
> >>> I'm installing a Samba server with the intended purpose of serving files to
> >>> Windows users with seamless authentication on the smb server.
> >>> For that, I've been reading and following every single google search
> >>> regarding the subject, but it seems I'm stuck at some point where
> >>> people are not blocked ...
> >>> To summarize, I have these commands OK:
> >>> # kinit admin_user at DOMAIN.EXAMPLE.COM
> >>> # klist (ticket ok)
> >>> # net join ads -S server -U admin_user
> >>> # wbinfo -u and -g (both showing "DOMAIN\...")
> >>> # wbinfo -t (succeeded)
> >> Try to use Kerberos auth (wbinfo -K login%pass). It's possible, Windows
> >> does not support NT-style auth via pipe. Also, try 'nt pipe support =
> >> option in smb.conf file.
> > ???
> > nt pipe support = no
> > is extremely unlikely to ever help these days.
> > Volker
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> -----END PGP SIGNATURE-----
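
Added example, not part of the thread and not Samba project code: a small check of the [global] section of an smb.conf for the client authentication settings discussed above. It assumes a policy of "client ntlmv2 auth" on and "client lanman auth" / "client plaintext auth" off; the sample config is constructed.

```python
import re

# Assumed policy: NTLMv2 on (the directive suggested in the thread); LANMAN and
# plaintext off (the thread calls plaintext insecure).
WANTED = {"clientntlmv2auth": True, "clientlanmanauth": False,
          "clientplaintextauth": False}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def parse_global(text):
    """Return {normalized_name: value} for [global]; continuation lines not handled."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(text):
    """Return (parameter, finding) pairs for settings that differ from WANTED."""
    params, findings = parse_global(text), []
    for key, wanted in WANTED.items():
        value = params.get(key)
        if value is None:
            findings.append((key, "unset (version default applies)"))
        elif value.lower() not in TRUE | FALSE:
            findings.append((key, "unparsed value %r" % value))
        elif (value.lower() in TRUE) != wanted:
            findings.append((key, "weak: set to %s" % value))
    return findings

# Constructed sample, not the smb.conf attached to the thread.
SAMPLE = """[global]
   security = ads
   Client LANMAN Auth = Yes
   client ntlmv2 auth = no
[share]
   client plaintext auth = yes
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(name, "->", finding)
```

An unset parameter is reported rather than judged, because the built-in default depends on the Samba version in use.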