[Samba] wbinfo works, getent and check via smbclient not

Karsten Römke k.roemke at gmx.de
Wed Mar 3 07:51:40 MST 2010


Walter Neu wrote:
> set the following in the [global] section and try again
>
> winbind enum users = yes
> winbind enum groups = yes
>
>

Hello,
thanks for your hint, I have done that,
I think I should post my smb.conf, the krb5.conf
and the nsswitch.conf in some parts:

smb.conf
[global]
        workgroup = NT_TECHNOLOGIE
        #printing = cups
        #printcap name = cups
        #printcap cache time = 750
        #cups options = raw
        map to guest = Bad User
        #logon path = \\%L\profiles\.msprofile
        #logon home = \\%L\%U\.9xprofile
        #logon drive = P:
        #usershare allow guests = No
        netbios name = www
        #passdb backend = smbpasswd
        wins server = hhbnt12.hhb.bonn.de
        wins support = No
        security = ads

        #in addition to yast
        password server = hhbnt12.hhb.bonn.de
        client use spnego = yes
        realm  = HHB.BONN.DE
        winbind separator = /
        winbind use default domain = Yes
        winbind enum groups = yes
        winbind enum users = yes
        log level = 0 passdb:3 auth:3

        winbind nested groups = Yes
        template shell = /bin/bash

        #very unsure:
        passdb backend = tdbsam
        idmap backend = ad


[documentswrite]
        comment = Count Dooku
        inherit acls = No
        path = /srv/www/htdocs/documents
        read only = Yes
        valid users = roemke römke roemkea


krb5.conf
[libdefaults]
#       default_realm = EXAMPLE.COM
default_realm = HHB.BONN.DE

[realms]
HHB.BONN.DE = {
        kdc = hhbnt12.hhb.bonn.de
        }

#the following is from prolinux
[appdefaults]
       pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
                debug = false
        }



and parts from nsswitch.conf
#passwd:        compat winbind
passwd: files winbind
#group: files ldap winbind
group: files winbind
shadow: files winbind

I have not done anything in /etc/pam.d/ - I don't want logins of
Windows users.



Karsten


> 
> Karsten Römke wrote:
>> Hello,
>> I have a problem with authentication vs ads.
>>
>> History:
>> - Samba works as stand-alone server (non productive)
>> - some experiments with connection to a ldap-Server running on another
>>   machine.
>> - Trying to join to Active Directory, since I had no success I
>>   uninstalled samba completely and reinstalled it.
>>
>> Versions:
>>
>>      OpenSuse 11.1 (actual apart from the kernel)
>>          Samba samba-3.2.7-11.4.1
>>          winbind: samba-winbind-3.2.7-11.4.1
>>          Windows 2003 Server with ADS
>>
>> I followed the article in
>> http://www.pro-linux.de/NB3/artikel/2/1110/3,next.html
>> (sorry it's German) and looked at the official samba howto.
>>
>>
>> The following tests I have done:
>>
>> not sure: kinit, I set up /etc/krb5.conf
>>
>> (roemke is a local user and a user of ADS with
>> admin rights)
>>
>> net ads join -S hhbnt12.hhb.bonn.de -Uroemke%xyz
>> seems to work, Server says that I have joined the
>> Domain but DNS update failed.
>>
>> test:
>> www:/etc/samba # net ads testjoin
>> Join is OK
>>
>> test:
>> wbinfo -u
>> -> shows all usernames on active directory but no machines
>>   as mentioned in the samba wiki
>>
>> www:/etc/samba # wbinfo -a roemkea%xyz
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>> roemkea is a non local user, only available in the ads
>>
>> getent passwd
>> shows only local users :-(
>>
>> I checked the nsswitch.conf and made symbolic links
>> /lib/libnss_winbind ...
>>
>>
>> I think at that point I could stop, but I tested via smbclient:
>>
>> (roemkea is ADS User)
>> smbclient //www/documentsWrite -Uroemkea
>> ->  NT_STATUS_ACCESS_DENIED
>> Log-File:
>> [2010/03/03 14:34:25,  3] auth/auth.c:check_ntlm_password(220)
>>   check_ntlm_password:  Checking password for unmapped user
>>  [NT_TECHNOLOGIE]\[roemkea]@[WWW] with the new password interface
>> [2010/03/03 14:34:25,  3] auth/auth.c:check_ntlm_password(223)
>>   check_ntlm_password:  mapped user is: [NT_TECHNOLOGIE]\[roemkea]@[WWW]
>> [2010/03/03 14:34:25,  2] auth/auth.c:check_ntlm_password(318)
>>   check_ntlm_password:  Authentication for user [roemkea] -> [roemkea]
>>  FAILED with error NT_STATUS_NO_SUCH_USER
>>
>> with localuser roemke:
>> NT_STATUS_ACCESS_DENIED
>> but  in the Log-File
>> [2010/03/03 14:35:33,  3] auth/auth.c:check_ntlm_password(220)
>>   check_ntlm_password:  Checking password for unmapped user
>>  [NT_TECHNOLOGIE]\[roemke]@[WWW] with the new password interface
>> [2010/03/03 14:35:33,  3] auth/auth.c:check_ntlm_password(223)
>>   check_ntlm_password:  mapped user is: [NT_TECHNOLOGIE]\[roemke]@[WWW]
>> [2010/03/03 14:35:33,  3] auth/auth.c:check_ntlm_password(269)
>>   check_ntlm_password: winbind authentication for user [roemke] succeeded
>> [2010/03/03 14:35:33,  2] auth/auth.c:check_ntlm_password(308)
>>   check_ntlm_password:  authentication for user [roemke] -> [roemke] ->
>>  [roemke] succeeded
>>
>> I found no hint.
>> It seems that for a local user winbind asks the ADS and gets back that
>> the authentication is ok, but I don't get access.
>> For a non local user I get the information that there is no such user.
>>
>> I don't understand what happens.
>>
>> Any help would be nice
>>
>>       Karsten
>>   
> 


