[Samba] wbinfo works, getent and check via smbclient not
Karsten Römke
k.roemke at gmx.de
Wed Mar 3 07:51:40 MST 2010
Walter Neu wrote:
> set the following in the [global] section and try again
>
> winbind enum users = yes
> winbind enum groups = yes
>
>
Hello,
thanks for your hint, I have done that,
I think I should post my smb.conf, the krb5.conf
and the nsswitch.conf in some parts:

smb.conf

[global]
    workgroup = NT_TECHNOLOGIE
    #printing = cups
    #printcap name = cups
    #printcap cache time = 750
    #cups options = raw
    map to guest = Bad User
    #logon path = \\%L\profiles\.msprofile
    #logon home = \\%L\%U\.9xprofile
    #logon drive = P:
    #usershare allow guests = No
    netbios name = www
    #passdb backend = smbpasswd
    wins server = hhbnt12.hhb.bonn.de
    wins support = No
    security = ads
    #in addition to yast
    password server = hhbnt12.hhb.bonn.de
    client use spnego = yes
    realm = HHB.BONN.DE
    winbind separator = /
    winbind use default domain = Yes
    winbind enum groups = yes
    winbind enum users = yes
    log level = 0 passdb:3 auth:3
    winbind nested groups = Yes
    template shell = /bin/bash
    #very insecure:
    passdb backend = tdbsam
    idmap backend = ad

[documentswrite]
    comment = Count Dooku
    inherit acls = No
    path = /srv/www/htdocs/documents
    read only = Yes
    valid users = roemke römke roemkea

krb5.conf

[libdefaults]
    # default_realm = EXAMPLE.COM
    default_realm = HHB.BONN.DE

[realms]
    HHB.BONN.DE = {
        kdc = hhbnt12.hhb.bonn.de
    }

#the following from prolinux
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
    }

and parts from nsswitch.conf

#passwd: compat winbind
passwd: files winbind
#group: files ldap winbind
group: files winbind
shadow: files winbind

I have done nothing in /etc/pam.d/ - I don't want logins of
Windows users.
Karsten
>
> Karsten Römke wrote:
>> Hello,
>> I have a problem in authentication vs ads.
>>
>> History:
>> - Samba works as stand-alone server (non productive)
>> - some experiments with connection to a ldap-Server running on another
>> machine.
>> - Trying to join to Active Directory, since I had no success I
>> deinstalled
>> samba completely and reinstalled it.
>>
>> Versions:
>>
>> OpenSuse 11.1 (actual apart from the kernel)
>> Samba samba-3.2.7-11.4.1
>> winbind: samba-winbind-3.2.7-11.4.1
>> Windows 2003 Server with ADS
>>
>> I followed the article in
>> http://www.pro-linux.de/NB3/artikel/2/1110/3,next.html
>> (sorry it's German) and looked to the official samba howto.
>>
>>
>> The following tests I have done:
>>
>> not sure: kinit, I set up /etc/krb5.conf
>>
>> (roemke is a local user and a user of ADS with
>> admin rights)
>>
>> net ads join -S hhbnt12.hhb.bonn.de -Uroemke%xyz
>> seems to work, Server says that I have joined the
>> Domain but DNS update failed.
>>
>> test:
>> www:/etc/samba # net ads testjoin
>> Join is OK
>>
>> test:
>> wbinfo -u
>> -> shows all usernames on active directory but no machines
>> as mentioned in the samba wiki
>>
>> www:/etc/samba # wbinfo -a roemkea%xyz
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>> roemkea is a non local user, only available in the ads
>>
>> getent passwd
>> shows only local users :-(
>>
>> I checked the nsswitch.conf and did symbolic links
>> /lib/libnss_winbind ...
>>
>>
>> I think at that point I could stop, but I tested via smbclient:
>>
>> (roemkea is ADS User)
>> smbclient //www/documentsWrite -Uroemkea
>> -> NT_STATUS_ACCESS_DENIED
>> Log-File:
>> [2010/03/03 14:34:25, 3] auth/auth.c:check_ntlm_password(220)
>> check_ntlm_password: Checking password for unmapped user
>> [NT_TECHNOLOGIE]\[roemkea]@[WWW] with the new password interface
>> [2010/03/03 14:34:25, 3] auth/auth.c:check_ntlm_password(223)
>> check_ntlm_password: mapped user is: [NT_TECHNOLOGIE]\[roemkea]@[WWW]
>> [2010/03/03 14:34:25, 2] auth/auth.c:check_ntlm_password(318)
>> check_ntlm_password: Authentication for user [roemkea] -> [roemkea]
>> FAILED with error NT_STATUS_NO_SUCH_USER
>>
>> with localuser roemke:
>> NT_STATUS_ACCESS_DENIED
>> but in the Log-File
>> [2010/03/03 14:35:33, 3] auth/auth.c:check_ntlm_password(220)
>> check_ntlm_password: Checking password for unmapped user
>> [NT_TECHNOLOGIE]\[roemke]@[WWW] with the new password interface
>> [2010/03/03 14:35:33, 3] auth/auth.c:check_ntlm_password(223)
>> check_ntlm_password: mapped user is: [NT_TECHNOLOGIE]\[roemke]@[WWW]
>> [2010/03/03 14:35:33, 3] auth/auth.c:check_ntlm_password(269)
>> check_ntlm_password: winbind authentication for user [roemke] succeeded
>> [2010/03/03 14:35:33, 2] auth/auth.c:check_ntlm_password(308)
>> check_ntlm_password: authentication for user [roemke] -> [roemke] ->
>> [roemke] succeeded
>>
>> I found no hint.
>> It seems that for a local user winbind asks the ADS and gets back that
>> the authentication is ok, but I don't get access.
>> For a non local user I get the Information that there is no such user.
>>
>> I don't understand what happens.
>>
>> Any help would be nice
>>
>> Karsten
>>
>
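
Added example (not part of the original post and not Samba project code): a small Python parser for the smbd auth log lines quoted above. It rejoins the wrapped continuation lines and extracts the final check_ntlm_password verdict per user; the function names and the "NT_STATUS_OK" label for a success are choices of this example.

```python
import re

# Excerpt of the smbd log lines quoted in the post (quote markers removed).
SAMPLE_LOG = r"""
[2010/03/03 14:34:25, 3] auth/auth.c:check_ntlm_password(220)
check_ntlm_password: Checking password for unmapped user
[NT_TECHNOLOGIE]\[roemkea]@[WWW] with the new password interface
[2010/03/03 14:34:25, 2] auth/auth.c:check_ntlm_password(318)
check_ntlm_password: Authentication for user [roemkea] -> [roemkea]
FAILED with error NT_STATUS_NO_SUCH_USER
[2010/03/03 14:35:33, 3] auth/auth.c:check_ntlm_password(269)
check_ntlm_password: winbind authentication for user [roemke] succeeded
[2010/03/03 14:35:33, 2] auth/auth.c:check_ntlm_password(308)
check_ntlm_password: authentication for user [roemke] -> [roemke] ->
[roemke] succeeded
"""

# A record header carries a timestamp and debug level; continuation lines may
# also start with "[" (e.g. "[roemke] succeeded"), so match the timestamp.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\] (\S+)\((\d+)\)$")
FAILED = re.compile(r"Authentication for user \[([^\]]+)\] -> \[[^\]]+\] FAILED with error (NT_STATUS_\w+)")
PASSED = re.compile(r"authentication for user \[([^\]]+)\] -> .*succeeded")

def parse_records(text):
    """Join wrapped continuation lines back onto their header record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "where": m.group(3), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def auth_verdicts(text):
    """Return (time, user, status) for each final check_ntlm_password verdict."""
    out = []
    for rec in parse_records(text):
        if (m := FAILED.search(rec["msg"])):
            out.append((rec["time"], m.group(1), m.group(2)))
        elif (m := PASSED.search(rec["msg"])):
            out.append((rec["time"], m.group(1), "NT_STATUS_OK"))  # label chosen here
    return out

if __name__ == "__main__":
    for verdict in auth_verdicts(SAMPLE_LOG):
        print(*verdict)
```

The intermediate "winbind authentication ... succeeded" record is deliberately not counted as a verdict; only the final level-2 result line for each attempt is reported.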