[Samba] Problems logging in when authenticating against Active Directory
Mike Leone
turgon at mike-leone.com
Sat Mar 27 20:24:02 MDT 2010
Greetings! I am having a bit of an issue using Ubuntu 9.10 and AD 2003.
AD domain = dacrib.local
AD server = dim-2300.dacrib.local
IP = 10.0.0.60
Samba server = workhorse.dacrib.local
IP = 10.0.0.20
I joined the server to AD, and I can see all the domain users and groups
when I do a "getent passwd" and "getent group". "wbinfo -u" lists all
domain users, and "wbinfo -g" gives me all domain groups. AD shows the
server as a member, and other domain computers can see and access the
shares. Now, I want to be able to log in to the Linux server as a domain
user, and have it authenticate against my AD.
I have my smb.conf set up so that I need to log on domain members as
"DACRIB+logonname". And when I go to do that, this happens:
I tried to log on as "DACRIB+administrator" at the physical console. I
was prompted twice for my password (dunno if that's because my password
has a "!" in it or not). Then it starts to log in. I see the motd. I see
it say that it was trying to create a home directory for administrator
in "/home/DACRIB/administrator" - which is exactly what it should do.
Then I am immediately logged out, and returned to a new login prompt. No
other messages on the console, nothing.
auth.log says:
Mar 27 21:04:15 workhorse login[4213]: pam_unix(login:auth): authentication failure; logname=turgon uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=DACRIB+administrator
Mar 27 21:04:15 workhorse login[4213]: pam_winbind(login:auth): getting password (0x00000180)
Mar 27 21:04:21 workhorse login[4213]: pam_winbind(login:auth): user 'DACRIB+administrator' granted access
Mar 27 21:04:21 workhorse login[4213]: pam_unix(login:session): session opened for user DACRIB+administrator by turgon(uid=0)
Mar 27 21:04:21 workhorse login[4213]: pam_unix(login:session): session closed for user DACRIB+administrator
Nothing in syslog or messages.
The home directory was created, as it should:
ls -la /home/DACRIB/
drwx------ 2 DACRIB+administrator DACRIB+domain users 4096 2010-03-27 21:04 administrator
ls -la /home/DACRIB/administrator/
drwx------ 2 DACRIB+administrator DACRIB+domain users 4096 2010-03-27 21:04 .
dr-xr-xr-x 4 root root 4096 2010-03-27 21:04 ..
-rw------- 1 DACRIB+administrator DACRIB+domain users 220 2010-03-27 21:04 .bash_logout
-rw------- 1 DACRIB+administrator DACRIB+domain users 3180 2010-03-27 21:04 .bashrc
-rw------- 1 DACRIB+administrator DACRIB+domain users 167 2010-03-27 21:04 examples.desktop
-rw------- 1 DACRIB+administrator DACRIB+domain users 675 2010-03-27 21:04 .profile
So I am confused as to why the domain accounts are immediately logged
out. NOTE: local users log in just fine.
Where to go next?
Here are the changes I've made to PAM.
$ cat /etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
$ cat /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth requisite pam_deny.so
auth required pam_permit.so
$ cat /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Thanks for any help.