[Samba] Problems logging in when authenticating against Active Directory

Mike Leone turgon at mike-leone.com
Sat Mar 27 20:24:02 MDT 2010


Greetings! I am having a bit of an issue using Ubuntu 9.10 and AD 2003.

AD domain = dacrib.local
AD server = dim-2300.dacrib.local
IP = 10.0.0.60

Samba server = workhorse.dacrib.local
IP = 10.0.0.20

I joined the server to AD, and I can see all the domain users and groups 
when I do a "getent passwd" and "getent group". "wbinfo -u" lists all 
domain users, and "wbinfo -g" gives me all domain groups. AD shows the 
server as a member, and other domain computers can see and access the 
shares. Now, I want to be able to log in to the Linux server as a domain 
user, and have it authenticate against my AD.

I have my smb.conf set up so that I need to logon domain members as
"DACRIB+logonname". And when I go to do that, this happens:

I tried to log on as "DACRIB+administrator" at the physical console. I
was prompted twice for my password (dunno if that's because my password
has a "!" in it or not). Then it starts to log in. I see the motd. I see
it say that it was trying to create a home directory for administrator
in "/home/DACRIB/administrator" - which is exactly what it should do.

Then I am immediately logged out, and returned to a new login prompt. No
other messages on the console, nothing.

auth.log says:

Mar 27 21:04:15 workhorse login[4213]: pam_unix(login:auth): authentication failure; logname=turgon uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=DACRIB+administrator
Mar 27 21:04:15 workhorse login[4213]: pam_winbind(login:auth): getting password (0x00000180)
Mar 27 21:04:21 workhorse login[4213]: pam_winbind(login:auth): user 'DACRIB+administrator' granted access
Mar 27 21:04:21 workhorse login[4213]: pam_unix(login:session): session opened for user DACRIB+administrator by turgon(uid=0)
Mar 27 21:04:21 workhorse login[4213]: pam_unix(login:session): session closed for user DACRIB+administrator

Nothing in syslog or messages.

The home directory was created, as it should:

ls -la /home/DACRIB/
drwx------ 2 DACRIB+administrator DACRIB+domain users 4096 2010-03-27 21:04 administrator

ls -la /home/DACRIB/administrator/
drwx------ 2 DACRIB+administrator DACRIB+domain users 4096 2010-03-27 21:04 .
dr-xr-xr-x 4 root                 root                4096 2010-03-27 21:04 ..
-rw------- 1 DACRIB+administrator DACRIB+domain users  220 2010-03-27 21:04 .bash_logout
-rw------- 1 DACRIB+administrator DACRIB+domain users 3180 2010-03-27 21:04 .bashrc
-rw------- 1 DACRIB+administrator DACRIB+domain users  167 2010-03-27 21:04 examples.desktop
-rw------- 1 DACRIB+administrator DACRIB+domain users  675 2010-03-27 21:04 .profile

So I am confused as to why the domain accounts are immediately logged
out. NOTE: local users log in just fine.

Where to go next?

Here are the changes I've made to PAM.

$ cat /etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite                       pam_deny.so
account required                        pam_permit.so

$ cat /etc/pam.d/common-auth
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

$ cat /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite   pam_deny.so
session required    pam_permit.so
session required    pam_unix.so
session required    pam_mkhomedir.so umask=0022 skel=/etc/skel

Thanks for any help.
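
Added example, not part of the original post: a simplified walk of the common-auth stack quoted above, showing which modules run and how the `[success=N default=ignore]` jumps decide the result. It models only the actions this stack uses (jump, ignore, ok, bad, die); the function names and the per-module results in `DOMAIN_LOGIN` are assumptions, the latter read off the auth.log lines in the post.

```python
# Added example (simplified PAM stack walk); stack copied from the post's common-auth.
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth requisite pam_deny.so
auth required pam_permit.so
"""
# Keyword controls in bracket form, reduced to the entries used here.
KEYWORDS = {"requisite": {"success": "ok", "default": "die"},
            "required": {"success": "ok", "default": "bad"}}
# These two modules return the same result for every user.
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}
# Module results assumed from the post's auth.log lines (constructed input).
DOMAIN_LOGIN = {"pam_unix.so": "auth_err", "pam_winbind.so": "success"}

def parse(stack):
    """Return [(control, module)] for each line of a PAM stack."""
    rules = []
    for line in stack.splitlines():
        _type, rest = line.split(None, 1)
        if rest.startswith("["):
            ctl, module = rest[1:].split("]", 1)
            control = dict(pair.split("=") for pair in ctl.split())
        else:
            keyword, module = rest.split(None, 1)
            control = KEYWORDS[keyword]
        rules.append((control, module.split()[0]))
    return rules

def evaluate(stack, results):
    """Walk the stack; return (granted, modules that were called)."""
    rules, called, ok, failed, i = parse(stack), [], False, False, 0
    while i < len(rules):
        control, module = rules[i]
        called.append(module)
        result = FIXED.get(module) or results[module]
        action = control.get(result, control["default"])
        i += 1
        if action.isdigit():
            i += int(action)  # success=N: jump over the next N modules
        elif action == "ok":
            ok = True
        elif action in ("bad", "die"):
            failed = True
            if action == "die":
                break  # requisite: stop the stack at this failure
        # "ignore": this module's result does not count either way
    return ok and not failed, called
```

With `DOMAIN_LOGIN`, the walk calls pam_unix.so (failure ignored), then pam_winbind.so (success, jump over pam_deny.so), then pam_permit.so, which is the same order as the pam_unix "authentication failure" and pam_winbind "granted access" lines in the auth.log.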

