[Samba] Samba 3.5.6 pam problems
Andrew Lyon
andrew.lyon at gmail.com
Wed Oct 20 05:46:27 MDT 2010
Hi,
I've set up Samba 3.5.6 as a member server in a 2003R2 domain with a
single DC. Idmapping is by rfc2307 with a tdb backend for builtin
accounts etc. I can list users and groups using wbinfo, and I can
create shares and access them from the Windows server; files and
folders owned by AD users show the correct user and group names, so
mapping appears to be working. I can su to AD accounts, but I am unable
to ssh into the system as an AD user.
Relevant config files:
cat /etc/samba/smb.conf
[global]
debug hires timestamp = yes
workgroup = SAMBATEST
security = ADS
winbind use default domain = true
realm = SAMBATEST.LOCAL
server string = Samba file and print server
log level = 3
max log size = 4192
printcap name = cups
idmap config SAMBATEST : backend = ad
idmap config SAMBATEST : range = 10000-10020
idmap config SAMBATEST : schema_mode = rfc2307
idmap config SAMBATEST : default = yes
idmap backend = tdb
idmap uid = 10100-10110
idmap gid = 10100-10110
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind refresh tickets = Yes
winbind normalize names = Yes
winbind nested groups = Yes
client ntlmv2 auth = yes
encrypt passwords = yes
password server = w2k3r2svr.sambatest.local
template shell = /bin/bash
[homes]
comment = Home Directories
read only = No
[printers]
comment = All Printers
guest ok = Yes
printable = Yes
browseable = No
available = No
cat /etc/pam.d/sshd
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
cat /etc/pam.d/system-remote-login
auth include system-login
account include system-login
password include system-login
session include system-login
cat /etc/pam.d/system-login
auth required pam_tally.so onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
account required pam_tally.so onerr=succeed
password include system-auth
session required pam_env.so
session optional pam_lastlog.so
session include system-auth
session optional pam_ck_connector.so nox11
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
file /etc/pam.d/system-auth
/etc/pam.d/system-auth: symbolic link to `system-auth-winbind'
cat /etc/pam.d/system-auth-winbind
#%PAM-1.0
# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/3.5/system-auth-winbind.pam,v 1.1 2010/03/01 16:19:54 patrick Exp $
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
account sufficient pam_winbind.so
account sufficient pam_unix.so
password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session sufficient pam_unix.so
Trust is ok:
wbinfo -t
checking the trust secret for domain SAMBATEST via RPC calls succeeded
I can authenticate the user using kerberos
kinit testuser
Password for testuser at SAMBATEST.LOCAL:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser at SAMBATEST.LOCAL
Valid starting Expires Service principal
10/20/10 12:28:11 10/20/10 19:08:11 krbtgt/SAMBATEST.LOCAL at SAMBATEST.LOCAL
And with wbinfo:
wbinfo -a testuser%abcABC123
plaintext password authentication failed
Could not authenticate user testuser%abcABC123 with plaintext password
challenge/response password authentication succeeded
When authenticating with wbinfo, the following events are logged to log.winbindd:
[2010/10/20 12:39:25.902284, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
[ 2329]: request interface version
[2010/10/20 12:39:25.902435, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[ 2329]: request location of privileged pipe
[2010/10/20 12:39:25.902626, 3] winbindd/winbindd_pam.c:818(winbindd_pam_auth)
[ 2329]: pam auth testuser
[2010/10/20 12:39:25.911435, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
[ 2329]: request interface version
[2010/10/20 12:39:25.911533, 3] winbindd/winbindd_misc.c:340(winbindd_info)
[ 2329]: request misc info
[2010/10/20 12:39:25.911628, 3] winbindd/winbindd_misc.c:373(winbindd_netbios_name)
[ 2329]: request netbios name
[2010/10/20 12:39:25.911724, 3] winbindd/winbindd_misc.c:362(winbindd_domain_name)
[ 2329]: request domain name
[2010/10/20 12:39:25.911816, 3] winbindd/winbindd_misc.c:244(winbindd_domain_info)
[ 2329]: domain_info [SAMBATEST]
[2010/10/20 12:39:25.912161, 3] winbindd/winbindd_pam.c:1768(winbindd_pam_auth_crap)
[ 2329]: pam auth crap domain: [SAMBATEST] user: testuser
But when I try to ssh into the Samba server as testuser, the
authentication fails; the winbindd log entries are:
[2010/10/20 12:41:39.712313, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
getpwnam testuser
[2010/10/20 12:41:41.208210, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
[ 6462]: request interface version
[2010/10/20 12:41:41.208378, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[ 6462]: request location of privileged pipe
[2010/10/20 12:41:41.208596, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
getpwnam testuser
[2010/10/20 12:41:41.209050, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
getpwnam testuser
[2010/10/20 12:41:55.790569, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
[ 6889]: request interface version
[2010/10/20 12:41:55.790795, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[ 6889]: request location of privileged pipe
[2010/10/20 12:41:55.791038, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
getpwnam testuser
[2010/10/20 12:41:55.795625, 3] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
getgroups testuser
[2010/10/20 12:41:55.798148, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
[ 6891]: request interface version
[2010/10/20 12:41:55.798304, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[ 6891]: request location of privileged pipe
[2010/10/20 12:41:55.798580, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
getpwnam testuser
[2010/10/20 12:41:55.799019, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
getpwnam testuser
[2010/10/20 12:41:57.789992, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
[ 6891]: request interface version
[2010/10/20 12:41:57.790115, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[ 6891]: request location of privileged pipe
[2010/10/20 12:41:57.790277, 3] winbindd/winbindd_pam.c:818(winbindd_pam_auth)
[ 6891]: pam auth testuser
[2010/10/20 12:41:57.807080, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
getpwnam testuser
[2010/10/20 12:41:59.716477, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
[ 7019]: request interface version
[2010/10/20 12:41:59.716632, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[ 7019]: request location of privileged pipe
[2010/10/20 12:41:59.716828, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
getpwnam testuser
[2010/10/20 12:41:59.717221, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
getpwnam testuser
log.wb-SAMBATEST (the name of the Windows DC) logs the following errors:
[2010/10/20 12:43:15.749729, 3] winbindd/winbindd_pam.c:1466(winbindd_dual_pam_auth)
[ 2769]: dual pam auth SAMBATEST+testuser
[2010/10/20 12:43:15.750852, 2] winbindd/winbindd_pam.c:1722(winbindd_dual_pam_auth)
Plain-text authentication for user SAMBATEST\testuser returned NT_STATUS_NO_SUCH_USER (PAM: 10)
I've tried using ssh -l testuser and ssh -l SAMBATEST+testuser; it
makes no difference to the result or the log entries.
getent passwd/group returns only local users; perhaps that is a clue as to
what is wrong?
Any suggestions would be appreciated. I've been trying to get this
working for quite a while, but I seem to have hit a wall.
Andy
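The last observation in the post (getent passwd/group returning only local users while wbinfo can see the domain) depends on two things a winbind member server needs before sshd's PAM stack can resolve a domain account: /etc/nsswitch.conf must list winbind for the passwd and group databases, and the user's uidNumber must fall inside the domain's idmap range (with that range disjoint from the range used by the tdb backend). The script below is an added example, not part of the original post and not Samba's own tooling; it parses both files with plain sh and awk. The two nsswitch.conf contents are constructed samples, the smb.conf excerpt is taken from the post, and the uidNumber values 10005 and 10050 are assumed.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba. It checks the two
# things winbind needs before getent/sshd can see domain users:
#   1. /etc/nsswitch.conf lists "winbind" for the passwd and group databases;
#   2. the user's uidNumber lies inside the domain idmap range, and that range
#      does not overlap the range used by the default tdb backend.

# Constructed nsswitch.conf samples: the first is what a host that only ever
# resolves local users typically has, the second adds winbind.
NSS_FILES_ONLY='passwd: files
group:  files
shadow: files'
NSS_WITH_WINBIND='passwd: files winbind
group:  files winbind
shadow: files'

# The idmap lines from the smb.conf in the post.
SMB_CONF='[global]
workgroup = SAMBATEST
idmap config SAMBATEST : backend = ad
idmap config SAMBATEST : range = 10000-10020
idmap config SAMBATEST : schema_mode = rfc2307
idmap backend = tdb
idmap uid = 10100-10110
idmap gid = 10100-10110'

# nss_has_winbind DB CONTENT: succeed if database DB (passwd, group, ...)
# lists the winbind source. Comment lines are skipped; "passwd:files" and
# "passwd: files winbind" both parse.
nss_has_winbind() {
    printf '%s\n' "$2" | awk -v db="$1" '
        /^[[:space:]]*#/ { next }
        {
            n = index($0, ":"); if (n == 0) next
            name = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", name)
            if (name != db) next
            m = split(substr($0, n + 1), src, " ")
            for (i = 1; i <= m; i++) if (src[i] == "winbind") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# smb_value KEY CONTENT: print the value of a global smb.conf parameter,
# comparing keys case-insensitively with whitespace collapsed.
smb_value() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[[:space:]]*[;#]/ { next }
        {
            n = index($0, "="); if (n == 0) next
            key = tolower(substr($0, 1, n - 1)); val = substr($0, n + 1)
            gsub(/[[:space:]]+/, " ", key); sub(/^ /, "", key); sub(/ $/, "", key)
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            if (key == tolower(want)) { print val; exit }
        }'
}

# uid_in_range UID LO-HI: succeed if LO <= UID <= HI.
uid_in_range() {
    lo=${2%-*}; hi=${2#*-}
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# ranges_overlap LO-HI LO-HI: succeed if the two ranges share any id.
ranges_overlap() {
    a_lo=${1%-*}; a_hi=${1#*-}; b_lo=${2%-*}; b_hi=${2#*-}
    [ "$a_lo" -le "$b_hi" ] && [ "$b_lo" -le "$a_hi" ]
}

# check_member_server DOMAIN UIDNUMBER NSS_CONTENT SMB_CONTENT: print one
# line per check and succeed only if every check passes.
check_member_server() {
    ok=0
    for db in passwd group; do
        if nss_has_winbind "$db" "$3"; then
            echo "ok   nsswitch: $db uses winbind"
        else
            echo "FAIL nsswitch: $db does not list winbind (getent shows local users only)"
            ok=1
        fi
    done
    dom_range=$(smb_value "idmap config $1 : range" "$4")
    tdb_range=$(smb_value "idmap uid" "$4")
    if uid_in_range "$2" "$dom_range"; then
        echo "ok   uidNumber $2 is inside $1 range $dom_range"
    else
        echo "FAIL uidNumber $2 is outside $1 range $dom_range (user will not map)"
        ok=1
    fi
    if ranges_overlap "$dom_range" "$tdb_range"; then
        echo "FAIL domain range $dom_range overlaps tdb range $tdb_range"
        ok=1
    else
        echo "ok   domain range $dom_range and tdb range $tdb_range are disjoint"
    fi
    return $ok
}

# Usage: run against the files-only sample and an assumed uidNumber of 10005.
check_member_server SAMBATEST 10005 "$NSS_FILES_ONLY" "$SMB_CONF" \
    || echo "=> fix nsswitch.conf / idmap ranges before retrying ssh"
```

On a real host, replace the constructed strings with `$(cat /etc/nsswitch.conf)` and `$(cat /etc/samba/smb.conf)`, and take the uidNumber from `wbinfo -i USER` (the third colon-separated field). A failing nsswitch check explains a `getent passwd` that lists only local users; a uidNumber outside the configured range explains a user that wbinfo can authenticate but getpwnam cannot map.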