[Samba] Problem getting Samba fully working

Linda Walsh samba at tlinx.org
Sat Jun 25 04:01:51 MDT 2011

Moe, John wrote:
> Hello all,
> Relevant info up front: Gentoo PC, using 2.6.38 kernel and Samba 3.4.12.
> I'm trying to get a FreeRadius instance working for our Windows network.
> To do so, I need a Linux box running Samba.  I've installed and
> configured Kerberos, Samba and FreeRadius, and can get most things to
> work.  I can get a Kerberos key using kinit, and "sudo net ads keytab
> list" shows me tickets.  I can use things like "net ads user myuser -U
> myuser" to get info about my user account.  I can use "sudo wbinfo -t"
> to show the secret trust is OK, and "sudo net ads testjoin" works as
> well.  I can even log on to my switch using RADIUS authentication to my
> AD account (using ntlm_auth).  So a lot of the pieces are working
> correctly.

> [2011/06/21 07:12:21,  1]
> rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
>   cli_pipe_validate_current_pdu: RPC fault code
> DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!

	I am not sure the above messages are from your
ssh...  And I know nothing about configuration with Free Radius or
Kerberos, so your problems may be completely different from ones
I've had but...

I take it you are running ssh on the Win7 workstation and trying to
login to the linux samba server.

if your username in the domain is 'user' (i.e. you are 'domain\user'),
and your linux account is 'user', 
then on the ssh line, you might try

'ssh user at linux-server'  instead of the "normal" 'ssh linux-server'

If that works, then your 'sshd' server on your linux server
is probably receiving 'domain\user' as the username, (not just 'user')
and doesn't know what to do with that.

Theoretically should be resolvable via proper pam and config files 
(all the file ops map my 'domain\user' => 'user' on the PDC), but, 
a _*hack*_ I use (but would find a better solution in a production
environment) is to create a 2nd /etc/passwd & /etc/shadow entry
that dups my 'user' but has the username field changed to 'DOMAIN\user'.
(getting the capitalization to agree with what the workstation think's 
it is, is important in this case; upper case is norm, so unless you've
customized things in the win registry, shouldn't be a prob (not that I
would have any knowledge of this, of course...)....

But I'd try to get 'winbind' config'ed with pam to map the username
properly for a best fix (on my 'todo list') ... just hasn't
been that important ...

Best short term:

specify the username with the hostname when using the 'ssh' (or scp, 
i.e. 'scp file user at remote:/tmp' ) ...

In any event, using kerberos/freeradius, there should be some way
to make sure that a 'domain\user' is mapped to 'user' on a PDC...

Or it might be the 'ssh' client that "shouldn't" be prepending the 
windows domainname....  not sure.

But hopefully gives you some ideas where to look...

More information about the samba mailing list