[Samba] Problem getting Samba fully working

[Moe, John]

> -----Original Message-----
> From: Linda Walsh [mailto:samba at tlinx.org]
> Sent: Saturday, 25 June 2011 8:02 PM
> To: Moe, John
> Cc: Samba mailing list
> Subject: Re: Problem getting Samba fully working
> 
> Moe, John wrote:
> > Hello all,
> >
> > Relevant info up front: Gentoo PC, using 2.6.38 kernel and Samba
> 3.4.12.
> >
> > I'm trying to get a FreeRadius instance working for our Windows
> network.
> > To do so, I need a Linux box running Samba.  I've installed and
> > configured Kerberos, Samba and FreeRadius, and can get most things
to
> > work.  I can get a Kerberos key using kinit, and "sudo net ads
keytab
> > list" shows me tickets.  I can use things like "net ads user myuser
-
> U
> > myuser" to get info about my user account.  I can use "sudo wbinfo -
> t"
> > to show the secret trust is OK, and "sudo net ads testjoin" works as
> > well.  I can even log on to my switch using RADIUS authentication to
> my
> > AD account (using ntlm_auth).  So a lot of the pieces are working
> > correctly.
> 
> > [2011/06/21 07:12:21,  1]
> > rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
> >   cli_pipe_validate_current_pdu: RPC fault code
> > DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
> >
> 
> ----
> 	I am not sure the above messages are from your
> ssh...  And I know nothing about configuration with Free Radius or
> Kerberos, so your problems may be completely different from ones
> I've had but...
> 
> 
> 
> I take it you are running ssh on the Win7 workstation and trying to
> login to the linux samba server.
> 
> 
> if your username in the domain is 'user' (i.e. you are 'domain\user'),
> and your linux account is 'user',
> then on the ssh line, you might try
> 
> 'ssh user at linux-server'  instead of the "normal" 'ssh linux-server'
> 
> If that works, then your 'sshd' server on your linux server
> is probably receiving 'domain\user' as the username, (not just 'user')
> and doesn't know what to do with that.
> 
> 
> Theoretically should be resolvable via proper pam and config files
> (all the file ops map my 'domain\user' => 'user' on the PDC), but,
> a _*hack*_ I use (but would find a better solution in a production
> environment) is to create a 2nd /etc/passwd & /etc/shadow entry
> that dups my 'user' but has the username field changed to
> 'DOMAIN\user'.
> (getting the capitalization to agree with what the workstation think's
> it is, is important in this case; upper case is norm, so unless you've
> customized things in the win registry, shouldn't be a prob (not that I
> would have any knowledge of this, of course...)....
> 
> But I'd try to get 'winbind' config'ed with pam to map the username
> properly for a best fix (on my 'todo list') ... just hasn't
> been that important ...
> 
> Best short term:
> 
> specify the username with the hostname when using the 'ssh' (or scp,
> i.e. 'scp file user at remote:/tmp' ) ...
> 
> In any event, using kerberos/freeradius, there should be some way
> to make sure that a 'domain\user' is mapped to 'user' on a PDC...
> 
> Or it might be the 'ssh' client that "shouldn't" be prepending the
> windows domainname....  not sure.
> 
> But hopefully gives you some ideas where to look...
> 

Thanks for the reply.  Maybe I haven't made myself clear in the first
post.  I'm not asking for any help relating to FreeRadius; I just want
to get basic Samba working properly.  Share browsing via guest access
works, and I get a number of other successes from other tests, but I
can't seem to get login using AD username working, neither locally nor
via SSH.

To get integration with a native Windows 2003 AD domain, I was to
understand I needed Kerberos; was that wrong?  Maybe I've complicated
things a bit here.

As to the login problem: I'm using OpenSSH on Cygwin on my Win7 PC, and
it doesn't matter if I try:

ssh servername
ssh user at servername
ssh domain\user at servername
ssh 'user at my.domain.name'@servername

They all return the same things in /var/log/messages:

Jun 27 09:58:05 servername sshd[27461]: SSH: Server;Ltype:
Version;Remote: 10.73.24.60-18606;Protocol: 2.0;Client: OpenSSH_5.8
Jun 27 09:58:05 servername sshd[27461]: Invalid user
username at my.domain.name from 10.73.24.60
Jun 27 09:58:05 servername sshd[27463]: pam_tally2(sshd:auth):
pam_get_uid; no such user
Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth): check pass;
user unknown
Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
mypcname.my.domain.name 
Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth): getting
password (0x00000090)
Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth):
pam_get_item returned a password
Jun 27 09:58:09 servername sshd[27461]: error: PAM: Authentication
failure for illegal user <username OR DOMAIN\\username OR
username at my.domain.name> from mypcname.my.domain.name
Jun 27 09:58:09 servername sshd[27461]: Failed keyboard-interactive/pam
for invalid user <username OR DOMAIN\\username OR
username at my.domain.name> from 10.73.24.60 port 18606 ssh2
Jun 27 09:58:09 servername sshd[27464]: pam_tally2(sshd:auth):
pam_get_uid; no such user

And the same two lines in /var/log/samba/log.wb-DOMAINNAME:

[2011/06/27 10:03:39,  1]
rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code
DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!

Logging in via console (as 'user', 'domain/user' and
'user at my.domain.name') gives the same output in the Samba log, and a
slightly different set of errors in /var/log/messages:

Jun 27 10:06:44 servername login[1707]: pam_tally2(login:auth):
pam_get_uid; no such user
Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth): check
pass; user unknown
Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth):
authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser=
rhost= 
Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth): getting
password (0x00000090)
Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth):
pam_get_item returned a password
Jun 27 10:06:51 servername login[1707]: FAILED LOGIN (3) on '/dev/tty2'
FOR 'UNKNOWN', Authentication failure

Does this add any useful info?

John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 7777
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4011
*****************************
NOTICE - This message from Hatch is intended only for the use of the individual or entity to which it is addressed and may contain information which is privileged, confidential or proprietary. 
Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. By communicating with us via e-mail, you accept such risks.  When addressed to our clients, any information, drawings, opinions or advice (collectively, "information") contained in this e-mail is subject to the terms and conditions expressed in the governing agreements.  Where no such agreement exists, the recipient shall neither rely upon nor disclose to others, such information without our written consent.  Unless otherwise agreed, we do not assume any liability with respect to the accuracy or completeness of the information set out in this e-mail.  If you have received this message in error, please notify us immediately by return e-mail and destroy and delete the message from your computer.