[Samba] Problem getting Samba fully working
Dale Schroeder
dale at BriannasSaladDressing.com
Mon Jun 27 12:41:50 MDT 2011
On 06/26/2011 7:14 PM, Moe, John wrote:
>> -----Original Message-----
>> From: Linda Walsh [mailto:samba at tlinx.org]
>> Sent: Saturday, 25 June 2011 8:02 PM
>> To: Moe, John
>> Cc: Samba mailing list
>> Subject: Re: Problem getting Samba fully working
>>
>> Moe, John wrote:
>>> Hello all,
>>>
>>> Relevant info up front: Gentoo PC, using 2.6.38 kernel and Samba
>> 3.4.12.
>>> I'm trying to get a FreeRadius instance working for our Windows
>> network.
>>> To do so, I need a Linux box running Samba. I've installed and
>>> configured Kerberos, Samba and FreeRadius, and can get most things
> to
>>> work. I can get a Kerberos key using kinit, and "sudo net ads
> keytab
>>> list" shows me tickets. I can use things like "net ads user myuser
> -
>> U
>>> myuser" to get info about my user account. I can use "sudo wbinfo -
>> t"
>>> to show the secret trust is OK, and "sudo net ads testjoin" works as
>>> well. I can even log on to my switch using RADIUS authentication to
>> my
>>> AD account (using ntlm_auth). So a lot of the pieces are working
>>> correctly.
>>> [2011/06/21 07:12:21, 1]
>>> rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
>>> cli_pipe_validate_current_pdu: RPC fault code
>>> DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
>>>
>> ----
>> I am not sure the above messages are from your
>> ssh... And I know nothing about configuration with Free Radius or
>> Kerberos, so your problems may be completely different from ones
>> I've had but...
>>
>>
>>
>> I take it you are running ssh on the Win7 workstation and trying to
>> login to the linux samba server.
>>
>>
>> if your username in the domain is 'user' (i.e. you are 'domain\user'),
>> and your linux account is 'user',
>> then on the ssh line, you might try
>>
>> 'ssh user at linux-server' instead of the "normal" 'ssh linux-server'
>>
>> If that works, then your 'sshd' server on your linux server
>> is probably receiving 'domain\user' as the username, (not just 'user')
>> and doesn't know what to do with that.
>>
>>
>> Theoretically should be resolvable via proper pam and config files
>> (all the file ops map my 'domain\user' => 'user' on the PDC), but,
>> a _*hack*_ I use (but would find a better solution in a production
>> environment) is to create a 2nd /etc/passwd& /etc/shadow entry
>> that dups my 'user' but has the username field changed to
>> 'DOMAIN\user'.
>> (getting the capitalization to agree with what the workstation think's
>> it is, is important in this case; upper case is norm, so unless you've
>> customized things in the win registry, shouldn't be a prob (not that I
>> would have any knowledge of this, of course...)....
>>
>> But I'd try to get 'winbind' config'ed with pam to map the username
>> properly for a best fix (on my 'todo list') ... just hasn't
>> been that important ...
>>
>> Best short term:
>>
>> specify the username with the hostname when using the 'ssh' (or scp,
>> i.e. 'scp file user at remote:/tmp' ) ...
>>
>> In any event, using kerberos/freeradius, there should be some way
>> to make sure that a 'domain\user' is mapped to 'user' on a PDC...
>>
>> Or it might be the 'ssh' client that "shouldn't" be prepending the
>> windows domainname.... not sure.
>>
>> But hopefully gives you some ideas where to look...
>>
> Thanks for the reply. Maybe I haven't made myself clear in the first
> post. I'm not asking for any help relating to FreeRadius; I just want
> to get basic Samba working properly. Share browsing via guest access
> works, and I get a number of other successes from other tests, but I
> can't seem to get login using AD username working, neither locally nor
> via SSH.
>
> To get integration with a native Windows 2003 AD domain, I was to
> understand I needed Kerberos; was that wrong? Maybe I've complicated
> things a bit here.
>
> As to the login problem: I'm using OpenSSH on Cygwin on my Win7 PC, and
> it doesn't matter if I try:
>
> ssh servername
> ssh user at servername
> ssh domain\user at servername
> ssh 'user at my.domain.name'@servername
>
> They all return the same things in /var/log/messages:
>
> Jun 27 09:58:05 servername sshd[27461]: SSH: Server;Ltype:
> Version;Remote: 10.73.24.60-18606;Protocol: 2.0;Client: OpenSSH_5.8
> Jun 27 09:58:05 servername sshd[27461]: Invalid user
> username at my.domain.name from 10.73.24.60
> Jun 27 09:58:05 servername sshd[27463]: pam_tally2(sshd:auth):
> pam_get_uid; no such user
> Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth): check pass;
> user unknown
> Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
> mypcname.my.domain.name
> Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth): getting
> password (0x00000090)
> Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth):
> pam_get_item returned a password
> Jun 27 09:58:09 servername sshd[27461]: error: PAM: Authentication
> failure for illegal user<username OR DOMAIN\\username OR
> username at my.domain.name> from mypcname.my.domain.name
> Jun 27 09:58:09 servername sshd[27461]: Failed keyboard-interactive/pam
> for invalid user<username OR DOMAIN\\username OR
> username at my.domain.name> from 10.73.24.60 port 18606 ssh2
> Jun 27 09:58:09 servername sshd[27464]: pam_tally2(sshd:auth):
> pam_get_uid; no such user
>
> And the same two lines in /var/log/samba/log.wb-DOMAINNAME:
>
> [2011/06/27 10:03:39, 1]
> rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
> cli_pipe_validate_current_pdu: RPC fault code
> DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
>
> Logging in via console (as 'user', 'domain/user' and
> 'user at my.domain.name') gives the same output in the Samba log, and a
> slightly different set of errors in /var/log/messages:
>
> Jun 27 10:06:44 servername login[1707]: pam_tally2(login:auth):
> pam_get_uid; no such user
> Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth): check
> pass; user unknown
> Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth):
> authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser=
> rhost=
> Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth): getting
> password (0x00000090)
> Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth):
> pam_get_item returned a password
> Jun 27 10:06:51 servername login[1707]: FAILED LOGIN (3) on '/dev/tty2'
> FOR 'UNKNOWN', Authentication failure
>
> Does this add any useful info?
>
> John H. Moe
> Network Support - Hatch IT
>
What options have you set in pam? Either in /etc/pam.d/sshd or
/etc/pam.d/common-*, you can place something like the following
(assuming Gentoo directory structure is like Debian):
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
If you have already done so, then does getent passwd, getent group or
wbinfo -u, wbinfo -g return all of your AD users?
If not, what do your winbind config options in smb.conf look like?
Dale
More information about the samba
mailing list