[Samba] Problem getting Samba fully working
Moe, John
jmoe at hatch.com.au
Tue Jun 28 15:35:54 MDT 2011
Sorry, it's been pointed out that the list strips attachments. Here's my smb.conf, in case it helps someone.
There are numerous howto's for this sort of thing all over the web, and trying to keep track of which bits are needed for a given setup is difficult. Maybe in all my reading, I came away with some bad assumptions, and I need to check them. Let's take FreeRadius out of the picture for the moment; I only mentioned it in case it was interfering/interacting with Samba. Basically, I'm trying to get a virtual machine on my network, with a Gentoo Linux OS, to be able to allow logins based on AD accounts, so the other network admins can administer this server, and for ntlm_auth to return success or failure of a user's authentication request (which will be needed for step 2: FreeRadius). I don't need shares, although it'd be handy so I can transfer files to and from the box.
1) To get this to work, I assumed from my reading I needed Kerberos.
2) I also assumed that "best practice" would be for this server to join the domain.
3) I assumed that tdb was the correct backend for this setup, not LDAP.
Can anyone speak to these assumptions?
-----------------------------------------------------------
[global]
add user script = /usr/local/bin/addsambauser %u
client lanman auth = no
client ntlmv2 auth = yes
client use spnego = yes
disable netbios = yes
domain master = no
encrypt passwords = yes
idmap alloc backend = tdb
# Defaults to tdb
idmap backend = tdb
idmap gid = 10000 - 99999
idmap uid = 10000 - 99999
lanman auth = no
kerberos method = system keytab
netbios name = MYSERVERNAME
ntlm auth = yes
# Defaults to tdbsam
passdb backend = tdbsam
password server = mygc.my.domain.name, mygc2.my.domain.name
preferred master = no
realm = MY.DOMAIN.NAME
security = ads
server string = %h (Samba)
template homedir = /home/%D/%U
template shell = /bin/bash
use spnego = yes
winbind enum groups = yes
winbind enum users = yes
winbind expand groups = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind use default domain = yes
workgroup = NTDOMAINNAME
[tmp]
comment = temporary files
path = /tmp
read only = yes
-----------------------------------------------------------
John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 7777
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4011
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-
> bounces at lists.samba.org] On Behalf Of Moe, John
> Sent: Tuesday, 28 June 2011 7:26 AM
> To: Samba mailing list
> Subject: Re: [Samba] Problem getting Samba fully working
>
> > -----Original Message-----
> > From: Dale Schroeder [mailto:dale at BriannasSaladDressing.com]
> > Sent: Tuesday, 28 June 2011 4:42 AM
> > To: Moe, John
> > Cc: Samba mailing list
> > Subject: Re: [Samba] Problem getting Samba fully working
> >
> > On 06/26/2011 7:14 PM, Moe, John wrote:
> > >> -----Original Message-----
> > >> From: Linda Walsh [mailto:samba at tlinx.org]
> > >> Sent: Saturday, 25 June 2011 8:02 PM
> > >> To: Moe, John
> > >> Cc: Samba mailing list
> > >> Subject: Re: Problem getting Samba fully working
> > >>
> > >> Moe, John wrote:
> > >>> Hello all,
> > >>>
> > >>> Relevant info up front: Gentoo PC, using 2.6.38 kernel and Samba
> > >> 3.4.12.
> > >>> I'm trying to get a FreeRadius instance working for our Windows
> > >> network.
> > >>> To do so, I need a Linux box running Samba. I've installed and
> > >>> configured Kerberos, Samba and FreeRadius, and can get most
> things
> > > to
> > >>> work. I can get a Kerberos key using kinit, and "sudo net ads
> > > keytab
> > >>> list" shows me tickets. I can use things like "net ads user
> myuser
> > > -
> > >> U
> > >>> myuser" to get info about my user account. I can use "sudo
> wbinfo
> > -
> > >> t"
> > >>> to show the secret trust is OK, and "sudo net ads testjoin" works
> > as
> > >>> well. I can even log on to my switch using RADIUS authentication
> > to
> > >> my
> > >>> AD account (using ntlm_auth). So a lot of the pieces are working
> > >>> correctly.
> > >>> [2011/06/21 07:12:21, 1]
> > >>> rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
> > >>> cli_pipe_validate_current_pdu: RPC fault code
> > >>> DCERPC_FAULT_ACCESS_DENIED received from host
> MYGC.my.domain.name!
> > >>>
> > >> ----
> > >> I am not sure the above messages are from your ssh... And I know
> > >> nothing about configuration with Free Radius or Kerberos, so your
> > >> problems may be completely different from ones I've had but...
> > >>
> > >>
> > >>
> > >> I take it you are running ssh on the Win7 workstation and trying
> to
> > >> login to the linux samba server.
> > >>
> > >>
> > >> if your username in the domain is 'user' (i.e. you are
> > 'domain\user'),
> > >> and your linux account is 'user',
> > >> then on the ssh line, you might try
> > >>
> > >> 'ssh user at linux-server' instead of the "normal" 'ssh linux-
> server'
> > >>
> > >> If that works, then your 'sshd' server on your linux server is
> > >> probably receiving 'domain\user' as the username, (not just
> > 'user')
> > >> and doesn't know what to do with that.
> > >>
> > >>
> > >> Theoretically should be resolvable via proper pam and config files
> > >> (all the file ops map my 'domain\user' => 'user' on the PDC),
> but,
> > >> a _*hack*_ I use (but would find a better solution in a production
> > >> environment) is to create a 2nd /etc/passwd& /etc/shadow entry
> > >> that dups my 'user' but has the username field changed to
> > >> 'DOMAIN\user'.
> > >> (getting the capitalization to agree with what the workstation
> > think's
> > >> it is, is important in this case; upper case is norm, so unless
> > you've
> > >> customized things in the win registry, shouldn't be a prob (not
> that
> > I
> > >> would have any knowledge of this, of course...)....
> > >>
> > >> But I'd try to get 'winbind' config'ed with pam to map the
> username
> > >> properly for a best fix (on my 'todo list') ... just hasn't been
> > >> that important ...
> > >>
> > >> Best short term:
> > >>
> > >> specify the username with the hostname when using the 'ssh' (or
> scp,
> > >> i.e. 'scp file user at remote:/tmp' ) ...
> > >>
> > >> In any event, using kerberos/freeradius, there should be some way
> > >> to make sure that a 'domain\user' is mapped to 'user' on a PDC...
> > >>
> > >> Or it might be the 'ssh' client that "shouldn't" be prepending the
> > >> windows domainname.... not sure.
> > >>
> > >> But hopefully gives you some ideas where to look...
> > >>
> > > Thanks for the reply. Maybe I haven't made myself clear in the
> first
> > > post. I'm not asking for any help relating to FreeRadius; I just
> > want
> > > to get basic Samba working properly. Share browsing via guest
> access
> > > works, and I get a number of other successes from other tests, but
> I
> > > can't seem to get login using AD username working, neither locally
> > nor
> > > via SSH.
> > >
> > > To get integration with a native Windows 2003 AD domain, I was to
> > > understand I needed Kerberos; was that wrong? Maybe I've
> complicated
> > > things a bit here.
> > >
> > > As to the login problem: I'm using OpenSSH on Cygwin on my Win7 PC,
> > and
> > > it doesn't matter if I try:
> > >
> > > ssh servername
> > > ssh user at servername
> > > ssh domain\user at servername
> > > ssh 'user at my.domain.name'@servername
> > >
> > > They all return the same things in /var/log/messages:
> > >
> > > Jun 27 09:58:05 servername sshd[27461]: SSH: Server;Ltype:
> > > Version;Remote: 10.73.24.60-18606;Protocol: 2.0;Client: OpenSSH_5.8
> > > Jun 27 09:58:05 servername sshd[27461]: Invalid user
> > > username at my.domain.name from 10.73.24.60 Jun 27 09:58:05 servername
> > > sshd[27463]: pam_tally2(sshd:auth):
> > > pam_get_uid; no such user
> > > Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth): check
> > pass;
> > > user unknown
> > > Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth):
> > > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
> > > mypcname.my.domain.name Jun 27 09:58:08 servername sshd[27463]:
> > > pam_winbind(sshd:auth):
> > getting
> > > password (0x00000090)
> > > Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth):
> > > pam_get_item returned a password
> > > Jun 27 09:58:09 servername sshd[27461]: error: PAM: Authentication
> > > failure for illegal user<username OR DOMAIN\\username OR
> > > username at my.domain.name> from mypcname.my.domain.name Jun 27
> > > 09:58:09 servername sshd[27461]: Failed keyboard-
> > interactive/pam
> > > for invalid user<username OR DOMAIN\\username OR
> > > username at my.domain.name> from 10.73.24.60 port 18606 ssh2 Jun 27
> > > 09:58:09 servername sshd[27464]: pam_tally2(sshd:auth):
> > > pam_get_uid; no such user
> > >
> > > And the same two lines in /var/log/samba/log.wb-DOMAINNAME:
> > >
> > > [2011/06/27 10:03:39, 1]
> > > rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
> > > cli_pipe_validate_current_pdu: RPC fault code
> > > DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
> > >
> > > Logging in via console (as 'user', 'domain/user' and
> > > 'user at my.domain.name') gives the same output in the Samba log, and
> a
> > > slightly different set of errors in /var/log/messages:
> > >
> > > Jun 27 10:06:44 servername login[1707]: pam_tally2(login:auth):
> > > pam_get_uid; no such user
> > > Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth): check
> > > pass; user unknown Jun 27 10:06:47 servername login[1707]:
> > > pam_unix(login:auth):
> > > authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2
> > ruser=
> > > rhost=
> > > Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth):
> > getting
> > > password (0x00000090)
> > > Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth):
> > > pam_get_item returned a password
> > > Jun 27 10:06:51 servername login[1707]: FAILED LOGIN (3) on
> > '/dev/tty2'
> > > FOR 'UNKNOWN', Authentication failure
> > >
> > > Does this add any useful info?
> > >
> > > John H. Moe
> > > Network Support - Hatch IT
> > >
> >
> > What options have you set in pam? Either in /etc/pam.d/sshd or
> > /etc/pam.d/common-*, you can place something like the following
> > (assuming Gentoo directory structure is like Debian):
> >
> > auth sufficient pam_winbind.so
> > account sufficient pam_winbind.so
> >
> > If you have already done so, then does getent passwd, getent group or
> > wbinfo -u, wbinfo -g return all of your AD users?
> >
> > If not, what do your winbind config options in smb.conf look like?
> >
> > Dale
>
> In Gentoo it's slightly different, but the lines you are looking for
> are in my /etc/pam.d/system-auth file, which is 'include'd in my sshd
> and login files. And in the logs above, you can see the lines from
> pam_winbind saying they're getting the password, but nothing after
> that.
> I assumed that's because of the errors in the Samba logs (also above)?
> But the point is that PAM does seem to be using winbind.
>
> Anyway, 'getent passwd' & 'getent group' both return the local files &
> domain info, and 'wbinfo -u' and 'wbinfo -g' both return, if not all,
> then quite a few of my domain users. We've got a few thousand users,
> so it'd be hard to check for them all. FWIW, it's also returning users
> in some of our trusted domains, not part of the same forest, as well;
> I'm not sure if that's normal?
>
> Also, 'wbinfo --check-trust' returns OK and 'net ads testjoin' returns
> OK, and there is a computer account for this server in my AD as well.
>
> My smb.conf is attached. Thanks for your assistance.
>
> John H. Moe
> Network Support - Hatch IT
> HATCH
> Tel: +61 (7) 3166 7777
> Direct: +61 (7) 3166 7684
> Fax: +61 (7) 3368 3754
> Mobile: +61 438 772 425
> 61 Petrie Terrace, Brisbane, Queensland Australia 4011
>
> *****************************
> NOTICE - This message from Hatch is intended only for the use of the
> individual or entity to which it is addressed and may contain
> information which is privileged, confidential or proprietary.
> Internet communications cannot be guaranteed to be secure or error-free
> as information could be intercepted, corrupted, lost, arrive late or
> contain viruses. By communicating with us via e-mail, you accept such
> risks. When addressed to our clients, any information, drawings,
> opinions or advice (collectively, "information") contained in this e-
> mail is subject to the terms and conditions expressed in the governing
> agreements. Where no such agreement exists, the recipient shall
> neither rely upon nor disclose to others, such information without our
> written consent. Unless otherwise agreed, we do not assume any
> liability with respect to the accuracy or completeness of the
> information set out in this e-mail. If you have received this message
> in error, please notify us immediately by return e-mail and destroy and
> delete the message from your computer.
More information about the samba
mailing list