[Samba] Problem getting Samba fully working
Dale Schroeder
dale at BriannasSaladDressing.com
Wed Jun 29 12:15:49 MDT 2011
On 06/28/2011 4:35 PM, Moe, John wrote:
> Sorry, it's been pointed out that the list strips attachments. Here's my smb.conf, in case it helps someone.
A few options I've never used, but overall looks fairly standard.
> There are numerous howto's for this sort of thing all over the web, and trying to keep track of which bits are needed for a given setup is difficult. Maybe in all my reading, I came away with some bad assumptions, and I need to check them. Let's take FreeRadius out of the picture for the moment; I only mentioned it in case it was interfering/interacting with Samba. Basically, I'm trying to get a virtual machine on my network, with a Gentoo Linux OS, to be able to allow logins based on AD accounts, so the other network admins can administer this server, and for ntlm_auth to return success or failure of a user's authentication request (which will be needed for step 2: FreeRadius). I don't need shares, although it'd be handy so I can transfer files to and from the box.
>
> 1) To get this to work, I assumed from my reading I needed Kerberos.
I always have since that's the MS AD way. I have never set the kerberos
method option. Don't know how that affects things.
> 2) I also assumed that "best practice" would be for this server to join the domain.
I agree.
> 3) I assumed that tdb was the correct backend for this setup, not LDAP.
That's relative to a particular preference or need. I have multiple
member servers and prefer to keep uid's and gid's in sync, so I use rid
for the idmap.
> Can anyone speak to these assumptions?
Perhaps look at pam config again. I have had default pam configs from
Debian that would not work out of the box with winbind. When that
happened, I always reverted to something simple like the example given here:
(modify to suit Gentoo, of course)
http://www.enterprisenetworkingplanet.com/netos/article.php/3502441
If simple works, you can always add other options back until it breaks.
Dale
> -----------------------------------------------------------
>
> [global]
> add user script = /usr/local/bin/addsambauser %u
> client lanman auth = no
> client ntlmv2 auth = yes
> client use spnego = yes
> disable netbios = yes
> domain master = no
> encrypt passwords = yes
> idmap alloc backend = tdb
> # Defaults to tdb
> idmap backend = tdb
> idmap gid = 10000 - 99999
> idmap uid = 10000 - 99999
> lanman auth = no
> kerberos method = system keytab
> netbios name = MYSERVERNAME
> ntlm auth = yes
> # Defaults to tdbsam
> passdb backend = tdbsam
> password server = mygc.my.domain.name, mygc2.my.domain.name
> preferred master = no
> realm = MY.DOMAIN.NAME
> security = ads
> server string = %h (Samba)
> template homedir = /home/%D/%U
> template shell = /bin/bash
> use spnego = yes
> winbind enum groups = yes
> winbind enum users = yes
> winbind expand groups = yes
> winbind nested groups = yes
> winbind refresh tickets = yes
> winbind use default domain = yes
> workgroup = NTDOMAINNAME
>
> [tmp]
> comment = temporary files
> path = /tmp
> read only = yes
>
> -----------------------------------------------------------
> John H. Moe
> Network Support - Hatch IT
> HATCH
> Tel: +61 (7) 3166 7777
> Direct: +61 (7) 3166 7684
> Fax: +61 (7) 3368 3754
> Mobile: +61 438 772 425
> 61 Petrie Terrace, Brisbane, Queensland Australia 4011
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org [mailto:samba-
>> bounces at lists.samba.org] On Behalf Of Moe, John
>> Sent: Tuesday, 28 June 2011 7:26 AM
>> To: Samba mailing list
>> Subject: Re: [Samba] Problem getting Samba fully working
>>
>>> -----Original Message-----
>>> From: Dale Schroeder [mailto:dale at BriannasSaladDressing.com]
>>> Sent: Tuesday, 28 June 2011 4:42 AM
>>> To: Moe, John
>>> Cc: Samba mailing list
>>> Subject: Re: [Samba] Problem getting Samba fully working
>>>
>>> On 06/26/2011 7:14 PM, Moe, John wrote:
>>>>> -----Original Message-----
>>>>> From: Linda Walsh [mailto:samba at tlinx.org]
>>>>> Sent: Saturday, 25 June 2011 8:02 PM
>>>>> To: Moe, John
>>>>> Cc: Samba mailing list
>>>>> Subject: Re: Problem getting Samba fully working
>>>>>
>>>>> Moe, John wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> Relevant info up front: Gentoo PC, using 2.6.38 kernel and Samba 3.4.12.
>>>>>> I'm trying to get a FreeRadius instance working for our Windows network.
>>>>>> To do so, I need a Linux box running Samba. I've installed and
>>>>>> configured Kerberos, Samba and FreeRadius, and can get most things to
>>>>>> work. I can get a Kerberos key using kinit, and "sudo net ads keytab
>>>>>> list" shows me tickets. I can use things like "net ads user myuser -U
>>>>>> myuser" to get info about my user account. I can use "sudo wbinfo -t"
>>>>>> to show the secret trust is OK, and "sudo net ads testjoin" works as
>>>>>> well. I can even log on to my switch using RADIUS authentication to my
>>>>>> AD account (using ntlm_auth). So a lot of the pieces are working
>>>>>> correctly.
>>>>>> [2011/06/21 07:12:21, 1]
>>>>>> rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
>>>>>> cli_pipe_validate_current_pdu: RPC fault code
>>>>>> DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
>>>>> ----
>>>>> I am not sure the above messages are from your ssh... And I know
>>>>> nothing about configuration with Free Radius or Kerberos, so your
>>>>> problems may be completely different from ones I've had but...
>>>>>
>>>>> I take it you are running ssh on the Win7 workstation and trying to
>>>>> login to the linux samba server.
>>>>>
>>>>> if your username in the domain is 'user' (i.e. you are 'domain\user'),
>>>>> and your linux account is 'user',
>>>>> then on the ssh line, you might try
>>>>>
>>>>> 'ssh user at linux-server' instead of the "normal" 'ssh linux-server'
>>>>> If that works, then your 'sshd' server on your linux server is
>>>>> probably receiving 'domain\user' as the username, (not just 'user')
>>>>> and doesn't know what to do with that.
>>>>>
>>>>> Theoretically should be resolvable via proper pam and config files
>>>>> (all the file ops map my 'domain\user' => 'user' on the PDC), but,
>>>>> a _*hack*_ I use (but would find a better solution in a production
>>>>> environment) is to create a 2nd /etc/passwd & /etc/shadow entry
>>>>> that dups my 'user' but has the username field changed to
>>>>> 'DOMAIN\user'.
>>>>> (getting the capitalization to agree with what the workstation thinks
>>>>> it is, is important in this case; upper case is norm, so unless you've
>>>>> customized things in the win registry, shouldn't be a prob (not that I
>>>>> would have any knowledge of this, of course...)....
>>>>>
>>>>> But I'd try to get 'winbind' config'ed with pam to map the username
>>>>> properly for a best fix (on my 'todo list') ... just hasn't been
>>>>> that important ...
>>>>>
>>>>> Best short term:
>>>>>
>>>>> specify the username with the hostname when using the 'ssh' (or scp,
>>>>> i.e. 'scp file user at remote:/tmp' ) ...
>>>>>
>>>>> In any event, using kerberos/freeradius, there should be some way
>>>>> to make sure that a 'domain\user' is mapped to 'user' on a PDC...
>>>>>
>>>>> Or it might be the 'ssh' client that "shouldn't" be prepending the
>>>>> windows domainname.... not sure.
>>>>>
>>>>> But hopefully gives you some ideas where to look...
>>>>>
>>>> Thanks for the reply. Maybe I haven't made myself clear in the first
>>>> post. I'm not asking for any help relating to FreeRadius; I just want
>>>> to get basic Samba working properly. Share browsing via guest access
>>>> works, and I get a number of other successes from other tests, but I
>>>> can't seem to get login using AD username working, neither locally nor
>>>> via SSH.
>>>>
>>>> To get integration with a native Windows 2003 AD domain, I was to
>>>> understand I needed Kerberos; was that wrong? Maybe I've complicated
>>>> things a bit here.
>>>>
>>>> As to the login problem: I'm using OpenSSH on Cygwin on my Win7 PC, and
>>>> it doesn't matter if I try:
>>>>
>>>> ssh servername
>>>> ssh user at servername
>>>> ssh domain\user at servername
>>>> ssh 'user at my.domain.name'@servername
>>>>
>>>> They all return the same things in /var/log/messages:
>>>>
>>>> Jun 27 09:58:05 servername sshd[27461]: SSH: Server;Ltype: Version;Remote: 10.73.24.60-18606;Protocol: 2.0;Client: OpenSSH_5.8
>>>> Jun 27 09:58:05 servername sshd[27461]: Invalid user username at my.domain.name from 10.73.24.60
>>>> Jun 27 09:58:05 servername sshd[27463]: pam_tally2(sshd:auth): pam_get_uid; no such user
>>>> Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth): check pass; user unknown
>>>> Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mypcname.my.domain.name
>>>> Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth): getting password (0x00000090)
>>>> Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth): pam_get_item returned a password
>>>> Jun 27 09:58:09 servername sshd[27461]: error: PAM: Authentication failure for illegal user <username OR DOMAIN\\username OR username at my.domain.name> from mypcname.my.domain.name
>>>> Jun 27 09:58:09 servername sshd[27461]: Failed keyboard-interactive/pam for invalid user <username OR DOMAIN\\username OR username at my.domain.name> from 10.73.24.60 port 18606 ssh2
>>>> Jun 27 09:58:09 servername sshd[27464]: pam_tally2(sshd:auth): pam_get_uid; no such user
>>>>
>>>> And the same two lines in /var/log/samba/log.wb-DOMAINNAME:
>>>>
>>>> [2011/06/27 10:03:39, 1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
>>>> cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
>>>>
>>>> Logging in via console (as 'user', 'domain/user' and
>>>> 'user at my.domain.name') gives the same output in the Samba log, and a
>>>> slightly different set of errors in /var/log/messages:
>>>>
>>>> Jun 27 10:06:44 servername login[1707]: pam_tally2(login:auth): pam_get_uid; no such user
>>>> Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth): check pass; user unknown
>>>> Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=
>>>> Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth): getting password (0x00000090)
>>>> Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth): pam_get_item returned a password
>>>> Jun 27 10:06:51 servername login[1707]: FAILED LOGIN (3) on '/dev/tty2' FOR 'UNKNOWN', Authentication failure
>>>>
>>>> Does this add any useful info?
>>>>
>>>> John H. Moe
>>>> Network Support - Hatch IT
>>>>
>>> What options have you set in pam? Either in /etc/pam.d/sshd or
>>> /etc/pam.d/common-*, you can place something like the following
>>> (assuming Gentoo directory structure is like Debian):
>>>
>>> auth sufficient pam_winbind.so
>>> account sufficient pam_winbind.so
>>>
>>> If you have already done so, then does getent passwd, getent group or
>>> wbinfo -u, wbinfo -g return all of your AD users?
>>>
>>> If not, what do your winbind config options in smb.conf look like?
>>>
>>> Dale
>> In Gentoo it's slightly different, but the lines you are looking for
>> are in my /etc/pam.d/system-auth file, which is 'include'd in my sshd
>> and login files. And in the logs above, you can see the lines from
>> pam_winbind saying they're getting the password, but nothing after
>> that.
>> I assumed that's because of the errors in the Samba logs (also above)?
>> But the point is that PAM does seem to be using winbind.
>>
>> Anyway, 'getent passwd' & 'getent group' both return the local files &
>> domain info, and 'wbinfo -u' and 'wbinfo -g' both return, if not all,
>> then quite a few of my domain users. We've got a few thousand users,
>> so it'd be hard to check for them all. FWIW, it's also returning users
>> in some of our trusted domains, not part of the same forest, as well;
>> I'm not sure if that's normal?
>>
>> Also, 'wbinfo --check-trust' returns OK and 'net ads testjoin' returns
>> OK, and there is a computer account for this server in my AD as well.
>>
>> My smb.conf is attached. Thanks for your assistance.
>>
>> John H. Moe
>> Network Support - Hatch IT
>> HATCH
>> Tel: +61 (7) 3166 7777
>> Direct: +61 (7) 3166 7684
>> Fax: +61 (7) 3368 3754
>> Mobile: +61 438 772 425
>> 61 Petrie Terrace, Brisbane, Queensland Australia 4011
>>
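A small triage helper for the failure pattern quoted in this thread (an added example, not code from the list or from any poster): it reads constructed copies of the /var/log/messages and log.wb-* lines, notes that sshd's "Invalid user" and pam_tally2's "no such user" mean the name never resolved through NSS before pam_winbind was even asked, and maps that onto the checks Dale and John already ran (getent, wbinfo -t, net ads testjoin).

```python
import re

# Constructed sample input modelled on the lines John quoted; not the real logs.
SAMPLE_MESSAGES = """\
Jun 27 09:58:05 servername sshd[27461]: Invalid user username@my.domain.name from 10.73.24.60
Jun 27 09:58:05 servername sshd[27463]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth): check pass; user unknown
Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth): getting password (0x00000090)
Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 27 09:58:09 servername sshd[27461]: Failed keyboard-interactive/pam for invalid user username@my.domain.name from 10.73.24.60 port 18606 ssh2
"""
SAMPLE_WINBIND_LOG = """\
[2011/06/27 10:03:39, 1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
"""

# Strings that mean NSS (getpwnam) returned nothing for the name sshd/login was given.
NSS_MISS = ("pam_get_uid; no such user", "check pass; user unknown")

def triage(messages, winbind_log):
    """Extract the facts the two logs establish; keys are consumed by recommend()."""
    f = {"users": [], "nss_unknown": False, "winbind_reached": False, "rpc_fault_host": None}
    for line in messages.splitlines():
        m = re.search(r"[Ii]nvalid user (\S+) from", line)
        if m:  # sshd logs this when the name is not resolvable through NSS at all
            f["nss_unknown"] = True
            if m.group(1) not in f["users"]:
                f["users"].append(m.group(1))
        if any(s in line for s in NSS_MISS):
            f["nss_unknown"] = True
        if "pam_winbind(" in line:  # the PAM stack did reach pam_winbind
            f["winbind_reached"] = True
    m = re.search(r"RPC fault code (\w+) received from host ([^\s!]+)", winbind_log)
    if m and m.group(1) == "DCERPC_FAULT_ACCESS_DENIED":
        f["rpc_fault_host"] = m.group(2)
    return f

def recommend(f):
    """Map the findings onto the checks suggested in the thread, most basic first."""
    steps = []
    if f["nss_unknown"]:
        steps.append("NSS cannot resolve the user: run 'getent passwd <name>' for each form tried ("
                     + ", ".join(f["users"]) + ") and confirm winbind is on the passwd/group lines of nsswitch.conf")
    if f["winbind_reached"] and f["nss_unknown"]:
        steps.append("pam_winbind is in the PAM stack, so the first failure is name resolution, not PAM")
    if f["rpc_fault_host"]:
        steps.append("winbindd got ACCESS_DENIED from " + f["rpc_fault_host"]
                     + ": recheck 'wbinfo -t' and 'net ads testjoin' before touching PAM further")
    return steps
```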