[Samba] winbind when machine account is not allowed to read users from ad

Stefan Heß hess at isd.uni-stuttgart.de
Tue Dec 3 06:08:51 MST 2013


I want to use samba winbind (3.6.18 - Ubuntu) to log in to a machine
using ads. The problem I have is that the ad server (win 2008) does not
grant read access to the user list for the machine account. Only each
user can read his own entry. Due to the privacy policy this behaviour
cannot be changed.
How do I tell winbind to use the user account to look up the user and
not use the machine account?
Kerberos is working fine: kinit user@DOMAIN.NET gives a ticket.
ntlm_auth is also working:
ntlm_auth --username=USER -> NT_STATUS_OK: Success (0x0)

wbinfo -u only shows local users and old (deprecated) domain users.
wbinfo -g works normally. (groups are readable by machine accounts)

For idmap we use the rid mechanism.

Has anybody a hint how to solve this issue?

        workgroup = DOMAIN
        realm = DOMAIN.NET
        server string = %h
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = ...
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        template homedir = /home/%U
        template shell = /bin/bash
        winbind cache time = 3600
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        idmap config DOMAIN:range = 10000-999999
        idmap config DOMAIN:backend = rid
        idmap config * : range = 2000-9999
        idmap config * : backend = tdb
        valid users = %U


login[739]: pam_unix(login:auth): check pass; user unknown
login[739]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=
login[739]: pam_winbind(login:auth): [pamh: 0x190d460] ENTER: pam_sm_authenticate (flags: 0x0000)
login[739]: pam_winbind(login:auth): getting password (0x00004389)
login[739]: pam_winbind(login:auth): pam_get_item returned a password
login[739]: pam_winbind(login:auth): Verify user 'USER'
login[739]: pam_winbind(login:auth): PAM config: krb5_ccache_type 'FILE'
login[739]: pam_winbind(login:auth): [pamh: 0x190d460] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
login[739]: pam_krb5(login:auth): user ac111286 authenticated as
login[739]: pam_unix(login:account): could not identify user (from
login[739]: Authentication failure 

