[Samba] winbind when machine account is not allowed to read users from ad
Stefan Heß
hess at isd.uni-stuttgart.de
Tue Dec 3 06:08:51 MST 2013
Hi,
I want to use Samba winbind (3.6.18 - Ubuntu) to log in to a machine
using ADS. The problem I have is that the AD server (Win 2008) does not
grant read access to the user list for the machine account. Only each
user can read his own entry. Due to the privacy policy this behaviour
cannot be changed.
How do I tell winbind to use the user account to look up the user and
not the machine account?
Kerberos is working fine: kinit user@DOMAIN.NET gives a ticket.
ntlm_auth is also working:
ntlm_auth --username=USER -> NT_STATUS_OK: Success (0x0)
wbinfo -u only shows local users and old (deprecated) domain users.
wbinfo -g works normally (groups are readable by machine accounts).
For idmap we use the rid mechanism.
Does anybody have a hint on how to solve this issue?
smb.conf
[global]
workgroup = DOMAIN
realm = DOMAIN.NET
server string = %h
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = ...
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
template homedir = /home/%U
template shell = /bin/bash
winbind cache time = 3600
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
idmap config DOMAIN:range = 10000-999999
idmap config DOMAIN:backend = rid
idmap config * : range = 2000-9999
idmap config * : backend = tdb
valid users = %U
/var/log/auth.log:
login[739]: pam_unix(login:auth): check pass; user unknown
login[739]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=
login[739]: pam_winbind(login:auth): [pamh: 0x190d460] ENTER: pam_sm_authenticate (flags: 0x0000)
login[739]: pam_winbind(login:auth): getting password (0x00004389)
login[739]: pam_winbind(login:auth): pam_get_item returned a password
login[739]: pam_winbind(login:auth): Verify user 'USER'
login[739]: pam_winbind(login:auth): PAM config: krb5_ccache_type 'FILE'
login[739]: pam_winbind(login:auth): [pamh: 0x190d460] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
login[739]: pam_krb5(login:auth): user ac111286 authenticated as USER@DOMAIN.NET
login[739]: pam_unix(login:account): could not identify user (from getpwnam(USER))
login[739]: Authentication failure
Thanks
Stefan
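The auth.log excerpt above has a recognisable shape: pam_krb5 reports the password as accepted by the KDC, yet pam_winbind returns PAM_USER_UNKNOWN and pam_unix's account phase fails in getpwnam(). That is an identity-resolution failure (the account cannot be looked up through NSS/winbind), not a credential failure. The following is an added triage script, not code from the post or from Samba: it groups the log records by PID and classifies each login attempt from the pam_winbind return code, the pam_krb5 result and the getpwnam() outcome. The sample log is constructed from the post's excerpt (with one extra, constructed PID 740 showing a plain bad-password case for contrast); the regular expressions match the message formats as they appear in that excerpt and are an assumption for other PAM module versions.

```python
import re

# Constructed sample: the post's auth.log excerpt reflowed to one record per
# line, plus a constructed second session (PID 740) with a wrong password.
SAMPLE_LOG = """\
login[739]: pam_unix(login:auth): check pass; user unknown
login[739]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=
login[739]: pam_winbind(login:auth): [pamh: 0x190d460] ENTER: pam_sm_authenticate (flags: 0x0000)
login[739]: pam_winbind(login:auth): getting password (0x00004389)
login[739]: pam_winbind(login:auth): pam_get_item returned a password
login[739]: pam_winbind(login:auth): Verify user 'USER'
login[739]: pam_winbind(login:auth): PAM config: krb5_ccache_type 'FILE'
login[739]: pam_winbind(login:auth): [pamh: 0x190d460] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
login[739]: pam_krb5(login:auth): user ac111286 authenticated as USER@DOMAIN.NET
login[739]: pam_unix(login:account): could not identify user (from getpwnam(USER))
login[739]: Authentication failure
login[740]: pam_winbind(login:auth): [pamh: 0x190d460] ENTER: pam_sm_authenticate (flags: 0x0000)
login[740]: pam_winbind(login:auth): Verify user 'OTHER'
login[740]: pam_winbind(login:auth): [pamh: 0x190d460] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)
login[740]: Authentication failure
"""

# Record layout as in the excerpt: "<process>[<pid>]: <message>"
LINE_RE = re.compile(r'^(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# pam_winbind debug trace, e.g. "LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)"
WINBIND_RET_RE = re.compile(
    r'pam_winbind\((?P<svc>[^)]+)\): .*LEAVE: (?P<func>\w+) returning (?P<code>\d+) \((?P<name>\w+)\)')
# pam_krb5 success line, e.g. "user ac111286 authenticated as USER@DOMAIN.NET"
KRB5_OK_RE = re.compile(r'pam_krb5\([^)]+\): user (?P<local>\S+) authenticated as (?P<princ>\S+)')
# pam_unix account phase failing NSS lookup, e.g. "could not identify user (from getpwnam(USER))"
GETPWNAM_RE = re.compile(r'pam_unix\([^)]+\): could not identify user \(from getpwnam\((?P<user>[^)]+)\)\)')


def classify(session):
    """Derive a verdict from what the PAM modules reported for one PID."""
    wb = session['winbind']
    wb_name = wb[1] if wb else None
    if session['krb5_principal'] and wb_name == 'PAM_USER_UNKNOWN':
        # KDC accepted the password but winbind/NSS cannot resolve the account:
        # look at user lookup permissions / idmap, not at the credentials.
        return 'identity-resolution'
    if wb_name == 'PAM_AUTH_ERR':
        return 'bad-credentials'
    if wb_name == 'PAM_SUCCESS':
        return 'ok'
    return 'unclassified'


def triage(log_text):
    """Group records by PID and return {pid: {winbind, krb5_principal,
    getpwnam_failed_for, verdict}} for each login attempt seen."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m['pid'], {
            'winbind': None, 'krb5_principal': None, 'getpwnam_failed_for': None})
        msg = m['msg']
        w = WINBIND_RET_RE.search(msg)
        k = KRB5_OK_RE.search(msg)
        g = GETPWNAM_RE.search(msg)
        if w:
            s['winbind'] = (int(w['code']), w['name'])
        elif k:
            s['krb5_principal'] = k['princ']
        elif g:
            s['getpwnam_failed_for'] = g['user']
    for s in sessions.values():
        s['verdict'] = classify(s)
    return sessions


if __name__ == '__main__':
    for pid, s in sorted(triage(SAMPLE_LOG).items()):
        print(pid, s['verdict'], s)
```

Run against a real /var/log/auth.log, the script separates attempts where the directory rejected the password from attempts like the one in the post, where the password was fine and the failure sits in name-to-account resolution; the latter is where to check what the machine account is allowed to read and how winbind and idmap are configured.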