[Samba] Samba4 Winbind on DC Authentication problem
Ron García-Vidal
ron at riomargroup.com
Tue Dec 3 16:43:28 MST 2013
So, I've finally gotten around to installing a Samba4 AD DC. I've
joined a Win7 and Ubuntu machine to the domain so far, and all works
perfectly. Great job guys, it's nice to see this functionality working
solidly on Samba!
The problem is coming in on the actual DC host. My Ubuntu laptop is
running winbindd 3.6.18, and as I said, all went flawlessly. The DC
host is running Debian Wheezy (7.2) and I installed Samba 4.1.2 from the
source tarball.
I have followed the guide here:
https://wiki.samba.org/index.php/Samba4/Winbind
Including symlinking the libnss_winbind.so and pam_winbind.so to their
proper locations. wbinfo -u/g and getent passwd/group are working fine,
as is the id command. Here are the problems:
1) getent passwd/group are returning DOMAIN+username, even though I have
specified winbind use default domain = yes in smb.conf. Not a huge
deal, but it would be neater to see just username in single-domain
environments.
2) I have specified rid backend, but the UID mapping is still showing as
the default algorithm. I had changed it to rid after I had already done
a getent passwd using the defaults. Is this just a matter of clearing
the mappings so it can re-assign them? I did try deleting the mapping
for 1 user via ldbedit, but it came back with the same number
afterward. The rid mapping is working as expected on the Ubuntu/Samba
3.6.18 machine.
(On a side note, what is the current best practice for consistent UID
mapping, since my Google hunting seems to indicate rid isn't the best?)
3) Most importantly, I'm getting authentication failures when logging
into the machine. I can log on as userx with password xyz from my
Ubuntu box, and I can access the server and all its shares from my
windows box, so I know the user is authenticating properly with that
password. If, as root, I su - userx it works fine, and the id and
whoami commands work as expected (with the DOMAIN portion appearing, of
course).
But if I try to log in, both as userx and DOMAIN+userx, I get
"Authentication failure" in auth.log. I get the same error when trying
to log in via ssh.
I am only assuming pam_winbind is working properly, and the
account/session portions are behaving correctly; it's the auth that
seems to be the problem.
Any ideas?
Thanks again for the great work to the Samba team!
-Ron
--
Ron García-Vidal | President | Riomar Group (A NYC & NYS Certified MBE)
1315 Prospect Ave., First Floor | Brooklyn, NY 11218
2655 Le Jeune Road, Suite 915 | Coral Gables, FL 33134
(347) 746-6276 | www.riomargroup.com <http://www.riomargroup.com>
ron at riomargroup.com