[Samba] Samba4 Winbind on DC Authentication problem
steve at steve-ss.com
Wed Dec 4 01:09:43 MST 2013
On Tue, 2013-12-03 at 18:43 -0500, Ron García-Vidal wrote:
> So, I've finally gotten around to installing a Samba4 AD DC. I've
> joined a Win7 and Ubuntu machine to the domain so far, and all works
> perfectly. Great job guys, it's nice to see this functionality working
> solidly on Samba!
> The problem is coming in on the actual DC host. My Ubuntu laptop is
> running winbindd 3.6.18, and as I said, all went flawlessly. The DC
> host is running Debian Wheezy (7.2) and I installed Samba 4.1.2 from the
> source tarball.
> I have followed the guide here:
> Including symlinking the libnss_winbind.so and pam_winbind.so to their
> proper locations. wbinfo -u/g and getent passwd/group are working fine,
> as is the id command. Here are the problems:
> 1) getent passwd/group are returning DOMAIN+username, even though I have
> specified winbind use default domain = yes in smb.conf. Not a huge
> deal, but it would be neater to see just username in single-domain
If you want only the user without the DOMAIN\ bit, then nss-ldapd and sssd
give exactly that. winbind use default domain doesn't work on the DC
here either unless you use the default separator '\'.
> 2) I have specified rid backend, but the UID mapping is still showing as
> the default algorithm. I had changed it to rid after I had already done
> a getent passwd using the defaults. Is this just a matter of clearing
> the mappings so it can re-assign them? I did try deleting the mapping
> for 1 user via ldbedit, but it came back with the same number
> afterward. The rid mapping is working as expected on the Ubuntu/Samba
> 3.6.18 machine.
> (On a side note, what is the current best-practice for consistent UID
> mapping, since my google hunting seems to indicate rid isn't the best?)
Consistent uid:gid is one of the most important issues and is the
subject of many posts and problems on this list. If you read through the
archives you'll see a very strong move to recommend that you store
rfc2307 in AD and not in a separate database. If you then pull the
attributes you can be certain that they are consistent, since they can
only be read from a single database. Introduce a second db based on the
rid and you are asking for trouble. If the attributes are in AD then
they will even survive replication if, say, a DC fails.
> 3) Most importantly, I'm getting authentication failures when logging
> into the machine. I can log on as userx with password xyz from my
> Ubuntu box, and I can access the server and all its shares from my
> windows box, so I know the user is authenticating properly with that
> password. If, as root, I su - userx it works fine, and the id and
> whoami commands work as expected (with the DOMAIN portion appearing, of
> But if I try to login, both as userx and DOMAIN+userx, I get
> "Authentication failure" in auth.log. I get the same error when trying
> to log in via ssh.
> I am only assuming pam_winbind is working properly, and the
> account/session portions are behaving correctly, it's the auth that
> seems to be the problem.
> Any ideas?
This looks like a pam problem. Have you added winbind to pam? If so,
where is it? Can you post your stack? Especially common-auth
> Thanks again for the great work to the Samba team!
> Ron García-Vidal | President | Riomar Group (A NYC & NYS Certified MBE)
> 1315 Prospect Ave., First Floor | Brooklyn, NY 11218
> 2655 Le Jeune Road, Suite 915 | Coral Gables, FL 33134
> (347) 746-6276 | http://www.riomargroup.com
> ron at riomargroup.com
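Steve asks for the auth part of the PAM stack because the symptom (su from root works, but login and ssh fail with "Authentication failure") is what you get when pam_winbind.so is never reached for the auth phase, or when a pam_unix.so line marked required/requisite fails first for a user who has no local password. The script below is an added example, not code from the thread or from the Samba project: it checks a Debian-style /etc/pam.d/common-auth for those two mistakes. The three stacks it reads are constructed here for the example; the "good" one follows the layout pam-auth-update writes when the winbind profile is enabled (the jump counts in the [success=N default=ignore] controls and the krb5_auth/cached_login options are the assumed Debian defaults, not something taken from the original post).

```shell
#!/bin/sh
# check_pam_auth FILE
# Returns 0 when the "auth" stack in FILE can authenticate a winbind-only user:
#   * pam_winbind.so appears as an auth module before pam_deny.so
#     (anything after the requisite pam_deny.so is never reached), and
#   * no pam_unix.so auth line placed before it is "required" or "requisite"
#     (a domain user has no local hash, so such a line fails the whole stack).
check_pam_auth() {
    _file=$1
    _winbind=0 _deny=0 _unix_blocks=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}            # drop comments
        set -f                        # no globbing while splitting the line
        set -- $_line
        set +f
        [ $# -ge 3 ] || continue      # type control module
        [ "$1" = auth ] || continue
        shift
        _control=$1; shift
        # bracketed controls such as [success=1 default=ignore] span several words
        case "$_control" in
            \[*) while [ $# -gt 1 ]; do
                     case "$_control" in *\]) break ;; esac
                     _control="$_control $1"; shift
                 done ;;
        esac
        _module=$1
        case "$_module" in
            pam_winbind.so) if [ "$_deny" -eq 0 ]; then _winbind=1; fi ;;
            pam_deny.so)    _deny=1 ;;
            pam_unix.so)
                if [ "$_winbind" -eq 0 ]; then
                    case "$_control" in required|requisite) _unix_blocks=1 ;; esac
                fi ;;
        esac
    done < "$_file"
    [ "$_winbind" -eq 1 ] && [ "$_unix_blocks" -eq 0 ]
}

# --- constructed sample stacks (written to temp files so the checker takes a path,
#     exactly as it would take /etc/pam.d/common-auth) ---
PAM_GOOD=$(mktemp); PAM_BAD_AFTER_DENY=$(mktemp); PAM_BAD_REQ=$(mktemp)

# Assumed pam-auth-update output with the winbind profile enabled:
# pam_unix skips over winbind and deny on success, winbind skips deny on success.
cat > "$PAM_GOOD" <<'EOF'
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
EOF

# Mistake 1: pam_winbind appended at the end, below the requisite pam_deny.
cat > "$PAM_BAD_AFTER_DENY" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    required                        pam_winbind.so
EOF

# Mistake 2: a hand-written stack where pam_unix is "required", so a
# domain user without a local hash fails the stack even though winbind succeeds.
cat > "$PAM_BAD_REQ" <<'EOF'
auth    required    pam_unix.so
auth    required    pam_winbind.so
EOF

for f in "$PAM_GOOD" "$PAM_BAD_AFTER_DENY" "$PAM_BAD_REQ"; do
    if check_pam_auth "$f"; then
        echo "$f: pam_winbind reachable, domain users can authenticate"
    else
        echo "$f: domain users will get 'Authentication failure'"
    fi
done
```

Run it against the real file with `check_pam_auth /etc/pam.d/common-auth` after sourcing the script; the su-from-root case passes regardless because root's su does not go through the auth phase, which is why only login and ssh show the failure.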