[Samba] Samba4 Winbind on DC Authentication problem

steve steve at steve-ss.com
Wed Dec 4 01:09:43 MST 2013

On Tue, 2013-12-03 at 18:43 -0500, Ron García-Vidal wrote:
> So, I've finally gotten around to installing a Samba4 AD DC.  I've 
> joined a Win7 and Ubuntu machine to the domain so far, and all works 
> perfectly.  Great job guys, it's nice to see this functionality working 
> solidly on Samba!
> The problem is coming in on the actual DC host.  My Ubuntu laptop is 
> running winbindd 3.6.18, and as I said, all went flawlessly.  The DC 
> host is running Debian Wheezy (7.2) and I installed Samba 4.1.2 from the 
> source tarball.
> I have followed the guide here:
> https://wiki.samba.org/index.php/Samba4/Winbind
> Including symlinking the libnss_winbind.so and pam_winbind.so to their 
> proper locations.  wbinfo -u/g and getent passwd/group are working fine, 
> as is the id command.  Here are the problems:
> 1) getent passwd/group are returning DOMAIN+username, even though I have 
> specified winbind use default domain = yes in smb.conf.  Not a huge 
> deal, but it would be neater to see just username in single-domain 
> environments.
If you want only the user without the DOMAIN\ bit then nss-ldapd and sssd
give exactly that. winbind use default domain doesn't work on the DC
here either unless you use the default separator '\'.
> 2) I have specified rid backend, but the UID mapping is still showing as 
> the default algorithm.  I had changed it to rid after I had already done 
> a getent passwd using the defaults.  Is this just a matter of clearing 
> the mappings so it can re-assign them?  I did try deleting the mapping 
> for 1 user via ldbedit, but it came back with the same number 
> afterward.  The rid mapping is working as expected on the Ubuntu/Samba 
> 3/6/18 machine.
>   (On a side note, what is the current best-practice for consistent UID 
> mapping, since my google hunting seems to indicate rid isn't the best?)

Consistent uid:gid is one of the most important issues and is the
subject of many posts and problems on this list. If you read through the
archives you'll see a very strong move to recommend that you store
rfc2307 in AD and not in a separate database. If you then pull the
attributes you can be certain that they are consistent since they can
only be read from a single database. Introduce a second db based on the
rid and you are asking for trouble. If the attributes are in AD then
they will even survive replication if, say a DC fails.
> 3) Most importantly, I'm getting authentication failures when logging 
> into the machine.  I can log on as userx with password xyz from my 
> Ubuntu box, and I can access the server and all its shares from my 
> windows box, so I know the user is authenticating properly with that 
> password.  If, as root, I su - userx it works fine, and the id and 
> whoami commands work as expected (with the DOMAIN portion appearing, of 
> course).
> But if I try to login, both as userx and DOMAIN+userx, I get 
> "Authentication failure" in auth.log.  I get the same error when trying 
> to log in via ssh.
> I am only assuming pam_winbind is working properly, and the 
> account/session portions are behaving correctly, it's the auth that 
> seems to be the problem.
> Any ideas?
This looks like a pam problem. Have you added winbind to pam? If so,
where is it? Can you post your stack? Especially common-auth.

> Thanks again for the great work to the Samba team!
> -Ron
> -- 
> Riomar Group <http://www.riomargroup.com> Ron García-Vidal | President | 
> Riomar Group (A NYC & NYS Certified MBE)
> 1315 Prospect Ave., First Floor | Brooklyn, NY 11218
> 2655 Le Jeune Road, Suite 915 | Coral Gables, FL 33134
> (347) 746-6276 | www.riomargroup.com <http://www.riomargroup.com>
> ron at riomargroup.com <mailto:ron at riomargroup.com>
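Steve's question is where pam_winbind sits in the auth stack. The following is an added example (not from this thread or from the Samba project) that inspects the text of a Debian-style /etc/pam.d/common-auth: it reports the control field of the pam_winbind.so auth line (or MISSING), lists the auth modules in order, and resolves each "success=N" skip to the module it lands on. The two config samples are constructed; the first has no pam_winbind line at all, which matches the symptom that root's su works (no auth step) while login and ssh fail with "Authentication failure".

```shell
#!/bin/sh
# Added example: inspect a PAM "auth" stack for pam_winbind.
# Input to each function is the text of a PAM config file, e.g.
#   winbind_auth_control "$(cat /etc/pam.d/common-auth)"

# Constructed sample 1: common-auth with pam_winbind missing.
SAMPLE_MISSING='# /etc/pam.d/common-auth (constructed sample)
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so'

# Constructed sample 2: the shape pam-auth-update writes once winbind is enabled.
SAMPLE_OK='# /etc/pam.d/common-auth (constructed sample)
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so'

# Print the control field of the first "auth" line that loads pam_winbind.so,
# or MISSING if there is none. Comment lines are ignored.
winbind_auth_control() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $0 ~ /pam_winbind\.so/ {
            line = $0
            sub(/^[[:space:]]*auth[[:space:]]+/, "", line)       # drop the type
            sub(/[[:space:]]+pam_winbind\.so.*$/, "", line)      # drop module + args
            print line
            found = 1
            exit
        }
        END { if (!found) print "MISSING" }'
}

# Print the auth modules in stack order, space separated, on one line.
auth_modules() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "auth" { for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) out = out (out ? " " : "") $i }
        END { print out }'
}

# For each auth line carrying success=N, print "module->target", where target
# is the module reached after skipping the next N lines (PAM jump semantics).
skip_targets() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "auth" {
            n++
            for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) mod[n] = $i
            if (match($0, /success=[0-9]+/)) skip[n] = substr($0, RSTART + 8, RLENGTH - 8)
        }
        END {
            for (i = 1; i <= n; i++) if (i in skip) {
                t = i + skip[i] + 1
                printf "%s->%s\n", mod[i], (t <= n ? mod[t] : "END")
            }
        }'
}

# Stand-alone run: report on both constructed samples.
for s in "$SAMPLE_MISSING" "$SAMPLE_OK"; do
    echo "pam_winbind control : $(winbind_auth_control "$s")"
    echo "auth stack          : $(auth_modules "$s")"
    echo "skip targets        : $(skip_targets "$s" | tr '\n' ' ')"
    echo
done
```

In the second sample, pam_unix's success=2 jumps straight to pam_permit, so a local account never touches winbind, while a domain user falls through to pam_winbind and, on success, its success=1 hops over pam_deny. In the first sample a domain user has nowhere to go but pam_deny, which is the "Authentication failure" logged by login and sshd.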
