[Samba] problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade

Rowland Penny rowlandpenny at googlemail.com
Fri Apr 25 12:46:32 MDT 2014


On 25/04/14 19:31, Geoff Rowland wrote:
>
> On 04/25/2014 02:11 PM, Rowland Penny wrote:
>> On 25/04/14 18:55, Geoff Rowland wrote:
>>> On 04/25/2014 01:40 PM, Rowland Penny wrote:
>>>> On 25/04/14 18:26, Geoff Rowland wrote:
>>>>> On 04/25/2014 01:21 PM, Rowland Penny wrote:
>>>>>> On 25/04/14 18:12, Geoff Rowland wrote:
>>>>>>> I had forgotten I changed my pam files to default...now I changed them
>>>>>>> back to what I had before so that winbind shows up before pam_unix -
>>>>>>> and here is the output from auth.log:
>>>>>>>
>>>>>>> Apr 25 13:08:09 mycomputer lightdm: pam_winbind(lightdm:auth): getting password (0x00000000)
>>>>>>> Apr 25 13:08:15 mycomputer lightdm: pam_winbind(lightdm:auth): user 'growland' granted access
>>>>>>> Apr 25 13:08:15 mycomputer lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(growland))
>>>>>>> Apr 25 13:08:15 mycomputer lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
>>>>>>>
>>>>>>> Returns with invalid password (but I know the password is correct)
>>>>>>>
>>>>>>>
>>>>>>> On 04/25/2014 11:41 AM, steve wrote:
>>>>>>>> On Fri, 2014-04-25 at 11:27 -0400, Geoff Rowland wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> not sure what else to try?
>>>>>>>> Look at the log at the time of the login.
>>>>>>>>
>>>>>>>> Unless 14.04 has changed radically, I'd:
>>>>>>>> tail -f /var/log/syslog
>>>>>>>>
>>>>>>>> Anything?
>>>>>>>> HTH
>>>>>>>> Steve
>>>>>>>>
>>>>>>>>
>>>>>> sigh, I will try again, does 'getent passwd' show your domain users ???
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> getent passwd does not show my domain users...but it also does not
>>>>> show my domain users on my 12.04 box, which is working fine.
>>>>>
>>>>> wbinfo -u does show domain users.
>>>>>
>>>>> net ads testjoin says Join is OK
>>>>>
>>>>> klist shows ticket expires tomorrow
>>>>> (I do seem to have to kinit to get a new ticket every time I reboot
>>>>> the computer though?)
>>>> OK, last thing first, put this in smb.conf:
>>>>
>>>> winbind refresh tickets = Yes
>>>>
>>>> Reload your config: smbcontrol all reload-config
>>>>
>>>> Getent needs to show your domain users, do you have winbind in
>>>> /etc/nsswitch.conf :
>>>>
>>>> ......
>>>> passwd:         compat winbind
>>>> group:          compat winbind
>>>>
>>>> Do you have libpam-winbind & libpam-krb5 installed ?
>>>>
>>>> Rowland
>>>>
>>> yes, I have libpam-winbind + libpam-krb5 installed, as well as winbind
>>> in /etc/nsswitch.conf.
>>> I added the entry to smb.conf and performed the command (restarted the
>>> services as well, just to be sure), however I still have the same issue.
>>>
>> OK, my fileserver is running 14.04 and users can connect to shares and
>> via ssh, these are my main PAM files:
>>
>> #
>> # /etc/pam.d/common-auth - authentication settings common to all services
>> #
>> # here are the per-package modules (the "Primary" block)
>> auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
>> auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
>> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>> # here's the fallback if no module succeeds
>> auth    requisite                       pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> auth    required                        pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> auth    optional                        pam_cap.so
>> # end of pam-auth-update config
>>
>> #
>> # /etc/pam.d/common-account - authorization settings common to all services
>> #
>> # here are the per-package modules (the "Primary" block)
>> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
>> account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
>> # here's the fallback if no module succeeds
>> account requisite                       pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> account required                        pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> account required                        pam_krb5.so minimum_uid=1000
>> # end of pam-auth-update config
>>
>> #
>> # /etc/pam.d/common-password - password-related modules common to all services
>> #
>> # here are the per-package modules (the "Primary" block)
>> password        [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
>> password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
>> password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
>> # here's the fallback if no module succeeds
>> password        requisite                       pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> password        required                        pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> password        optional        pam_gnome_keyring.so
>> # end of pam-auth-update config
>>
>> #
>> # /etc/pam.d/common-session - session-related modules common to all services
>> #
>> # here are the per-package modules (the "Primary" block)
>> session [default=1]                     pam_permit.so
>> # here's the fallback if no module succeeds
>> session requisite                       pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> session required                        pam_permit.so
>> # The pam_umask module will set the umask according to the system default in
>> # /etc/login.defs and user settings, solving the problem of different
>> # umask settings with different shells, display managers, remote sessions etc.
>> # See "man pam_umask".
>> session optional                        pam_umask.so
>> # and here are more per-package modules (the "Additional" block)
>> session optional                        pam_krb5.so minimum_uid=1000
>> session required        pam_unix.so
>> session optional                        pam_winbind.so
>> session optional        pam_systemd.so
>> session optional                        pam_ck_connector.so nox11
>> # end of pam-auth-update config
>> session required                        pam_mkhomedir.so skel=/etc/skel umask=0022
>>
>> Do yours match the above? Also, do your AD users have uidNumbers &
>> gidNumbers?
>>
>> Rowland
> They do not have either set.  Is this a (new?) requirement?
>
> I edited my PAM files to match and still have the same result.

One more question, do you have libnss-winbind installed?

Rowland
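
The symptom in the quoted auth.log (pam_winbind grants access, then pam_unix fails in getpwnam) and the nsswitch.conf check asked about above, as an added shell example that is not part of the original message. The function names and temporary file names are hypothetical, and the sample files are constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage for "password accepted, login still refused".

# nss_has_winbind FILE DB: succeed if the DB line (passwd/group) in FILE lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                               # ignore comments
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# authed_but_unresolved LOG: print each user pam_winbind accepted but getpwnam() could not resolve.
authed_but_unresolved() {
    awk '
        /pam_winbind\(.*:auth\): user .* granted access/ {
            split($0, part, "\047")                      # user name sits between single quotes
            granted[part[2]] = 1
        }
        /could not identify user \(from getpwnam\(/ {
            u = $0; sub(/.*getpwnam\(/, "", u); sub(/\).*/, "", u)
            if ((u in granted) && !seen[u]++) print u
        }
    ' "$1"
}

# Constructed samples: two auth.log lines from the thread (unwrapped) and two nsswitch.conf variants.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/auth.log" <<'EOF'
Apr 25 13:08:15 mycomputer lightdm: pam_winbind(lightdm:auth): user 'growland' granted access
Apr 25 13:08:15 mycomputer lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(growland))
EOF
printf 'passwd: compat\ngroup: compat\n' > "$tmp/nsswitch.missing"
printf 'passwd: compat winbind\ngroup: compat winbind\n' > "$tmp/nsswitch.ok"

for u in $(authed_but_unresolved "$tmp/auth.log"); do
    echo "$u: winbind accepted the password, but NSS cannot resolve the account"
done
for f in "$tmp/nsswitch.missing" "$tmp/nsswitch.ok"; do
    for db in passwd group; do
        if nss_has_winbind "$f" "$db"; then echo "${f##*/} $db: winbind listed"
        else echo "${f##*/} $db: winbind NOT listed"; fi
    done
done
```

On a live host the same functions can be pointed at /var/log/auth.log and /etc/nsswitch.conf.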