[Samba] problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade

Geoff Rowland growland at heavyhammer.com
Mon Apr 28 10:15:39 MDT 2014


On 04/25/2014 02:58 PM, Rowland Penny wrote:
> On 25/04/14 19:49, Geoff Rowland wrote:
>>>> They do not have either set.  Is this a (new?) requirement?
>>>>
>>>> I edited my PAM files to match and still have the same result.
>>> One more question, do have libnss-winbind installed ??
>>>
>>> Rowland
>>>
>> yes, i have libnss-winbind installed as well.
> OK, this is basically what I did to install my fileserver:
>
> installed Ubuntu 14.04 with a fixed IP address and gave it a FQDN
>
> Once installed, stopped NetworkManager from starting dnsmasq and removed
> resolvconf, fully updated and then rebooted
>
> I then installed samba winbind libpam-winbind libnss-winbind krb5-user
> krb5-config ntp libpam-krb5
>
> Stopped all samba services
>
> Created a new smb.conf
>
> [global]
>       workgroup = DOMAIN
>       realm = DOMAIN.COM
>       server string = %h server (Samba)
>       security = ADS
>       map to guest = Bad User
>       username map = /etc/samba/smbusers
>       dedicated keytab file = /etc/krb5.keytab
>       kerberos method = secrets and keytab
>       client signing = if_required
>       printcap name = cups
>       local master = No
>       domain master = No
>       usershare allow guests = Yes
>       winbind enum users = Yes
>       winbind enum groups = Yes
>       winbind use default domain = Yes
>       winbind expand groups = 4
>       winbind nss info = rfc2307
>       winbind refresh tickets = Yes
>       winbind offline logon = Yes
>       winbind normalize names = Yes
>       idmap config DOMAIN:range = 10000-999999
>       idmap config DOMAIN:schema_mode = rfc2307
>       idmap config DOMAIN:backend = ad
>       idmap config *:range = 2000-9999
>       idmap config * : backend = tdb
>       map acl inherit = Yes
>       cups options = raw
>       store dos attributes = Yes
>       vfs objects = acl_xattr
>
> [homes]
>       comment = Home Directories
>       valid users = %S
>       create mask = 0700
>       directory mask = 0700
>       browseable = No
>
> [printers]
>       comment = All Printers
>       path = /var/spool/samba
>       create mask = 0700
>       printable = Yes
>       print ok = Yes
>       browseable = No
>
> [print$]
>       comment = Printer Drivers
>       path = /var/lib/samba/printers
>
> Create /etc/samba/smbusers
> !root = DOMAIN\Administrator DOMAIN\administrator
>
> sudo cp /etc/krb5.conf /etc/krb5.conf.orig
>
> Edited /etc/krb5.conf to match the following:
>
> [libdefaults]
>       default_realm = DOMAIN.COM
>       dns_lookup_realm = false
>       dns_lookup_kdc = true
>
> edit /etc/resolv.conf
>
> ensure it points to AD DC
>
> search domain.com
> domain domain.com
> nameserver 192.168.0.5 <--- this is the ip of my samba4 AD DC
>
> sudo rm -f /var/lib/samba/*.tdb
> sudo rm -f /var/cache/samba/*.tdb
>
> edit /etc/ntp.conf
>
> #------------------Start-----------------------------------
> driftfile /var/lib/ntp/ntp.drift
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> server 192.168.0.5
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
> restrict 127.0.0.1
> restrict ::1
> #disable auth
> #broadcastclient
> #----------------End----------------------------------------
>
> sudo service ntp restart
>
> sudo net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- DOMAIN
> Joined 'MEMBER1' to dns domain 'domain.com'
>
> Add 'winbind' to the passwd & group lines in nsswitch.conf:
>
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat winbind
> group:          compat winbind
>
>
> sudo service smbd start
> sudo service nmbd start
> sudo service winbind start
>
> 'wbinfo -u' should display all domain users
> 'wbinfo -g' should display all domain groups
>
> 'getent passwd' should display all users, local & domain
>
> 'getent group' should display all groups, local & domain, only it
> doesn't (known bug), but 'getent group <domain groupname>' will display
> the domain group, (if it has a gidNumber).
>

I installed a fresh 14.04 box using your smb.conf and krb5.conf and am 
still having issues.  wbinfo -u returns domain users, wbinfo -g returns 
domain groups, getent passwd returns local users only - and there is a 
delay after displaying the last local user (like perhaps it's trying to 
contact the domain).

When I try to log in as a domain user, I see this in the auth.log:
pam_krb5(lightdm:auth): user growland authenticated as growland at DOMAIN.COM
lightdm: gkr-pam: error looking up user information

This is a Windows Server 2008 server that it is authenticating against.  
Is there any way to see more information about this error?
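The symptom in this thread (wbinfo -u lists the domain users, getent passwd does not, and the PAM stack then fails to look the user up at login) is the classic behaviour of the rfc2307 idmap setup quoted above when accounts have no uidNumber/gidNumber in AD, or have values outside the configured range. The following script is an added example, not code from either poster or from the Samba project: it parses the idmap lines of an smb.conf (the sample is constructed from the quoted configuration), lints the ranges and backends, and predicts whether a given account will resolve through NSS. The function names, the second "broken" sample and the INFO/WARN levels are my own; the prediction in nss_visible deliberately models only the idmap_ad range check and ignores other knobs such as `winbind nss info`.

```python
"""Added example: lint the idmap part of an smb.conf and predict which
domain accounts resolve through NSS on a winbind member server."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the idmap lines from the quoted [global] section,
# including the "idmap config * : backend" spelling with spaces around ':'.
SAMPLE_SMB_CONF = """\
[global]
      workgroup = DOMAIN
      realm = DOMAIN.COM
      security = ADS
      winbind nss info = rfc2307
      idmap config DOMAIN:range = 10000-999999
      idmap config DOMAIN:schema_mode = rfc2307
      idmap config DOMAIN:backend = ad
      idmap config *:range = 2000-9999
      idmap config * : backend = tdb

[homes]
      comment = Home Directories
"""

# Constructed sample with two common mistakes: no '*' default domain and
# a per-domain range that overlaps another domain's range.
BROKEN_SMB_CONF = """\
[global]
      idmap config DOMAIN:backend = ad
      idmap config DOMAIN:range = 10000-20000
      idmap config OTHER:backend = rid
      idmap config OTHER:range = 15000-30000
"""

# 'idmap config <domain>:<option>'; Samba accepts whitespace around the colon.
IDMAP_RE = re.compile(r"^idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*(?P<opt>\w+)$", re.I)

IdmapConfig = Dict[str, Dict[str, str]]


def parse_idmap(smb_conf: str) -> IdmapConfig:
    """Return {DOMAIN: {option: value}} for the idmap lines of [global]."""
    section: Optional[str] = None
    result: IdmapConfig = {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = IDMAP_RE.match(key)
        if match:
            dom = match.group("dom").strip().upper()
            result.setdefault(dom, {})[match.group("opt").lower()] = value
    return result


def parse_range(text: str) -> Tuple[int, int]:
    """'10000-999999' -> (10000, 999999); raises ValueError if malformed."""
    low, high = (int(part.strip()) for part in text.split("-", 1))
    return low, high


def lint_idmap(idmap: IdmapConfig) -> List[Tuple[str, str]]:
    """(level, message) findings: WARN = misconfiguration, INFO = must-know."""
    findings: List[Tuple[str, str]] = []
    if "*" not in idmap:
        findings.append(("WARN", "no 'idmap config *' default: BUILTIN/foreign SIDs cannot be mapped"))
    ranges: List[Tuple[str, int, int]] = []
    for dom, opts in idmap.items():
        backend = opts.get("backend")
        if backend is None:
            findings.append(("WARN", f"{dom}: no backend configured"))
        if "range" not in opts:
            findings.append(("WARN", f"{dom}: no range configured"))
            continue
        try:
            low, high = parse_range(opts["range"])
        except ValueError:
            findings.append(("WARN", f"{dom}: malformed range {opts['range']!r}"))
            continue
        if low >= high:
            findings.append(("WARN", f"{dom}: empty range {low}-{high}"))
            continue
        ranges.append((dom, low, high))
        if backend == "ad":
            findings.append(("INFO", f"{dom}: backend 'ad' takes uidNumber/gidNumber from AD; accounts "
                                     f"without them, or outside {low}-{high}, show in 'wbinfo -u' "
                                     "but not in 'getent passwd', so NSS/PAM login fails"))
    ranges.sort(key=lambda item: item[1])
    for (d1, _, hi1), (d2, lo2, _) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(("WARN", f"ranges of {d1} and {d2} overlap ({lo2} <= {hi1})"))
    return findings


def nss_visible(idmap: IdmapConfig, domain: str, uid_number: Optional[int]) -> bool:
    """Predict NSS visibility: with 'backend = ad' only accounts whose uidNumber
    lies inside the range are mapped; tdb/rid derive or allocate ids themselves."""
    opts = idmap.get(domain.upper(), {})
    if opts.get("backend") != "ad":
        return True
    if uid_number is None:
        return False
    low, high = parse_range(opts["range"])
    return low <= uid_number <= high


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_SMB_CONF), ("broken", BROKEN_SMB_CONF)):
        print(f"== {name} ==")
        for level, message in lint_idmap(parse_idmap(conf)):
            print(f"{level}: {message}")
    cfg = parse_idmap(SAMPLE_SMB_CONF)
    print("domain user with no uidNumber visible to NSS:", nss_visible(cfg, "DOMAIN", None))
```

On a real member server the same question is answered by comparing `wbinfo -n DOMAIN\\user` (SID known to winbind) with `wbinfo -S <sid>` and `getent passwd user`: if the first succeeds and the last two fail, the account lacks a mappable uidNumber under the configured idmap backend.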