[Samba] problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade
Geoff Rowland
growland at heavyhammer.com
Mon Apr 28 10:15:39 MDT 2014
On 04/25/2014 02:58 PM, Rowland Penny wrote:
> On 25/04/14 19:49, Geoff Rowland wrote:
>>>> They do not have either set. Is this a (new?) requirement?
>>>>
>>>> I edited my PAM files to match and still have the same result.
>>> One more question, do have libnss-winbind installed ??
>>>
>>> Rowland
>>>
>> yes, i have libnss-winbind installed as well.
> OK, this is basically what I did to install my fileserver:
>
> installed Ubuntu 14.04 with a fixed IP address and gave it a FQDN
>
> Once installed, stopped NetworkManager from starting dnsmasq and removed
> resolvconf, fully updated and then rebooted
>
> I then installed samba winbind libpam-winbind libnss-winbind krb5-user
> krb5-config ntp libpam-krb5
>
> Stopped all samba services
>
> Created a new smb.conf
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.COM
> server string = %h server (Samba)
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> client signing = if_required
> printcap name = cups
> local master = No
> domain master = No
> usershare allow guests = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> winbind normalize names = Yes
> idmap config DOMAIN:range = 10000-999999
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:backend = ad
> idmap config *:range = 2000-9999
> idmap config * : backend = tdb
> map acl inherit = Yes
> cups options = raw
> store dos attributes = Yes
> vfs objects = acl_xattr
>
> [homes]
> comment = Home Directories
> valid users = %S
> create mask = 0700
> directory mask = 0700
> browseable = No
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> create mask = 0700
> printable = Yes
> print ok = Yes
> browseable = No
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
> Create /etc/samba/smbusers
> !root = DOMAIN\Administrator DOMAIN\administrator
>
> sudo cp /etc/krb5.conf /etc/krb5.conf.orig
>
> Edited /etc/krb5.conf to match the following:
>
> [libdefaults]
> default_realm = DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> edit /etc/resolv.conf
>
> ensure it points to AD DC
>
> search domain.com
> domain domain.com
> nameserver 192.168.0.5 <--- this is the ip of my samba4 AD DC
>
> sudo rm -f /var/lib/samba/*.tdb
> sudo rm -f /var/cache/samba/*.tdb
>
> edit /etc/ntp.conf
>
> #------------------Start-----------------------------------
> driftfile /var/lib/ntp/ntp.drift
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> server 192.168.0.5
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
> restrict 127.0.0.1
> restrict ::1
> #disable auth
> #broadcastclient
> #----------------End----------------------------------------
>
> sudo service ntp restart
>
> sudo net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- DOMAIN
> Joined 'MEMBER1' to dns domain 'domain.com'
>
> Add 'winbind' to the passwd & group lines in nsswitch.conf:
>
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
>
>
> sudo service smbd start
> sudo service nmbd start
> sudo service winbind start
>
> 'wbinfo -u' should display all domain users
> 'wbinfo -g' should display all domain groups
>
> 'getent passwd' should display all users, local & domain
>
> 'getent group' should display all groups, local & domain, only it
> doesn't (known bug), but 'getent group <domain groupname>' will display
> the domain group, (if it has a gidNumber).
>
I installed a fresh 14.04 box using your smb.conf and krb5.conf and am
still having issues. wbinfo -u returns domain users, wbinfo -g returns
domain groups, getent passwd returns local users only - and there is a
delay after displaying the last local user (like perhaps it's trying to
contact the domain).
When I try to log in as a domain user, I see this in auth.log:
pam_krb5(lightdm:auth): user growland authenticated as growland at DOMAIN.COM
lightdm: gkr-pam: error looking up user information
This is a Windows Server 2008 server that it is authenticating against.
Is there any way to see more information about this error?
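As an added example (not code from either poster), a small POSIX sh diagnostic for the symptom described in this thread, where `wbinfo -u` lists domain users but `getent passwd` does not: it reports passwd/group databases in nsswitch.conf that do not route through winbind, and lists the users winbind knows that NSS cannot resolve, which with the quoted `idmap config DOMAIN:backend = ad` / rfc2307 settings usually means the account has no uidNumber. The nsswitch.conf, `wbinfo -u` and `getent passwd` inputs below are constructed samples; on a member server point the functions at /etc/nsswitch.conf and at saved output of the two commands.

```shell
#!/bin/sh
# Added example (not from the thread): offline diagnostic for a winbind AD
# member whose wbinfo output is fine but whose getent output is not.

# Print passwd/group databases in an nsswitch.conf that do not list winbind.
# Exit status 1 if any are missing, 0 otherwise.
nss_missing_winbind() {
    awk -F: '
        /^[[:space:]]*(passwd|group)[[:space:]]*:/ && $0 !~ /winbind/ {
            gsub(/[[:space:]]/, "", $1); print $1; missing = 1
        }
        END { exit missing ? 1 : 0 }' "$1"
}

# Print users present in a saved "wbinfo -u" listing but absent from a saved
# "getent passwd" listing. With "winbind use default domain = Yes" (as in the
# quoted smb.conf) wbinfo prints bare names, so the first passwd field matches.
# With idmap backend "ad" / schema rfc2307 such users usually lack uidNumber.
unresolved_users() {
    LC_ALL=C sort -u "$1" > "$3/wb"
    cut -d: -f1 "$2" | LC_ALL=C sort -u > "$3/nss"
    LC_ALL=C comm -23 "$3/wb" "$3/nss"
}

# Constructed sample data standing in for /etc/nsswitch.conf and the two
# command outputs; replace with real files when running on a member server.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:         compat winbind
group:          compat
shadow:         compat
EOF
cat > "$WORK/wbinfo-u.txt" <<'EOF'
growland
jdoe
EOF
cat > "$WORK/getent-passwd.txt" <<'EOF'
root:x:0:0:root:/root:/bin/bash
growland:*:10001:10000::/home/DOMAIN/growland:/bin/bash
EOF

if ! nss_missing_winbind "$WORK/nsswitch.conf"; then
    echo "above databases bypass winbind: fix /etc/nsswitch.conf" >&2
fi
echo "winbind users NSS cannot resolve:"
unresolved_users "$WORK/wbinfo-u.txt" "$WORK/getent-passwd.txt" "$WORK"
```

For a user the second check reports, `wbinfo -i <user>` shows whether winbind can produce a uid for that account at all; a user that wbinfo -i cannot map will never appear in getent passwd.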