[Samba] problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade
Rowland Penny
rowlandpenny at googlemail.com
Mon Apr 28 11:13:14 MDT 2014
On 28/04/14 17:15, Geoff Rowland wrote:
>
> On 04/25/2014 02:58 PM, Rowland Penny wrote:
>> On 25/04/14 19:49, Geoff Rowland wrote:
>>>>> They do not have either set. Is this a (new?) requirement?
>>>>>
>>>>> I edited my PAM files to match and still have the same result.
>>>> One more question, do you have libnss-winbind installed?
>>>>
>>>> Rowland
>>>>
>>> Yes, I have libnss-winbind installed as well.
>> OK, this is basically what I did to install my fileserver:
>>
>> installed Ubuntu 14.04 with a fixed ipaddress and gave it a FQDN
>>
>> Once installed, stopped NetworkManager from starting dnsmasq and removed
>> resolvconf, fully updated and then rebooted
>>
>> I then installed samba winbind libpam-winbind libnss-winbind krb5-user
>> krb5-config ntp libpam-krb5
>>
>> Stopped all samba services
>>
>> Created a new smb.conf
>>
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.COM
>> server string = %h server (Samba)
>> security = ADS
>> map to guest = Bad User
>> username map = /etc/samba/smbusers
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> client signing = if_required
>> printcap name = cups
>> local master = No
>> domain master = No
>> usershare allow guests = Yes
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind offline logon = Yes
>> winbind normalize names = Yes
>> idmap config DOMAIN:range = 10000-999999
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:backend = ad
>> idmap config *:range = 2000-9999
>> idmap config * : backend = tdb
>> map acl inherit = Yes
>> cups options = raw
>> store dos attributes = Yes
>> vfs objects = acl_xattr
>>
>> [homes]
>> comment = Home Directories
>> valid users = %S
>> create mask = 0700
>> directory mask = 0700
>> browseable = No
>>
>> [printers]
>> comment = All Printers
>> path = /var/spool/samba
>> create mask = 0700
>> printable = Yes
>> print ok = Yes
>> browseable = No
>>
>> [print$]
>> comment = Printer Drivers
>> path = /var/lib/samba/printers
>>
>> Create /etc/samba/smbusers
>> !root = DOMAIN\Administrator DOMAIN\administrator
>>
>> sudo cp /etc/krb5.conf /etc/krb5.conf.orig
>>
>> Edited /etc/krb5.conf to match the following:
>>
>> [libdefaults]
>> default_realm = DOMAIN.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> edit /etc/resolv.conf
>>
>> ensure it points to AD DC
>>
>> search domain.com
>> domain domain.com
>> nameserver 192.168.0.5 <--- this is the ip of my samba4 AD DC
>>
>> sudo rm -f /var/lib/samba/*.tdb
>> sudo rm -f /var/cache/samba/*.tdb
>>
>> edit /etc/ntp.conf
>>
>> #------------------Start-----------------------------------
>> driftfile /var/lib/ntp/ntp.drift
>> statistics loopstats peerstats clockstats
>> filegen loopstats file loopstats type day enable
>> filegen peerstats file peerstats type day enable
>> filegen clockstats file clockstats type day enable
>> server 192.168.0.5
>> restrict -4 default kod notrap nomodify nopeer noquery
>> restrict -6 default kod notrap nomodify nopeer noquery
>> restrict 127.0.0.1
>> restrict ::1
>> #disable auth
>> #broadcastclient
>> #----------------End----------------------------------------
>>
>> sudo service ntp restart
>>
>> sudo net ads join -U Administrator
>> Enter Administrator's password:
>> Using short domain name -- DOMAIN
>> Joined 'MEMBER1' to dns domain 'domain.com'
>>
>> Add 'winbind' to the passwd & group lines in nsswitch.conf:
>>
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd: compat winbind
>> group: compat winbind
>>
>>
>> sudo service smbd start
>> sudo service nmbd start
>> sudo service winbind start
>>
>> 'wbinfo -u' should display all domain users
>> 'wbinfo -g' should display all domain groups
>>
>> 'getent passwd' should display all users, local & domain
>>
>> 'getent group' should display all groups, local & domain, only it
>> doesn't (known bug), but 'getent group <domain groupname>' will display
>> the domain group, (if it has a gidNumber).
>>
>
> I installed a fresh 14.04 box using your smb.conf and krb5.conf and am
> still having issues. wbinfo -u returns domain users, wbinfo -g
> returns domain groups, getent passwd returns local users only - and
> there is a delay after displaying the last local user (like perhaps
> it's trying to contact the domain).
>
> When I try to log in as a domain user, I see this in the auth.log:
> pam_krb5(lightdm:auth): user growland authenticated as
> growland at DOMAIN.COM
> lightdm: gkr-pam: error looking up user information
>
> This is a Windows Server 2008 server that it is authenticating
> against. Is there any way to see more information about this error?
>
>
Hi, I can assure you that it does work. The only thing I can think of (off
the top of my head): do your users have the required uidNumbers and
gidNumbers? If they don't, then 'getent passwd' will never work, and
'getent passwd' MUST show all the domain users.
Rowland
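The diagnosis above (with `idmap config DOMAIN:backend = ad` and `schema_mode = rfc2307`, winbind only resolves users that carry a uidNumber and gidNumber, and the uidNumber must sit inside the domain's idmap range) can be checked before the join. The script below is an added example, not code from the thread or from Samba; it parses the idmap lines from the smb.conf quoted above (embedded as a constructed excerpt) and evaluates constructed user entries in place of a live AD query.

```python
import re

# Constructed smb.conf excerpt: the idmap lines from the thread's config.
SMB_CONF = """
[global]
   idmap config DOMAIN:range = 10000-999999
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:backend = ad
   idmap config *:range = 2000-9999
   idmap config * : backend = tdb
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s*(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.I | re.M)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom.upper(), {})[opt.lower()] = val
    return cfg

def parse_range(spec):
    return tuple(int(x) for x in spec.split("-"))  # '10000-999999' -> (10000, 999999)

def ranges_overlap(conf):
    """True if two idmap ranges overlap, i.e. tdb and ad allocations collide."""
    rs = sorted(parse_range(d["range"]) for d in parse_idmap(conf).values()
                if "range" in d)
    return any(rs[i][1] >= rs[i + 1][0] for i in range(len(rs) - 1))

def check_users(conf, domain, users):
    """Map each sAMAccountName to why idmap_ad would skip it (None = OK):
    rfc2307 needs uidNumber and gidNumber, and uidNumber inside the range."""
    dom = parse_idmap(conf).get(domain.upper(), {})
    if dom.get("backend", "").lower() != "ad":
        raise ValueError(f"idmap backend for {domain} is not 'ad'")
    lo, hi = parse_range(dom["range"])
    out = {}
    for u in users:
        name, uid, gid = u["sAMAccountName"], u.get("uidNumber"), u.get("gidNumber")
        if uid is None:
            out[name] = "missing uidNumber"
        elif gid is None:
            out[name] = "missing gidNumber"
        elif not lo <= uid <= hi:
            out[name] = f"uidNumber {uid} outside range {lo}-{hi}"
        else:
            out[name] = None
    return out
```

Feed `check_users` the uidNumber/gidNumber values exported from AD for the domain you configure; any entry that comes back with a reason is a user that `getent passwd` will silently omit.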