[Samba] problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade

Rowland Penny rowlandpenny at googlemail.com
Mon Apr 28 11:13:14 MDT 2014


On 28/04/14 17:15, Geoff Rowland wrote:
>
> On 04/25/2014 02:58 PM, Rowland Penny wrote:
>> On 25/04/14 19:49, Geoff Rowland wrote:
>>>>> They do not have either set.  Is this a (new?) requirement?
>>>>>
>>>>> I edited my PAM files to match and still have the same result.
>>>> One more question, do have libnss-winbind installed ??
>>>>
>>>> Rowland
>>>>
>>> yes, i have libnss-winbind installed as well.
>> OK, this is basically what I did to install my fileserver:
>>
>> installed Ubuntu 14.04 with a fixed ipaddress and gave it a FQDN
>>
>> Once installed, stopped NetworkManager from starting dnsmasq and removed
>> resolvconf, fully updated and then rebooted
>>
>> I then installed samba winbind libpam-winbind libnss-winbind krb5-user
>> krb5-config ntp libpam-krb5
>>
>> Stopped all samba services
>>
>> Created a new smb.conf
>>
>> [global]
>>       workgroup = DOMAIN
>>       realm = DOMAIN.COM
>>       server string = %h server (Samba)
>>       security = ADS
>>       map to guest = Bad User
>>       username map = /etc/samba/smbusers
>>       dedicated keytab file = /etc/krb5.keytab
>>       kerberos method = secrets and keytab
>>       client signing = if_required
>>       printcap name = cups
>>       local master = No
>>       domain master = No
>>       usershare allow guests = Yes
>>       winbind enum users = Yes
>>       winbind enum groups = Yes
>>       winbind use default domain = Yes
>>       winbind expand groups = 4
>>       winbind nss info = rfc2307
>>       winbind refresh tickets = Yes
>>       winbind offline logon = Yes
>>       winbind normalize names = Yes
>>       idmap config DOMAIN:range = 10000-999999
>>       idmap config DOMAIN:schema_mode = rfc2307
>>       idmap config DOMAIN:backend = ad
>>       idmap config *:range = 2000-9999
>>       idmap config * : backend = tdb
>>       map acl inherit = Yes
>>       cups options = raw
>>       store dos attributes = Yes
>>       vfs objects = acl_xattr
>>
>> [homes]
>>       comment = Home Directories
>>       valid users = %S
>>       create mask = 0700
>>       directory mask = 0700
>>       browseable = No
>>
>> [printers]
>>       comment = All Printers
>>       path = /var/spool/samba
>>       create mask = 0700
>>       printable = Yes
>>       print ok = Yes
>>       browseable = No
>>
>> [print$]
>>       comment = Printer Drivers
>>       path = /var/lib/samba/printers
>>
>> Create /etc/samba/smbusers
>> !root = DOMAIN\Administrator DOMAIN\administrator
>>
>> sudo cp /etc/krb5.conf /etc/krb5.conf.orig
>>
>> Edited /etc/krb5.conf to match the following:
>>
>> [libdefaults]
>>       default_realm = DOMAIN.COM
>>           dns_lookup_realm = false
>>           dns_lookup_kdc = true
>>
>> edit /etc/resolv.conf
>>
>> ensure it points to AD DC
>>
>> search domain.com
>> domain domain.com
>> nameserver 192.168.0.5 <--- this is the ip of my samba4 AD DC
>>
>> sudo rm -f /var/lib/samba/*.tdb
>> sudo rm -f /var/cache/samba/*.tdb
>>
>> edit /etc/ntp.conf
>>
>> #------------------Start-----------------------------------
>> driftfile /var/lib/ntp/ntp.drift
>> statistics loopstats peerstats clockstats
>> filegen loopstats file loopstats type day enable
>> filegen peerstats file peerstats type day enable
>> filegen clockstats file clockstats type day enable
>> server 192.168.0.5
>> restrict -4 default kod notrap nomodify nopeer noquery
>> restrict -6 default kod notrap nomodify nopeer noquery
>> restrict 127.0.0.1
>> restrict ::1
>> #disable auth
>> #broadcastclient
>> #----------------End----------------------------------------
>>
>> sudo service ntp restart
>>
>> sudo net ads join -U Administrator
>> Enter Administrator's password:
>> Using short domain name -- DOMAIN
>> Joined 'MEMBER1' to dns domain 'domain.com'
>>
>> Add 'winbind' to the passwd & group lines in nsswitch.conf:
>>
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd:         compat winbind
>> group:          compat winbind
>>
>>
>> sudo service smbd start
>> sudo service nmbd start
>> sudo service winbind start
>>
>> 'wbinfo -u' should display all domain users
>> 'wbinfo -g' should display all domain groups
>>
>> 'getent passwd' should display all users, local & domain
>>
>> 'getent group' should display all groups, local & domain, only it
>> doesn't (known bug), but 'getent group <domain groupname>' will display
>> the domain group, (if it has a gidNumber).
>>
>
> I installed a fresh 14.04 box using your smb.conf and krb5.conf and am 
> still having issues.  wbinfo -u returns domain users, wbinfo -g 
> returns domain groups, getent passwd returns local users only - and 
> there is a delay after displaying the last local user (like perhaps 
> it's trying to contact the domain).
>
> When I try to log in as a domain user, I see this in the auth.log:
> pam_krb5(lightdm:auth): user growland authenticated as 
> growland at DOMAIN.COM
> lightdm: gkr-pam: error looking up user information
>
> This is a Windows Server 2008 server that it is authenticating 
> against.  Is there any way to see more information about this error?
>
>

Hi, I can assure you that it does work. The only thing I can think of (off 
the top of my head): do your users have the required uidNumbers and 
gidNumbers? If they don't, then 'getent passwd' will never work, and 
'getent passwd' MUST show all the domain users.

Rowland
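The symptom in this thread (wbinfo -u lists the domain users, getent passwd does not, and gkr-pam then fails "looking up user information") is exactly what Rowland's reply points at: with 'idmap config DOMAIN:backend = ad' winbind only maps a user that carries a uidNumber and whose primary group carries a gidNumber; enumeration with wbinfo -u does not need the mapping, so it still works. The script below is an added example, not code from this thread or from the Samba project. It separates the three stages a login depends on (name lookup, idmap, NSS) so the failing one is obvious; the verdict wording and the function names are mine, and the user name in the usage comment is the one from the thread.

```shell
#!/bin/sh
# ad-member-check.sh: triage why an AD user authenticates but has no NSS entry.
# Added diagnostic (not from the thread). Run on the member server as root:
#     sh ad-member-check.sh growland
# The bare user name works because the smb.conf in the thread sets
# 'winbind use default domain = Yes'; otherwise pass DOMAIN\\user.

# nsswitch_has_winbind FILE DB
# Returns 0 if the "DB:" line in FILE (e.g. passwd, group) lists winbind,
# 1 otherwise. Comment lines start with '#', so their $1 never matches.
nsswitch_has_winbind() {
    awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# classify RC_LOOKUP RC_IDMAP RC_NSS
#   RC_LOOKUP: exit status of 'wbinfo -n USER'   (name -> SID; proves winbind and the join work)
#   RC_IDMAP : exit status of 'wbinfo -i USER'   (SID -> uid/gid through the idmap backend)
#   RC_NSS   : exit status of 'getent passwd USER' (what PAM, lightdm and gkr-pam actually see)
# Prints a one-word verdict followed by what to check next.
classify() {
    if [ "$1" -ne 0 ]; then
        echo "NOT_RESOLVED winbind cannot resolve the name: check 'wbinfo -p', 'net ads testjoin', DNS and the Kerberos realm."
    elif [ "$2" -ne 0 ]; then
        echo "NO_IDMAP the name resolves but gets no uid/gid: with 'idmap config DOMAIN:backend = ad' the user needs a uidNumber and its primary group needs a gidNumber in AD."
    elif [ "$3" -ne 0 ]; then
        echo "NSS_MISSING winbind maps the user but NSS does not see it: install libnss-winbind and add 'winbind' to the passwd and group lines of /etc/nsswitch.conf."
    else
        echo "OK the user is visible through NSS; look at the PAM stack or the home directory instead."
    fi
}

# Live run, skipped when no user is given or wbinfo is absent, so the
# functions above can be sourced and exercised on a box without winbind.
if [ "$#" -eq 1 ] && command -v wbinfo >/dev/null 2>&1; then
    user=$1
    nsswitch_has_winbind /etc/nsswitch.conf passwd || echo "WARN: passwd line in /etc/nsswitch.conf lacks winbind"
    nsswitch_has_winbind /etc/nsswitch.conf group  || echo "WARN: group line in /etc/nsswitch.conf lacks winbind"
    rc_lookup=0; wbinfo -n "$user"     >/dev/null 2>&1 || rc_lookup=$?
    rc_idmap=0;  wbinfo -i "$user"     >/dev/null 2>&1 || rc_idmap=$?
    rc_nss=0;    getent passwd "$user" >/dev/null 2>&1 || rc_nss=$?
    classify "$rc_lookup" "$rc_idmap" "$rc_nss"
fi
```

For Geoff's case the expected verdict is NO_IDMAP: 'wbinfo -n growland' succeeds, 'wbinfo -i growland' fails with "Could not get info for user", and getent therefore cannot return an entry even though pam_krb5 has already accepted the password. Adding uidNumber to the user and gidNumber to 'Domain Users' (or whatever the primary group is) in AD, then restarting winbind, is the fix the thread is converging on; the tdb fallback range 'idmap config *:range' does not apply to the DOMAIN realm because that realm has its own backend.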



