[Samba] CentOS Samba as Domain Member

Bjoern.Becker at easycash.de
Fri Feb 14 09:47:19 MST 2014


Uhhh, it's solved. I had to clear the winbind cache for sure:

/etc/init.d/winbind stop
rm /var/lib/samba/winbindd_*tdb
/etc/init.d/winbind start

Mit freundlichen Grüßen / Best regards
Björn 


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Becker, Björn
Sent: Friday, 14 February 2014 16:36
To: rowlandpenny at googlemail.com; samba at lists.samba.org
Subject: Re: [Samba] CentOS Samba as Domain Member

> You are welcome, but be aware that without the RFC2307 attributes you could have different id numbers on different samba servers.

Thanks! These configurations are for workstations only, I guess this will not become a problem there... hopefully :).

I now run into the next problem while trying to log in with a domain user against sshd. I receive these error messages:

Feb 14 16:27:33 PC3370CO sshd[18555]: Invalid user bb from
Feb 14 16:27:33 PC3370CO sshd[18556]: input_userauth_request: invalid user bb
Feb 14 16:27:37 PC3370CO sshd[18555]: pam_unix(sshd:auth): check pass; user unknown
Feb 14 16:27:37 PC3370CO sshd[18555]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3214ub
Feb 14 16:27:38 PC3370CO sshd[18555]: pam_succeed_if(sshd:auth): error retrieving information about user bb
Feb 14 16:27:40 PC3370CO sshd[18555]: Failed password for invalid user bb port 39674 ssh2

My nsswitch.conf:

passwd:     files winbind
shadow:     files 
group:      files winbind

And this is my pam config:

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


I don't understand why the domain user is invalid. With getent passwd I can see my user.


Mit freundlichen Grüßen / Best regards
Björn 


-----Original Message-----
From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Sent: Friday, 14 February 2014 15:03
To: Becker, Björn; samba at lists.samba.org
Subject: Re: AW: AW: [Samba] CentOS Samba as Domain Member

On 14/02/14 13:41, Bjoern.Becker at easycash.de wrote:
> On 14/02/14 12:38, Bjoern.Becker at easycash.de wrote:
>> Hi,
>>
>> yes, I installed it via yum. But the links under /lib were not available:
>>
>> rpm -qa | grep samba
>> samba-winbind-clients-3.6.9-167.el6_5.x86_64
>> samba-3.6.9-167.el6_5.x86_64
>> samba4-libs-4.0.0-60.el6_5.rc4.x86_64
>> samba-client-3.6.9-167.el6_5.x86_64
>> samba-winbind-3.6.9-167.el6_5.x86_64
>> samba-common-3.6.9-167.el6_5.x86_64
>>
>> Wondering a bit about samba4-libs....
>>> Did samba4-libs get installed automatically ?
> I would like to say yes, but I can't reproduce it. I got a really clean install and just installed some basic packages. Puppet ensured that "samba" is present.
> I uninstalled everything and cleaned it up to reinstall it through Puppet again, and now the samba4-libs aren't installed....

Strange, but you don't need samba4-libs anyway.

>
>> I am connecting against an Active Directory.
>>
>> # smb.conf
>> #======================= Global Settings =====================================
>>
>> [global]
>>
>> 	workgroup = DOM_RAT
>> 	server string = Samba Server Version %M
>> 	security = ADS
>> 	realm = DOM.DE
>> 	workgroup = DOM_RAT
>> 	winbind separator = +
>> 	winbind enum users = yes
>> 	winbind enum groups = yes
>> 	template homedir = /home/%D/%U
>> 	template shell = /bin/bash
>> 	client use spnego = yes
>> 	client ntlmv2 auth = yes
>> 	encrypt passwords = yes
>> 	winbind use default domain = yes
>> 	restrict anonymous = 2
>> 	domain master = no
>> 	local master = no
>> 	preferred master = no
>> 	os level = 0
>> 	winbind offline logon = no
>>> OK, you need to add something like this:
>>>          kerberos method = secrets and keytab
>>>          winbind expand groups = 4
>>>          winbind nss info = rfc2307
>>>          winbind refresh tickets = Yes
>>>          winbind normalize names = Yes
>>>          idmap config DOM_RAT:schema_mode = rfc2307
>>>          idmap config DOM_RAT:range = 500-40000
>>>          idmap config DOM_RAT:backend = ad
>>>          idmap config *:range = 70001-80000
>>>          idmap config *:backend = tdb
>>> Then restart samba, this will rely on the RFC2307 uidNumber & gidNumber attributes being available in AD, if not change 'idmap config DOM_RAT:backend = ad' to 'idmap config DOM_RAT:backend = rid'
> Yay! That's it. With backend = rid it works finally!
>
> Thank you very much!

You are welcome, but be aware that without the RFC2307 attributes you could have different id numbers on different samba servers.

Rowland
>
>>> Also have you added 'winbind' to the passwd & group lines in /etc/nsswitch.conf ?
> Yes.
>
> Rowland
>
>> Mit freundlichen Grüßen / Best regards Björn
>>
>>
>> -----Original Message-----
>> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
>> Sent: Friday, 14 February 2014 13:34
>> To: Becker, Björn; samba at lists.samba.org
>> Subject: Re: [Samba] CentOS Samba as Domain Member
>>
>> On 14/02/14 11:54, Bjoern.Becker at easycash.de wrote:
>>> Hello,
>>>
>>> I use CentOS 6.5 and smbd 3.6.9-167.el6_5.
>>>
>>> I can successfully execute wbinfo -u and wbinfo -g, but getent passwd doesn't work.
>>>
>>> nsswitch.conf
>>> passwd:     files winbind
>>> shadow:     files
>>> group:      files winbind
>>>
>>> I read in the Samba manual that I have to link libnss_winbind.so to /lib. I did that but it doesn't work anyway:
>>>
>>> ls -ltr /lib/lib*
>>> lrwxrwxrwx. 1 root root 28 14. Feb 12:34 /lib/libnss_winbind.so -> /usr/lib64/libnss_winbind.so
>>> lrwxrwxrwx. 1 root root 26 14. Feb 12:38 /lib/libnss_files.so -> /usr/lib64/libnss_files.so
>>> lrwxrwxrwx. 1 root root 26 14. Feb 12:40 /lib/libnss_winbind.so.2 -> /lib64/libnss_winbind.so.2
>>>
>>> Can anyone help me out?
>>>
>>> Thanks!
>>>
>>> Mit freundlichen Grüßen / Best regards Björn
>>>
>>>
>> I take it that you are running the machine as a client and installed 
>> samba 3.6.9 via yum? If so then you shouldn't have to create the 
>> links, yum should have done it for you.
>>
>> What is the client connecting to ? and could you please post the 
>> smb.conf from this client.
>>
>> Rowland
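
Added example, not part of the original thread: a small model of the mapping that `idmap config DOM_RAT:backend = rid` performs, using the formula documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID), to check whether several domain members would assign the same uid/gid to a SID. The domain SID, the RIDs, the member names and the `ws3` range are constructed; only the range 500-40000 comes from the thread.

```python
"""Added example: models idmap_rid's documented mapping
ID = RID - BASE_RID + LOW_RANGE_ID for a domain range such as 500-40000."""
from typing import Dict, List, Optional, Tuple


def rid_of(sid: str) -> int:
    """Return the RID (last sub-authority) of a textual SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def rid_to_unix_id(sid: str, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """Map a SID to a uid/gid, or None when the result leaves the range."""
    unix_id = rid_of(sid) - base_rid + low
    return unix_id if low <= unix_id <= high else None


def inconsistent_ids(sids: List[str],
                     members: Dict[str, Tuple[int, int]]) -> Dict[str, Dict[str, Optional[int]]]:
    """Return the SIDs that do not get the same ID on every member server."""
    report = {}
    for sid in sids:
        ids = {name: rid_to_unix_id(sid, lo, hi) for name, (lo, hi) in members.items()}
        if len(set(ids.values())) > 1:
            report[sid] = ids
    return report


# Constructed sample data: the domain SID and RIDs are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SIDS = [f"{DOMAIN_SID}-{rid}" for rid in (1105, 1106, 45000)]

# ws1 and ws2 use the thread's range; ws3's range is a hypothetical mismatch.
MEMBERS = {"ws1": (500, 40000), "ws2": (500, 40000), "ws3": (10000, 49999)}

if __name__ == "__main__":
    same = {k: v for k, v in MEMBERS.items() if k != "ws3"}
    print("identical ranges:", inconsistent_ids(SIDS, same))
    for sid, ids in inconsistent_ids(SIDS, MEMBERS).items():
        print(sid, ids)
```

Members that share the same range compute the same ID for a SID, while a RID that maps past the top of the range gets no ID at all, so that account does not resolve on the member.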
