[Samba] CentOS Samba as Domain Member

Rowland Penny rowlandpenny at googlemail.com
Fri Feb 14 11:01:08 MST 2014


On 14/02/14 17:41, Bjoern.Becker at easycash.de wrote:
> I was happy too early. Now, I got exactly the same problem, but I didn't change anything.
>
> Is it possible that my winbind cache gets destroyed somehow?
>
> testparm -vv -s  | grep winbind
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Loaded services file OK.
> 'winbind separator = +' might cause problems with group membership.
> Server role: ROLE_DOMAIN_MEMBER
> 	winbind separator = +
> 	winbind cache time = 300
> 	winbind reconnect delay = 30
> 	winbind max clients = 200
> 	winbind enum users = Yes
> 	winbind enum groups = Yes
> 	winbind use default domain = Yes
> 	winbind trusted domains only = No
> 	winbind nested groups = Yes
> 	winbind expand groups = 4
> 	winbind nss info = rfc2307
> 	winbind refresh tickets = Yes
> 	winbind offline logon = No
> 	winbind normalize names = Yes
> 	winbind rpc only = No
> 	winbind max domain connections = 1
>
> Best regards
> Björn
>
>
> -----Original Message-----
> From: Becker, Björn
> Sent: Friday, 14 February 2014 17:47
> To: Becker, Björn; rowlandpenny at googlemail.com; samba at lists.samba.org
> Subject: Re: [Samba] CentOS Samba as Domain Member
>
> Uhhh, it's solved. I had to clear the winbind cache for sure:
>
> /etc/init.d/winbind stop
> rm /var/lib/samba/winbindd_*tdb
> /etc/init.d/winbind start
>
> Best regards
> Björn
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] on behalf of Becker, Björn
> Sent: Friday, 14 February 2014 16:36
> To: rowlandpenny at googlemail.com; samba at lists.samba.org
> Subject: Re: [Samba] CentOS Samba as Domain Member
>
>> You are welcome, but be aware that without the RFC2307 attributes you could have different id numbers on different samba servers.
> Thanks! These configurations are for workstations only, I guess this will not become a problem there.. hopefully :).
>
> I now run into the next problem while trying to log in with a domain user against sshd. I receive these error messages:
>
> Feb 14 16:27:33 PC3370CO sshd[18555]: Invalid user bb from
> Feb 14 16:27:33 PC3370CO sshd[18556]: input_userauth_request: invalid user bb
> Feb 14 16:27:37 PC3370CO sshd[18555]: pam_unix(sshd:auth): check pass; user unknown
> Feb 14 16:27:37 PC3370CO sshd[18555]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3214ub
> Feb 14 16:27:38 PC3370CO sshd[18555]: pam_succeed_if(sshd:auth): error retrieving information about user bb
> Feb 14 16:27:40 PC3370CO sshd[18555]: Failed password for invalid user bb port 39674 ssh2
>
> My nsswitch.conf:
>
> passwd:     files winbind
> shadow:     files
> group:      files winbind
>
> And this is my pam config:
>
> cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_fprintd.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_winbind.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_winbind.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
>
>
> I don't understand why the domain user is invalid. With getent passwd I can see my user.
>
>
> Best regards
> Björn
>
>
> -----Original Message-----
> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Sent: Friday, 14 February 2014 15:03
> To: Becker, Björn; samba at lists.samba.org
> Subject: Re: Re: Re: [Samba] CentOS Samba as Domain Member
>
> On 14/02/14 13:41, Bjoern.Becker at easycash.de wrote:
>> On 14/02/14 12:38, Bjoern.Becker at easycash.de wrote:
>>> Hi,
>>>
>>> yes, I installed it via yum. But the links under /lib were not available:
>>>
>>> rpm -qa | grep samba
>>> samba-winbind-clients-3.6.9-167.el6_5.x86_64
>>> samba-3.6.9-167.el6_5.x86_64
>>> samba4-libs-4.0.0-60.el6_5.rc4.x86_64
>>> samba-client-3.6.9-167.el6_5.x86_64
>>> samba-winbind-3.6.9-167.el6_5.x86_64
>>> samba-common-3.6.9-167.el6_5.x86_64
>>>
>>> Wondering a bit about samba4-libs....
>>>> Did samba4-libs get installed automatically ?
>> I would like to say yes, but I can't reproduce it. I got a really clean install and just installed some basic packages. Puppet ensured that "samba" is present.
>> I uninstalled everything and cleaned it up to reinstall it through puppet again, and now the samba4-libs aren't installed....
> Strange, but you don't need samba4-libs anyway.
>
>>> I'm connecting against an Active Directory.
>>>
>>> # smb.conf
>>> #======================= Global Settings =====================================
>>> 	
>>> [global]
>>> 	
>>> 	workgroup = DOM_RAT
>>> 	server string = Samba Server Version %M
>>> 	security = ADS
>>> 	realm = DOM.DE
>>> 	workgroup = DOM_RAT
>>> 	winbind separator = +
>>> 	winbind enum users = yes
>>> 	winbind enum groups = yes
>>> 	template homedir = /home/%D/%U
>>> 	template shell = /bin/bash
>>> 	client use spnego = yes
>>> 	client ntlmv2 auth = yes
>>> 	encrypt passwords = yes
>>> 	winbind use default domain = yes
>>> 	restrict anonymous = 2
>>> 	domain master = no
>>> 	local master = no
>>> 	preferred master = no
>>> 	os level = 0
>>> 	winbind offline logon = no
>>>> OK, you need to add something like this:
>>>>           kerberos method = secrets and keytab
>>>>           winbind expand groups = 4
>>>>           winbind nss info = rfc2307
>>>>           winbind refresh tickets = Yes
>>>>           winbind normalize names = Yes
>>>>           idmap config DOM_RAT:schema_mode = rfc2307
>>>>           idmap config DOM_RAT:range = 500-40000
>>>>           idmap config DOM_RAT:backend = ad
>>>>           idmap config *:range = 70001-80000
>>>>           idmap config *:backend = tdb
>>>>
>>>> Then restart samba. This will rely on the RFC2307 uidNumber & gidNumber attributes being available in AD; if not, change 'idmap config DOM_RAT:backend = ad' to 'idmap config DOM_RAT:backend = rid'
>> Yay! That's it. With backend = rid it works finally!
>>
>> Thank you very much!
> You are welcome, but be aware that without the RFC2307 attributes you could have different id numbers on different samba servers.
>
> Rowland
>>>> Also have you added 'winbind' to the passwd & group lines in /etc/nsswitch.conf ?
>> Yes.
>>
>> Rowland
>>
>>> Best regards, Björn
>>>
>>>
>>> -----Original Message-----
>>> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
>>> Sent: Friday, 14 February 2014 13:34
>>> To: Becker, Björn; samba at lists.samba.org
>>> Subject: Re: [Samba] CentOS Samba as Domain Member
>>>
>>> On 14/02/14 11:54, Bjoern.Becker at easycash.de wrote:
>>>> Hello,
>>>>
>>>> I use CentOS 6.5 and smbd 3.6.9-167.el6_5.
>>>>
>>>> I can successfully execute wbinfo -u and wbinfo -g, but getent passwd doesn't work.
>>>>
>>>> nsswitch.conf
>>>> passwd:     files winbind
>>>> shadow:     files
>>>> group:      files winbind
>>>>
>>>> I read in the Samba manual that I have to link libnss_winbind.so to /lib. I did that, but it doesn't work anyway:
>>>>
>>>> ls -ltr /lib/lib*
>>>> lrwxrwxrwx. 1 root root 28 14. Feb 12:34 /lib/libnss_winbind.so -> /usr/lib64/libnss_winbind.so
>>>> lrwxrwxrwx. 1 root root 26 14. Feb 12:38 /lib/libnss_files.so -> /usr/lib64/libnss_files.so
>>>> lrwxrwxrwx. 1 root root 26 14. Feb 12:40 /lib/libnss_winbind.so.2 -> /lib64/libnss_winbind.so.2
>>>>
>>>> Can anyone help me out?
>>>>
>>>> Thanks!
>>>>
>>>> Best regards, Björn
>>>>
>>>>
>>> I take it that you are running the machine as a client and installed
>>> samba 3.6.9 via yum? If so then you shouldn't have to create the
>>> links, yum should have done it for you.
>>>
>>> What is the client connecting to? And could you please post the
>>> smb.conf from this client.
>>>
>>> Rowland
Is winbind crashing? What does 'ps ax | grep winbind' show?

Rowland
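The idmap settings suggested in the thread only work if the DOM_RAT range and the '*' default range stay disjoint and the default range is actually present. The POSIX shell snippet below is an added example that is not part of the thread: it parses a constructed smb.conf fragment built from the thread's values (the SMB_CONF_SAMPLE text and the function names are mine) and flags overlapping or missing idmap ranges before winbind is restarted.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check the idmap ranges in an
# smb.conf before restarting winbind. Samba requires the per-domain range and
# the '*' default range to be disjoint; overlapping ranges break id mapping.
# SMB_CONF_SAMPLE is a constructed fragment built from the thread's values.
SMB_CONF_SAMPLE='[global]
	workgroup = DOM_RAT
	security = ADS
	idmap config DOM_RAT:backend = rid
	idmap config DOM_RAT:range = 500-40000
	idmap config *:backend = tdb
	idmap config *:range = 70001-80000'

# idmap_ranges CONFIG_TEXT: print one "domain low high" line per
# "idmap config <domain>:range = low-high" setting found in CONFIG_TEXT.
idmap_ranges() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*idmap config[[:space:]]*\([^[:space:]:]*\):range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# has_default_idmap_range CONFIG_TEXT: succeed only if a '*' range is set,
# since winbind needs it for BUILTIN and other non-primary-domain SIDs.
has_default_idmap_range() {
    idmap_ranges "$1" | awk '$1 == "*" { found = 1 } END { exit !found }'
}

# check_idmap_overlap CONFIG_TEXT: succeed if no two ranges overlap; on
# overlap, print the offending pair and fail (awk exits with status 1).
check_idmap_overlap() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Usage: run both checks against the sample (or against the live file with
# check_idmap_overlap "$(cat /etc/samba/smb.conf)").
has_default_idmap_range "$SMB_CONF_SAMPLE" && check_idmap_overlap "$SMB_CONF_SAMPLE" \
    && echo "idmap ranges OK"
```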

