[Samba] CentOS Samba as Domain Member
Bjoern.Becker at easycash.de
Tue Feb 25 09:39:42 MST 2014
Hello,
I'm not able to solve this issue. But I was able to isolate the problem.
I can log in with an Active Directory user when I execute wbinfo -u and getent passwd. Directly after that, the login with an AD user succeeds:
Feb 25 17:21:34 PC3369CO sshd[3144]: pam_krb5[3144]: authentication succeeds for 'adminbb' (adminbb at DOM.DE)
Feb 25 17:21:38 PC3369CO sshd[3144]: pam_winbind(sshd:account): user 'adminbb' granted access
Feb 25 17:21:38 PC3369CO sshd[3144]: Accepted password for adminbb from 10.128.37.62 port 32808 ssh2
Feb 25 17:21:40 PC3369CO sshd[3144]: pam_unix(sshd:session): session opened for user adminbb by (uid=0)
Feb 25 17:21:47 PC3369CO sshd[3160]: Received disconnect from 10.128.37.62: 11: disconnected by user
Feb 25 17:21:47 PC3369CO sshd[3144]: pam_unix(sshd:session): session closed for user adminbb
When I reboot the system and try to log in with the AD user without typing "wbinfo -u" and "getent passwd", the login fails:
Feb 25 17:23:55 PC3369CO sshd[2828]: Invalid user adminbb from 10.128.37.62
Feb 25 17:23:55 PC3369CO sshd[2829]: input_userauth_request: invalid user adminbb
Feb 25 17:24:00 PC3369CO sshd[2828]: pam_unix(sshd:auth): check pass; user unknown
Feb 25 17:24:00 PC3369CO sshd[2828]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3214ub.dom.de
Feb 25 17:24:01 PC3369CO sshd[2828]: pam_succeed_if(sshd:auth): error retrieving information about user adminbb
Feb 25 17:24:02 PC3369CO sshd[2828]: Failed password for invalid user adminbb from 10.128.37.62 port 32990 ssh2
So the problem, imho, seems to be related to the cache. After booting the system, the winbind cache seems to be empty and my AD user isn't found.
After executing wbinfo, the winbind cache has my AD user and I can log in without any problem.
Is that somehow normal behaviour, or could that be due to some misconfiguration?
smb.conf
[global]
workgroup = DOM_RAT
server string = Samba Server Version %M
security = ADS
realm = DOM.DE
workgroup = DOM_RAT
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
winbind offline logon = no
kerberos method = secrets and keytab
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes
idmap config DOM_RAT:schema_mode = rfc2307
idmap config DOM_RAT:range = 500-40000
idmap config DOM_RAT:backend = rid
idmap config *:range = 70001-80000
idmap config *:backend = tdb
# testparm -s -vv | grep winbind
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
winbind separator = +
winbind cache time = 300
winbind reconnect delay = 30
winbind max clients = 200
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = No
winbind normalize names = Yes
winbind rpc only = No
winbind max domain connections = 1
Mit freundlichen Grüßen / Best regards
Björn
>-----Original Message-----
>From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Becker, Björn
>Sent: Friday, 14 February 2014 19:32
>To: rowlandpenny at googlemail.com; samba at lists.samba.org
>Subject: Re: [Samba] CentOS Samba as Domain Member
>
>On 14/02/14 17:41, Bjoern.Becker at easycash.de wrote:
>> I was happy too early. Now I got exactly the same problem, but I didn't change anything.
>>
>> Is it possible that my winbind cache gets destroyed somehow?
>>
>> testparm -vv -s | grep winbind
>> Load smb config files from /etc/samba/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Loaded services file OK.
>> 'winbind separator = +' might cause problems with group membership.
>> Server role: ROLE_DOMAIN_MEMBER
>> winbind separator = +
>> winbind cache time = 300
>> winbind reconnect delay = 30
>> winbind max clients = 200
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind trusted domains only = No
>> winbind nested groups = Yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind offline logon = No
>> winbind normalize names = Yes
>> winbind rpc only = No
>> winbind max domain connections = 1
>>
>> Mit freundlichen Grüßen / Best regards Björn
>>
>>
>> -----Original Message-----
>> From: Becker, Björn
>> Sent: Friday, 14 February 2014 17:47
>> To: Becker, Björn; rowlandpenny at googlemail.com; samba at lists.samba.org
>> Subject: AW: [Samba] CentOS Samba as Domain Member
>>
>> Uhhh, it's solved. I had to clear the winbind cache for sure:
>>
>> /etc/init.d/winbind stop
>> rm /var/lib/samba/winbindd_*tdb
>> /etc/init.d/winbind start
>>
>> Mit freundlichen Grüßen / Best regards Björn
>>
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Becker, Björn
>> Sent: Friday, 14 February 2014 16:36
>> To: rowlandpenny at googlemail.com; samba at lists.samba.org
>> Subject: Re: [Samba] CentOS Samba as Domain Member
>>
>>> You are welcome, but be aware that without the RFC2307 attributes you could have different id numbers on different samba servers.
>> Thanks! These configurations are for workstations only; I guess this will not become a problem there... hopefully :).
>>
>> I now run into the next problem while trying to log in with a domain user against sshd. I receive these error messages:
>>
>> Feb 14 16:27:33 PC3370CO sshd[18555]: Invalid user bb from
>> Feb 14 16:27:33 PC3370CO sshd[18556]: input_userauth_request: invalid user bb
>> Feb 14 16:27:37 PC3370CO sshd[18555]: pam_unix(sshd:auth): check pass; user unknown
>> Feb 14 16:27:37 PC3370CO sshd[18555]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3214ub
>> Feb 14 16:27:38 PC3370CO sshd[18555]: pam_succeed_if(sshd:auth): error retrieving information about user bb
>> Feb 14 16:27:40 PC3370CO sshd[18555]: Failed password for invalid user bb port 39674 ssh2
>>
>> My nsswitch.conf:
>>
>> passwd: files winbind
>> shadow: files
>> group: files winbind
>>
>> And this is my pam config:
>>
>> cat /etc/pam.d/system-auth
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth sufficient pam_fprintd.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_winbind.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so broken_shadow
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3 type=
>> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>> password sufficient pam_winbind.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session required pam_unix.so
>>
>>
>> I don't understand why the domain user is invalid. With getent passwd I can see my user.
>>
>>
>> Mit freundlichen Grüßen / Best regards
>> Björn
>>
>>
>> -----Original Message-----
>> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
>> Sent: Friday, 14 February 2014 15:03
>> To: Becker, Björn; samba at lists.samba.org
>> Subject: Re: AW: AW: [Samba] CentOS Samba as Domain Member
>>
>> On 14/02/14 13:41, Bjoern.Becker at easycash.de wrote:
>>> On 14/02/14 12:38, Bjoern.Becker at easycash.de wrote:
>>>> Hi,
>>>>
>>>> yes, I installed it via yum. But the links under /lib were not available:
>>>>
>>>> rpm -qa | grep samba
>>>> samba-winbind-clients-3.6.9-167.el6_5.x86_64
>>>> samba-3.6.9-167.el6_5.x86_64
>>>> samba4-libs-4.0.0-60.el6_5.rc4.x86_64
>>>> samba-client-3.6.9-167.el6_5.x86_64
>>>> samba-winbind-3.6.9-167.el6_5.x86_64
>>>> samba-common-3.6.9-167.el6_5.x86_64
>>>>
>>>> Wondering a bit about samba4-libs....
>>>>> Did samba4-libs get installed automatically ?
>>> I would like to say yes, but I can't reproduce it. I got a really clean install and just installed some basic packages. Puppet ensured that "samba" is present.
>>> I uninstalled everything and cleaned it up to reinstall it through Puppet again, and now the samba4-libs aren't installed....
>> Strange, but you don't need samba4-libs anyway.
>>
>>>> I'm connecting to an Active Directory.
>>>>
>>>> # smb.conf
>>>> #======================= Global Settings
>>>> =====================================
>>>>
>>>> [global]
>>>>
>>>> workgroup = DOM_RAT
>>>> server string = Samba Server Version %M
>>>> security = ADS
>>>> realm = DOM.DE
>>>> workgroup = DOM_RAT
>>>> winbind separator = +
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> template homedir = /home/%D/%U
>>>> template shell = /bin/bash
>>>> client use spnego = yes
>>>> client ntlmv2 auth = yes
>>>> encrypt passwords = yes
>>>> winbind use default domain = yes
>>>> restrict anonymous = 2
>>>> domain master = no
>>>> local master = no
>>>> preferred master = no
>>>> os level = 0
>>>> winbind offline logon = no
>>>>> OK, you need to add something like this:
>>>>> kerberos method = secrets and keytab
>>>>> winbind expand groups = 4
>>>>> winbind nss info = rfc2307
>>>>> winbind refresh tickets = Yes
>>>>> winbind normalize names = Yes
>>>>> idmap config DOM_RAT:schema_mode = rfc2307
>>>>> idmap config DOM_RAT:range = 500-40000
>>>>> idmap config DOM_RAT:backend = ad
>>>>> idmap config *:range = 70001-80000
>>>>> idmap config *:backend = tdb
>>>>> Then restart samba. This will rely on the RFC2307 uidNumber & gidNumber attributes being available in AD; if not, change 'idmap config DOM_RAT:backend = ad' to 'idmap config DOM_RAT:backend = rid'.
>>> Yay! That's it. With backend = rid it works finally!
>>>
>>> Thank you very much!
>> You are welcome, but be aware that without the RFC2307 attributes you could have different id numbers on different samba servers.
>>
>> Rowland
>>>>> Also have you added 'winbind' to the passwd & group lines in /etc/nsswitch.conf ?
>>> Yes.
>>>
>>> Rowland
>>>
>>>> Mit freundlichen Grüßen / Best regards Björn
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
>>>> Sent: Friday, 14 February 2014 13:34
>>>> To: Becker, Björn; samba at lists.samba.org
>>>> Subject: Re: [Samba] CentOS Samba as Domain Member
>>>>
>>>> On 14/02/14 11:54, Bjoern.Becker at easycash.de wrote:
>>>>> Hello,
>>>>>
>>>>> I use CentOS 6.5 and smbd 3.6.9-167.el6_5.
>>>>>
>>>>> I can successfully execute wbinfo -u and wbinfo -g, but getent passwd doesn't work.
>>>>>
>>>>> nsswitch.conf
>>>>> passwd: files winbind
>>>>> shadow: files
>>>>> group: files winbind
>>>>>
>>>>> I read in the Samba manual that I have to link libnss_winbind.so to /lib; I did that, but it doesn't work anyway:
>>>>>
>>>>> ls -ltr /lib/lib*
>>>>> lrwxrwxrwx. 1 root root 28 14. Feb 12:34 /lib/libnss_winbind.so -> /usr/lib64/libnss_winbind.so
>>>>> lrwxrwxrwx. 1 root root 26 14. Feb 12:38 /lib/libnss_files.so -> /usr/lib64/libnss_files.so
>>>>> lrwxrwxrwx. 1 root root 26 14. Feb 12:40 /lib/libnss_winbind.so.2 -> /lib64/libnss_winbind.so.2
>>>>>
>>>>> Can anyone help me out?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Mit freundlichen Grüßen / Best regards Björn
>>>>>
>>>>>
>>>> I take it that you are running the machine as a client and installed samba 3.6.9 via yum? If so then you shouldn't have to create the links; yum should have done it for you.
>>>>
>>>> What is the client connecting to? And could you please post the smb.conf from this client.
>>>>
>>>> Rowland
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
>> Is winbind crashing? what does 'ps ax | grep winbind' show?
>
>> Rowland
>
>No, it's not crashing:
>
>ps ax | grep winbind
> 3275 ? Ss 0:00 winbindd
> 3277 ? S 0:00 winbindd
> 3285 pts/0 S+ 0:00 grep winbind
>
>The weird thing is,
>- I start the computer
>- /etc/init.d/smb start
>- /etc/init.d/winbind start
>- wbinfo -u ( just to check )
>- Then I can log in with an AD user
>- /etc/init.d/smb restart
>- /etc/init.d/winbind restart
>- and I can't log in with an AD user anymore
>
>So it seems to work just sometimes...
>
>I turned the log level up to 5 now and log.winbindd says:
>
>[2014/02/14 19:28:08.394564, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
> [ 3330]: request interface version
>[2014/02/14 19:28:08.394777, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
> [ 3330]: request location of privileged pipe
>[2014/02/14 19:28:08.395098, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam adminbb
>[2014/02/14 19:28:08.913693, 5] libads/ldap_utils.c:80(ads_do_search_retry_internal)
> Search for (uid=adminbb) in <dc=EASYCASH,dc=DE> gave 0 replies
>[2014/02/14 19:28:08.913779, 5] winbindd/winbindd_cache.c:1264(resolve_alias_to_username)
> resolve_alias_to_username: backend query returned NT_STATUS_OBJECT_NAME_NOT_FOUND
>[2014/02/14 19:28:08.913886, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>^C
>
>
>Björn
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
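The two symptoms quoted in this thread, sshd rejecting the domain account as "Invalid user" while the winbindd debug log shows the getpwnam lookup ending in NT_STATUS_NONE_MAPPED, can be tied together automatically rather than by reading both logs side by side. The Python script below is an added example, not part of the thread and not a Samba tool: it parses sshd and winbindd log text in the formats quoted above and labels each login attempt. The sample log lines embedded in it are constructed for the example (host name, PIDs, IP address and the DOM.DE realm are placeholders), and only the message patterns come from the thread.

```python
"""Correlate sshd log lines with winbindd debug output to explain why a
domain account was rejected as an "Invalid user" on a Samba domain member.
Added example, not from the thread or from Samba; the sample log text is
constructed from the formats quoted in the thread."""
import re

# sshd: the account was unknown to NSS, or pam_winbind authorised it
SSHD_INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from")
SSHD_GRANTED = re.compile(r"pam_winbind\(sshd:account\): user '([^']+)' granted access")
# winbindd at log level >= 3: the lookup request and its backend results
WB_GETPWNAM = re.compile(r"^\s*getpwnam (\S+)\s*$")
WB_NO_REPLIES = re.compile(r"Search for \(uid=(\S+)\) in <[^>]+> gave 0 replies")
WB_NONE_MAPPED = re.compile(r"Could not convert sid (\S+): NT_STATUS_NONE_MAPPED")

# Constructed sample: one failed getpwnam, in the shape winbindd logs it
SAMPLE_WINBIND_LOG = """\
[2014/02/14 19:28:08.395098, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam adminbb
[2014/02/14 19:28:08.913693, 5] libads/ldap_utils.c:80(ads_do_search_retry_internal)
  Search for (uid=adminbb) in <dc=DOM,dc=DE> gave 0 replies
[2014/02/14 19:28:08.913779, 5] winbindd/winbindd_cache.c:1264(resolve_alias_to_username)
  resolve_alias_to_username: backend query returned NT_STATUS_OBJECT_NAME_NOT_FOUND
[2014/02/14 19:28:08.913886, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
"""

# Constructed sample: a successful login, the same account failing later,
# and a name that nothing on the system knows about
SAMPLE_AUTH_LOG = """\
Feb 25 17:21:34 host1 sshd[3144]: pam_krb5[3144]: authentication succeeds for 'adminbb' (adminbb at DOM.DE)
Feb 25 17:21:38 host1 sshd[3144]: pam_winbind(sshd:account): user 'adminbb' granted access
Feb 25 17:21:38 host1 sshd[3144]: Accepted password for adminbb from 10.0.0.5 port 32808 ssh2
Feb 25 17:23:55 host1 sshd[2828]: Invalid user adminbb from 10.0.0.5
Feb 25 17:24:02 host1 sshd[2828]: Failed password for invalid user adminbb from 10.0.0.5 port 32990 ssh2
Feb 25 17:30:01 host1 sshd[2901]: Invalid user nosuchuser from 10.0.0.5
"""


def winbind_failures(winbind_log):
    """Return {user: [reasons]} for every getpwnam that winbindd could not
    satisfy.  The request line names the user; the backend result lines
    that follow (until the next request) are attributed to that user."""
    failures = {}
    current = None
    for line in winbind_log.splitlines():
        m = WB_GETPWNAM.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = WB_NO_REPLIES.search(line)
        if m:
            failures.setdefault(current, []).append(
                "LDAP search for uid=%s returned 0 replies" % m.group(1))
        m = WB_NONE_MAPPED.search(line)
        if m:
            failures.setdefault(current, []).append(
                "sid %s could not be mapped (NT_STATUS_NONE_MAPPED)" % m.group(1))
    return failures


def classify_sshd(auth_log, wb_failures):
    """Label each login attempt found in the sshd log.
    Returns [(user, verdict)] in log order."""
    results = []
    for line in auth_log.splitlines():
        m = SSHD_INVALID.search(line)
        if m:
            user = m.group(1)
            if user in wb_failures:
                verdict = "NSS lookup failed in winbindd: " + "; ".join(wb_failures[user])
            else:
                verdict = "unknown to NSS (no matching winbindd failure logged)"
            results.append((user, verdict))
            continue
        m = SSHD_GRANTED.search(line)
        if m:
            results.append((m.group(1), "resolved and granted access by pam_winbind"))
    return results


if __name__ == "__main__":
    for user, verdict in classify_sshd(SAMPLE_AUTH_LOG, winbind_failures(SAMPLE_WINBIND_LOG)):
        print("%-12s %s" % (user, verdict))
```

Feeding it the two sample logs yields one granted login for adminbb, one adminbb rejection explained by the winbindd lookup that returned 0 replies and NT_STATUS_NONE_MAPPED, and one "Invalid user" that no winbindd failure explains; the last kind is what a plain typo or a local-only account looks like, which keeps cache trouble apart from ordinary failed logins when you watch these logs.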
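Several of the settings discussed in this thread (the idmap backend and ranges, the rid/ad choice, winbind on the passwd and group lines of nsswitch.conf, the 'winbind separator = +' warning that testparm prints) can be checked from the configuration files alone before anyone tries to log in. The Python checker below is an added example and not part of Samba or of the thread; it parses the [global] section of smb.conf and the databases in nsswitch.conf and reports what it can decide from the text. The two embedded config texts are constructed from the smb.conf and nsswitch.conf quoted above, and the uid_min parameter (500, the UID_MIN of CentOS 6) is an assumption made for the example.

```python
"""Sanity-check the winbind/idmap settings of a Samba domain member from the
text of smb.conf and nsswitch.conf.  Added example, not a Samba tool; the
config texts below are constructed from the ones quoted in the thread."""
import re

SAMPLE_SMB_CONF = """\
[global]
workgroup = DOM_RAT
server string = Samba Server Version %M
security = ADS
realm = DOM.DE
workgroup = DOM_RAT
winbind separator = +
winbind use default domain = yes
template homedir = /home/%D/%U
idmap config DOM_RAT:schema_mode = rfc2307
idmap config DOM_RAT:range = 500-40000
idmap config DOM_RAT:backend = rid
idmap config *:range = 70001-80000
idmap config *:backend = tdb
"""

SAMPLE_NSSWITCH = """\
passwd:     files winbind
shadow:     files
group:      files winbind
"""


def parse_smb_global(text):
    """Return ({key: value}, [duplicated keys]) for the [global] section.
    Keys are lowercased and whitespace-normalised, so 'Winbind  Separator'
    and 'winbind separator' are the same key, as they are for Samba."""
    values, dupes, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())
        if key in values:
            dupes.append(key)
        values[key] = value
    return values, dupes


def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs


def check_domain_member(smb_text, nss_text, uid_min=500):
    """Return a list of findings.  uid_min (assumed) is where locally created
    accounts start: UID_MIN in /etc/login.defs, 500 on CentOS 6."""
    g, dupes = parse_smb_global(smb_text)
    nss = parse_nsswitch(nss_text)
    findings = []
    for key in sorted(set(dupes)):
        findings.append("duplicate key '%s' in [global]; the last value (%s) wins" % (key, g[key]))
    if g.get("security", "").lower() == "ads" and not g.get("realm"):
        findings.append("security = ADS but no realm is set")
    wg = g.get("workgroup", "")
    if not wg:
        findings.append("no workgroup set")
    ranges = {}
    for dom in ([wg] if wg else []) + ["*"]:
        prefix = "idmap config %s:" % dom.lower()
        backend = g.get(prefix + "backend", "").lower()
        if not backend:
            findings.append("no '%sbackend' defined" % prefix)
        elif backend != "ad" and prefix + "schema_mode" in g:
            # schema_mode is an idmap_ad option; other backends ignore it
            findings.append("'%sschema_mode' only applies to the ad backend, not %s" % (prefix, backend))
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", g.get(prefix + "range", "").strip())
        if not m or int(m.group(1)) > int(m.group(2)):
            findings.append("no valid '%srange' defined" % prefix)
            continue
        ranges[dom] = (int(m.group(1)), int(m.group(2)))
    if wg in ranges and "*" in ranges:
        (lo1, hi1), (lo2, hi2) = ranges[wg], ranges["*"]
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append("idmap ranges for %s and * overlap" % wg)
    if wg in ranges and ranges[wg][0] <= uid_min:
        findings.append("idmap range for %s starts at %d, at or below UID_MIN %d: "
                        "domain IDs can collide with local accounts" % (wg, ranges[wg][0], uid_min))
    if g.get("winbind separator") == "+":
        findings.append("winbind separator = + : testparm warns this may break group membership")
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append("nsswitch.conf: '%s' line does not include winbind" % db)
    return findings


if __name__ == "__main__":
    for finding in check_domain_member(SAMPLE_SMB_CONF, SAMPLE_NSSWITCH):
        print("-", finding)
```

Run against the thread's configuration it reports the duplicated workgroup key, the schema_mode setting that the rid backend ignores, the domain range starting at the local UID_MIN, and the separator warning testparm also prints; a tdb range overlapping the domain range, or winbind missing from a passwd or group line, would be reported in the same list.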