[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers
rowlandpenny at googlemail.com
Wed Jan 8 03:41:54 MST 2014
On 07/01/14 23:05, Georg Vorlaufer wrote:
> So I tried all your suggestions but no success.
> Just to confirm I set up a new domain member using debian wheezy and
> the standard samba packages provided with the distro (I believe it is 3.6.6)
> Login via ssh and a domain user works absolutely perfect with the
> smb.conf and pam settings as described in one of my previous posts.
> So that makes me come back to my original question: Are there known
> with the combination of samba4.1.3 pam-winbind (and debian wheezy) ?
> Thanks again
> 2014/1/3 Georg Vorlaufer <georg.vorlaufer at gmail.com
> <mailto:georg.vorlaufer at gmail.com>>
> Sorry for the misunderstanding. I try to login to one of my domain
> members via ssh using a domain user account (ssh login with root
> is working ok). While this is working for an opensuse 13.1 domain
> member, it is not for a debian wheezy domain member. Right now I
> am away from home, but I will try your suggestions as soon as I am
> Thank you for your effort. Greetings, Georg
> On 03.01.2014 12:53, "Rowland Penny"
> <rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>> wrote:
> On 02/01/14 23:55, Georg Vorlaufer wrote:
>> Tried the template shell option with no change -- anyway my
>> ad user entries have loginshell and unixhomedirectory set.
>> I also would say that the tls options only affect the way one
>> can connect to the active directory domain controller via
>> Furthermore, these options are specified on the ad-dc and not
>> on the machine I try to ssh to.
>> 2014/1/3 Michael Wood <esiotrot at gmail.com
>> <mailto:esiotrot at gmail.com>>
>> On 02 Jan 2014 10:31 PM, "Rowland Penny"
>> <rowlandpenny at googlemail.com
>> <mailto:rowlandpenny at googlemail.com>> wrote:
>> > On 02/01/14 19:54, Georg Vorlaufer wrote:
>> >> tls enabled = yes
>> >> tls keyfile = tls/raspberrypi.key
>> >> tls certfile = tls/raspberrypi.crt
>> >> tls cafile = tls/ca.crt
>> > If adding the line above doesn't work, comment out the
>> four lines above, I do not use tls and ssh works, so it
>> may be failing here.
>> > Rowland
>> The tls options should not interfere with SSH at all.
>> They allow connecting to Samba over LDAPS and I don't
>> think they have anything to do with Kerberos.
>> Michael Wood
> OK, I thought that you were trying to log in to the samba4
> server and I do not have/use tls on the server, so I was
> offering this as a possible problem.
> So, just where are you trying to log in to and where from, as
> I can also log in to my LM 15 laptop from another machine via
Hi, just to say that I set up debian wheezy in a VM and then set up
sernet-samba as the OP did and I could not get winbind to work. I tried
everything that I could think of but to no avail. I then tried to
install sssd instead, but it would seem that if you are using the sernet
samba packages you cannot install sssd. So, at risk of upsetting Sernet,
I cannot recommend their packages at all until they stop naming them
sernet-*. But all is not lost, Ubuntu 14.04 will have sssd 1.11.3 and,
at the moment, Samba 4.0.13 and with a bit of luck will get Samba 4.1.3
(this is in Jessie now). So with 5 years of updates, this will make a
better platform than Debian Wheezy.