[Samba] Problem with Active Directory authentication

Rowland penny rpenny at samba.org
Fri Jun 10 17:54:18 UTC 2016


On 10/06/16 17:49, Kaplan, Andrew H. wrote:
> Hello --
>
> I removed the ldap and sssd packages from the server, and I am trying 
> to get winbind to work on the system.
>
> The configuration of the /etc/samba/smb.conf file's global section is 
> the following:
>
> [global]
>
> ## Browsing/Identification ###
>
> # Change this to the workgroup/NT-domain name your Samba server will 
> part of
>    security = ads
>    realm = <domain name>
>    workgroup = <domain>
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
>    winbind enum users = yes
>    winbind enum groups = yes
>    template homedir =  /home/%D/%U
>    template shell = /bin/bash
>    client use spnego = yes
>    client ntlmv2 auth = yes
>    encrypt passwords = yes
>    winbind use default domain = yes
>    restrict anonymous = 2
>
> While that of the /etc/nsswitch.conf file reads as follows:
>
> passwd:         compat  winbind
> group:          compat  winbind
> shadow:         compat
>
> hosts:  files dns
> ...
>
> The /etc/krb5.conf file has the domain name in capital letters for the 
> default_realm entry.
>
> I was able to join the server to the domain.
>
> When I ran the getent <username>@<DOMAINNAME> command, the output was 
> the following:
>
> <DOMAINNAME>\<username>:*:10000:10005:<lastname>, 
> <firstname>.:/home/<DOMAIN>/<username>:/bin/false
>
> I attempted to log into the system via ssh using the following command 
> syntax:
>
> ssh -l <username>@<DOMAINNAME> <server fqdn>
>
> The connection was made, but it was immediately closed. I am guessing 
> the /bin/false shell could be what is causing the problem.
>
> The auth.log file also had the following entries:
>
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=microknoppix.mgh.harvard.edu user=ahk at PARTNERS.ORG
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): 
> getting password (0x00000388)
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): 
> pam_get_item returned a password
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): 
> user '<DOMAINNAME>\<username>' granted access
> Jun 10 12:44:00 <samba server> sshd[13560]: Accepted password for 
> <username>@<DOMAINNAME> from <ip address> port 54879 ssh2
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): 
> session opened for user <DOMAINNAME>\<username> by (uid=0)
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_systemd(sshd:session): 
> Failed to create session: No such file or directory
> Jun 10 12:44:00 <samba server> sshd[13560]: 
> pam_mkhomedir(sshd:session): unknown option: umask
> Jun 10 12:44:00 <samba server> sshd[13560]: 
> pam_mkhomedir(sshd:session): unknown option: 0022
> Jun 10 12:44:00 <samba server> sshd[13608]: Received disconnect from 
> <ip address>: disconnected by user
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): 
> session closed for user <DOMAINNAME>\<username>
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:setcred): 
> user '<DOMAINNAME>\<username>' OK
>
> The pam-auth-update command indicated the following were enabled:
>
> Unix authentication
> Winbind NT/Active Directory authentication
> Register user sessions in the systemd control group hierarchy
> Inheritable Capabilities Management
>
>

Try looking here for info on how to set up a domain member:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

I know it works, because it is based on my smb.conf

I also have this line in smb.conf: 'winbind use default domain = yes'
This means I don't have to use the domain name; when I ssh into the DC, 
I just do this:

rowland at debnet:~$ ssh rowland at dc1
rowland at dc1's password:
Linux dc1 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-1 (2016-03-06) x86_64

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 10 18:44:25 2016 from debnet.samdom.example.com

I have never been able to log in using the user's UPN; I have a feeling 
the code to do this just isn't there.

Rowland
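The auth.log excerpt quoted above shows pam_winbind granting access, then session-phase module errors, then the session closing within the same second, while getent returns /bin/false as the shell. The script below is an added example, not code from this thread or from Samba: it parses a constructed copy of those log lines and of the getent record (hostname, user, domain and IP are placeholders) and separates the auth-phase result from the session-phase failures so the right layer gets investigated.

```python
import re

# Constructed sample modelled on the auth.log excerpt quoted in the thread (placeholder values).
SAMPLE_AUTH_LOG = """\
Jun 10 12:44:00 srv sshd[13560]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example user=ahk@EXAMPLE.ORG
Jun 10 12:44:00 srv sshd[13560]: pam_winbind(sshd:auth): user 'EXAMPLE\\ahk' granted access
Jun 10 12:44:00 srv sshd[13560]: Accepted password for ahk@EXAMPLE.ORG from 192.0.2.10 port 54879 ssh2
Jun 10 12:44:00 srv sshd[13560]: pam_unix(sshd:session): session opened for user EXAMPLE\\ahk by (uid=0)
Jun 10 12:44:00 srv sshd[13560]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Jun 10 12:44:00 srv sshd[13560]: pam_mkhomedir(sshd:session): unknown option: umask
Jun 10 12:44:00 srv sshd[13560]: pam_mkhomedir(sshd:session): unknown option: 0022
Jun 10 12:44:00 srv sshd[13560]: pam_unix(sshd:session): session closed for user EXAMPLE\\ahk
"""

# Constructed getent passwd record shaped like the one quoted above (shell is /bin/false).
SAMPLE_PASSWD = r"EXAMPLE\ahk:*:10000:10005:Lastname, Firstname.:/home/EXAMPLE/ahk:/bin/false"

# Shells that allow an interactive login; on a real host read /etc/shells instead.
LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}

# Captures PID, PAM module, PAM phase and the module's message from an sshd log line.
PAM_RE = re.compile(r"sshd\[(\d+)\]: (\w+)\(sshd:(auth|session|setcred)\): (.*)$")


def triage_passwd(record):
    """Return findings from a getent passwd line that would stop an interactive login."""
    fields = record.split(":")
    if len(fields) != 7:
        return ["malformed passwd record"]
    shell = fields[6]
    if shell not in LOGIN_SHELLS:
        return [f"shell {shell} is not an interactive login shell"]
    return []


def triage_auth_log(text):
    """Group PAM results per sshd PID: auth_ok says whether pam_winbind granted access,
    session_errors lists session-phase module failures (PAM session config, not winbind)."""
    by_pid = {}
    for line in text.splitlines():
        m = PAM_RE.search(line)
        if not m:
            continue
        pid, module, phase, msg = m.groups()
        entry = by_pid.setdefault(pid, {"auth_ok": False, "session_errors": []})
        if phase == "auth" and module == "pam_winbind" and "granted access" in msg:
            entry["auth_ok"] = True
        if phase == "session" and ("unknown option" in msg or "Failed" in msg):
            entry["session_errors"].append(f"{module}: {msg}")
    return by_pid
```

On the sample, authentication for PID 13560 succeeds and three session-phase errors are reported, so the closed connection is a session/shell problem rather than a winbind authentication failure.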
