[Samba] Windows pre-requisites for login with winbind?

A. James Lewis james at fsck.co.uk
Wed Aug 23 13:27:01 UTC 2017


I have to confess here, that on trying again, to get the error... I restarted everything to ensure there were no errant messages, and now installing libpam-krb5 does not cause a problem... the users are assigned a Kerberos ticket when logging in which is nice too...

I must thank you and Rowland both, since I have learned a lot about how Kerberos works in this process, and debugged some issues that would probably have bitten me in future.

However, my original problem remains!... 

That problem is more clearly defined now, "Some users do not show up with 'getent passwd username', while most do."

Those users can authenticate with Kerberos, and they are listed by wbinfo... but cannot log in, since they don't have a "password file entry".

What I need to find out is how it is that some users can authenticate, and are listed by wbinfo... BUT do not get mapped into what would be the password map.

Could it be that one side or the other is not supporting 32-bit UIDs... how would I tell?... can I query what the output of IDMAP would be with something like wbinfo, rather than getent passwd... so that I can see if there is an issue here?

How to go about debugging the IDMAP!?

James


August 23, 2017 7:39 AM, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai, 
> 
> Well, at least you did find something.
> This gets my attention.
> 
>> I have tried installing libpam-krb5, and it adds the
>> following line to common-,auth,passwd,account and session:-
>> 
>> auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
>> 
>> However, with that configuration, no users can log in (could
>> this be because the AD server had no RFC2307 unix
>> extensions)... so I have removed the package, and now I'm
>> back to the situation where only the 3 most recent users
>> cannot log in.
>> 
>> Note that the users who can't log in, can authenticate with kinit!
> 
> This is strange, if you install the libpam-krb5, you should still be able to log in.
> What you can try here is run pam-auth-update
> Only enable unix winbind (and if installed kerberos) and if really needed mkhomedir.
> 
> Now add Rowland's comment:
>> Well, yes you probably have, that comes from the libpam-winbind package,
>> you just need the 'glue' that comes from the libpam-krb5 package.
> 
> pam-auth-update does this.
> 
> And what kind of messages are you seeing in auth.log when you tried the krb5 option and users were
> not able to log in?
> Any messages there?
> And Windows event IDs?
> 
> Greetz,
> 
> Louis
> 
>> -----Original message-----
>> From: A. James Lewis [mailto:james at fsck.co.uk]
>> Sent: Tuesday, 22 August 2017 16:59
>> To: L.P.H. van Belle; samba at lists.samba.org
>> Subject: Re: [Samba] Windows pre-requisites for login with winbind?
>> 
>> August 22, 2017 2:32 PM, "L.P.H. van Belle via samba"
>> <samba at lists.samba.org> wrote:
>> 
>> You did not look right it should be there.
>> 
>> # aptitude search libpam-krb5
>> p libpam-krb5
>> - PAM module for MIT Kerberos
>> 
>> p libpam-krb5:i386
>> - PAM module for MIT Kerberos
>> 
>> Not installed.
>> 
>> https://packages.ubuntu.com/zesty/libpam-krb5
>> https://packages.ubuntu.com/artful/libpam-krb5
>> 
>> Check this folder to see if "winbind unix krb5" is there.
>> ls /usr/share/pam-configs
>> 
>> # ls /usr/share/pam-configs
>> capability gnome-keyring mkhomedir systemd unix winbind
>> 
>> And run pam-auth-update --force to update the files.
>> ! Note, krb5 has by default set : minimum_uid=1000
>> 
>> I have tried installing libpam-krb5, and it adds the
>> following line to common-,auth,passwd,account and session:-
>> 
>> auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
>> 
>> However, with that configuration, no users can log in (could
>> this be because the AD server had no RFC2307 unix
>> extensions)... so I have removed the package, and now I'm
>> back to the situation where only the 3 most recent users
>> cannot log in.
>> 
>> Note that the users who can't log in, can authenticate with kinit!
>> 
>> Greetz,
>> 
>> Louis
>> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of A. James Lewis via samba
>> Sent: Tuesday, 22 August 2017 15:02
>> To: Rowland Penny; samba at lists.samba.org
>> Subject: Re: [Samba] Windows pre-requisites for login with winbind?
>> 
>> I have krb5-config krb5-user, but not libpam-krb5... I'm
>> slightly fuzzy about how this works, but I thought the
>> interaction with kerberos was implemented via winbind, so I
>> wasn't expecting this package to be installed... certainly
>> there is no dependency that has pulled it in.
>> 
>> James
>> 
>> August 22, 2017 1:15 PM, "Rowland Penny via samba"
>> <samba at lists.samba.org> wrote:
>> 
>> On Tue, 22 Aug 2017 12:01:20 +0000
>> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
>> 
>> Indeed!... you are correct... this does appear to be the Kerberos
>> issue uncovered by Rowland's pointing out that I should not need to be
>> manually defining "kdc =", in my krb5.conf.... so with that resolved,
>> I'm hoping we can also find the cause of my original problem.
>> 
>> Incidentally, this was my solution to upgrading Samba on my 17.04
>> test server, I think moving to 17.10 will ultimately have to be the
>> solution, but this let me carry on debugging this problem quickly.
>> 
>> apt-get remove libnss-winbind libpam-winbind samba winbind
>> apt-get autoremove
>> cd /etc/apt/
>> sed -i "s,zesty,artful,g" sources.list
>> apt-get install samba libnss-winbind libpam-winbind winbind
>> sed -i "s,artful,zesty,g" sources.list
>> apt-get update
>> apt-get dist-upgrade
>> 
>> James
>> 
>> Do you also have the following packages installed:
>> 
>> libpam-krb5 krb5-config krb5-user
>> 
>> Rowland
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>> 
>> --
>> A. James Lewis (james at fsck.co.uk)
>> "Engineering does not require science. Science helps a lot but people
>> built perfectly good brick walls long before they knew why cement works."

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
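
One way to query the ID mapping with wbinfo instead of `getent passwd`, as asked in the message above. This is an added example, not part of the original thread: it walks each user that `wbinfo -u` lists through name → SID → uid → NSS and reports the first stage that fails. The status labels are hypothetical names chosen here, and the users, SIDs and uids in the stand-in branch are constructed sample data used only when winbind is not installed.

```shell
#!/bin/sh
# Added example (not from the thread): classify every winbind user by the
# first stage of name -> SID -> uid -> NSS lookup that fails.

check_user() {
    user=$1
    # "wbinfo --name-to-sid" prints "<SID> <type>"; keep only the SID.
    sid=$(wbinfo --name-to-sid "$user" 2>/dev/null | awk '{print $1}')
    if [ -z "$sid" ]; then printf '%s NO_SID - -\n' "$user"; return 0; fi
    # wbinfo exits non-zero when idmap cannot produce a uid for this SID.
    uid=$(wbinfo --sid-to-uid "$sid" 2>/dev/null) || uid=
    if [ -z "$uid" ]; then
        printf '%s NO_UID_MAPPING %s -\n' "$user" "$sid"; return 0
    fi
    # The SID maps to a uid; now ask NSS, which is what login relies on.
    if getent passwd "$user" >/dev/null 2>&1; then
        printf '%s OK %s %s\n' "$user" "$sid" "$uid"
    else
        printf '%s MAPPED_BUT_NOT_IN_NSS %s %s\n' "$user" "$sid" "$uid"
    fi
}

idmap_report() {
    wbinfo -u | while IFS= read -r user; do
        if [ -n "$user" ]; then check_user "$user"; fi
    done
}

# Constructed stand-ins, defined only where winbind is not installed, so the
# script can be tried away from the domain member. All values are made up.
if ! command -v wbinfo >/dev/null 2>&1; then
    wbinfo() {
        case "$1:$2" in
            -u:*)                printf 'alice\nbob\ncarol\n' ;;
            --name-to-sid:alice) echo "S-1-5-21-1-2-3-1104 SID_USER (1)" ;;
            --name-to-sid:bob)   echo "S-1-5-21-1-2-3-1105 SID_USER (1)" ;;
            --name-to-sid:carol) echo "S-1-5-21-1-2-3-99999 SID_USER (1)" ;;
            --sid-to-uid:*-1104) echo 11104 ;;
            --sid-to-uid:*-1105) echo 11105 ;;
            *)                   return 1 ;;
        esac
    }
    getent() { [ "$2" = alice ]; }
fi

idmap_report
```

A `NO_UID_MAPPING` line means the failure is in winbind's idmap stage, so the idmap settings shown by `testparm -s` are the place to look; `MAPPED_BUT_NOT_IN_NSS` means the mapping exists and the lookup is being lost on the NSS side.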


