[Samba] Domain users cannot log on locally to DC
Roy Eastwood
spindles7 at gmail.com
Thu Nov 2 08:59:13 UTC 2017
Hi,
I have a samba 4.7.0 DC installed on a Debian Stretch machine. I
provisioned the domain with rfc2307 enabled and have set the Unix attributes
using Windows 7 RSAT/ADUC. I think I followed the wiki pages correctly to
enable the pam_winbind module in PAM, and have allocated a GID to Domain
Users. After falling foul of the
https://bugzilla.samba.org/show_bug.cgi?id=13054 bug, entering net cache
flush gave the correct output for getent group and getent passwd test1.
Yet I still cannot log on locally to the DC, either on the console or via
ssh. Relevant config and log files are as follows:
/etc/smb.conf:
# Global parameters
[global]
netbios name = DC1
realm = MICROLYNX.CO.UK
workgroup = MICROLYNX
dns forwarder = 192.168.2.1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
allow dns updates = nonsecure
wins support = no
local master = yes
domain master = yes
preferred master = yes
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
printing = cups
printcap name = cups
load printers = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
# Use settings from AD for login shell and home directory - doesn't work so use the next two lines
template shell = /bin/bash
template homedir = /srv/users/%U
log file = /var/log/samba/log.%m
log level = 1
[netlogon]
path = /srv/samba/sysvol/microlynx.co.uk/scripts
read only = No
[sysvol]
path = /srv/samba/sysvol
read only = No
[users]
path = /srv/users
read only = No
/etc/pam.d/common-account - following lines added:
# add pam_winbind to allow domain users to log in locally
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/common-auth - following lines added:
# add pam_winbind to allow domain users to log in locally
auth sufficient pam_winbind.so use_first_pass
/etc/pam.d/common-password - following lines added:
# add pam_winbind to allow domain users to log in locally
password sufficient pam_winbind.so use_authtok
excerpt from /var/log/auth.log: (with debug added to line: auth sufficient
pam_winbind.so use_first_pass in /etc/pam.d/common-auth)
Nov 1 22:53:58 dc1 sshd[5788]: pam_winbind(sshd:auth): [pamh: 0x81d72698] ENTER: pam_sm_authenticate (flags: 0x0001)
Nov 1 22:53:58 dc1 sshd[5788]: pam_winbind(sshd:auth): getting password (0x00000011)
Nov 1 22:53:58 dc1 sshd[5788]: pam_winbind(sshd:auth): Could not retrieve user's password
Nov 1 22:53:58 dc1 sshd[5788]: pam_winbind(sshd:auth): [pamh: 0x81d72698] LEAVE: pam_sm_authenticate returning 20 (PAM_AUTHTOK_ERR)
Nov 1 22:53:58 dc1 sshd[5788]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.240 user=test1
Nov 1 22:54:00 dc1 sshd[5788]: Failed password for test1 from 192.168.2.240 port 50348 ssh2
Nov 1 22:54:04 dc1 sshd[5788]: Connection closed by 192.168.2.240 port 50348 [preauth]
Output of getent passwd test1
root@dc1:~# getent passwd test1
MICROLYNX\test1:*:10000:10000:Test One User:/srv/users/test1:/bin/bash
Output of getent group Domain Users
root@dc1:~# getent group "Domain Users"
MICROLYNX\domain users:x:10000:
Output of: # ls -l /lib/i386-linux-gnu/security/pam_winbind.so
lrwxrwxrwx 1 root root 44 Nov 1 18:04 /lib/i386-linux-gnu/security/pam_winbind.so -> /usr/local/samba/lib/security/pam_winbind.so
What am I missing? Any help appreciated,
Thanks,
Roy
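
In the auth.log excerpt above, pam_winbind runs before pam_unix and fails with "Could not retrieve user's password"; the use_first_pass option makes pam_winbind abort when no earlier module has stored a password. The following is an added example, not part of the original post, that checks a PAM auth stack for that ordering. The two sample stacks and the PROMPTING list are constructed for illustration, since the post shows only the lines that were added to common-auth.

```python
import re

# Modules that prompt for a password and store it as PAM_AUTHTOK.
# Non-exhaustive list, chosen for this example.
PROMPTING = {"pam_unix.so", "pam_winbind.so", "pam_sss.so", "pam_krb5.so"}
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text, pam_type="auth"):
    """Return [(lineno, module, [options])] for one PAM management group."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue  # includes are not followed in this example
        m = LINE.match(line)
        if m and m.group(1) == pam_type:
            module = m.group(3).rsplit("/", 1)[-1]
            entries.append((lineno, module, m.group(4).split()))
    return entries

def find_orphaned_first_pass(text):
    """Flag use_first_pass modules with no password-prompting module before them."""
    findings, token_available = [], False
    for lineno, module, opts in parse_stack(text):
        if "use_first_pass" in opts:
            if not token_available:
                findings.append((lineno, module))
        elif module in PROMPTING:
            token_available = True  # this module prompts and stores the token
    return findings

# Constructed stack: pam_winbind placed ahead of pam_unix ...
BROKEN = """\
# add pam_winbind to allow domain users to log in locally
auth sufficient pam_winbind.so use_first_pass
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
"""
# ... versus pam_unix prompting first and pam_winbind reusing that password.
ORDERED = """\
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_winbind.so use_first_pass
auth requisite pam_deny.so
"""

if __name__ == "__main__":
    for name, stack in (("BROKEN", BROKEN), ("ORDERED", ORDERED)):
        print(name, find_orphaned_first_pass(stack))
```
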