[Samba] login a Linux client to a Samba NT4 style domain

Pisch Tamás pischta at gmail.com
Fri Aug 24 06:33:59 UTC 2018


Hi,

I would like to do what I mentioned in the subject
on an Ubuntu 18.04. I tried it with the following steps:
https://lists.samba.org/archive/samba/2011-March/161372.html

My files on the client:
smb.conf
[global]
;Workstation Settings
workgroup = PM
netbios name = DS1223
server string = %h
security = domain
idmap backend = tdb
idmap uid = 15000-20000
idmap gid = 15000-20000
wins server = 1.2.3.4
winbind use default domain = yes
winbind enum groups = yes
winbind enum users = yes
password server = 1.2.3.4
template shell = /bin/bash
template homedir = /home/%D/%U
;Logging
log level = 2
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

common-account:

account [success=2 default=ignore] pam_winbind.so
account [success=1 default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

common-auth:

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so
auth required pam_permit.so

common-password:

# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_mount.so disable_interactive
password optional pam_gnome_keyring.so
# end of pam-auth-update config

common-session:

session required pam_unix.so nullok_secure
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session optional pam_mount.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_ck_connector.so nox11

pam_mount.conf.xml:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0" />
<volume options="user=%(DOMAIN_USER),domain=PM" fstype="cifs" server="srv3"
path="Diak" mountpoint="/home/PM/%(DOMAIN_USER)/Diak"></volume>
<volume options="user=%(DOMAIN_USER),domain=PM" fstype="cifs" server="srv3"
path="%(DOMAIN_USER)" mountpoint="/home/PM/%(DOMAIN_USER)/H"></volume>
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
<logout wait="0" hup="0" term="0" kill="0" />
<mkmountpoint enable="1" remove="true" />
</pam_mount>

net join runs correctly, but after reboot, I can login only with the local
account.
Portion from the auth.log:
Aug 23 14:06:01 localhost lightdm: pam_unix(lightdm:auth): check pass; user unknown
Aug 23 14:06:01 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Aug 23 14:06:01 localhost lightdm: pam_winbind(lightdm:auth): getting password (0x00000010)
Aug 23 14:06:01 localhost lightdm: pam_winbind(lightdm:auth): pam_get_item returned a password
Aug 23 14:06:01 localhost lightdm: pam_winbind(lightdm:auth): user 'torolni' granted access
Aug 23 14:06:01 localhost lightdm: gkr-pam: error looking up user information
Aug 23 14:06:01 localhost lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(torolni))
Aug 23 14:06:01 localhost lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Aug 23 14:06:01 localhost lightdm: PAM adding faulty module: pam_kwallet.so
Aug 23 14:06:01 localhost lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Aug 23 14:06:01 localhost lightdm: PAM adding faulty module: pam_kwallet5.so
Aug 23 14:52:29 localhost login[1371]: pam_unix(login:auth): check pass; user unknown
Aug 23 14:52:29 localhost login[1371]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Aug 23 14:52:29 localhost login[1371]: pam_winbind(login:auth): getting password (0x00000010)
Aug 23 14:52:29 localhost login[1371]: pam_winbind(login:auth): pam_get_item returned a password
Aug 23 14:52:29 localhost login[1371]: pam_winbind(login:auth): user 'torolni' granted access
Aug 23 14:52:29 localhost login[1371]: pam_unix(login:account): could not identify user (from getpwnam(torolni))
Aug 23 14:52:29 localhost login[1371]: Authentication failure

Best regards,

Tamas.
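
Added example, not part of the original message: a small log triage that pairs the two auth.log events seen above, pam_winbind accepting the password in the auth phase and a later account-phase getpwnam() lookup failing for the same user and service. The function name and the sample lines are constructed for illustration (modelled on the quoted log, with mail line wrapping undone); the users 'alice' and 'bob' are invented controls.

```python
import re

# Constructed sample: first four lines follow the quoted auth.log,
# the last two are invented controls that must NOT be reported.
SAMPLE_LOG = """\
Aug 23 14:52:29 localhost login[1371]: pam_unix(login:auth): check pass; user unknown
Aug 23 14:52:29 localhost login[1371]: pam_winbind(login:auth): user 'torolni' granted access
Aug 23 14:52:29 localhost login[1371]: pam_unix(login:account): could not identify user (from getpwnam(torolni))
Aug 23 14:52:29 localhost login[1371]: Authentication failure
Aug 23 15:01:10 localhost login[1402]: pam_winbind(login:auth): user 'alice' granted access
Aug 23 15:02:44 localhost sshd[1500]: pam_unix(sshd:account): could not identify user (from getpwnam(bob))
"""

# Auth phase: winbind verified the password against the domain.
GRANTED = re.compile(
    r"pam_winbind\((?P<svc>[^:)]+):auth\): user '(?P<user>[^']+)' granted access")
# Account phase: the local name-service lookup did not return a passwd entry.
NO_USER = re.compile(
    r"pam_\w+\((?P<svc>[^:)]+):account\): "
    r"could not identify user \(from getpwnam\((?P<user>[^)]+)\)\)")


def find_nss_gaps(log_text):
    """Return sorted (service, user) pairs where pam_winbind accepted the
    password but a later account-phase getpwnam() could not find the user."""
    granted = set()
    gaps = set()
    for line in log_text.splitlines():
        m = GRANTED.search(line)
        if m:
            granted.add((m["svc"], m["user"]))
            continue
        m = NO_USER.search(line)
        # Only report when the same service already saw a winbind grant.
        if m and (m["svc"], m["user"]) in granted:
            gaps.add((m["svc"], m["user"]))
    return sorted(gaps)


if __name__ == "__main__":
    for svc, user in find_nss_gaps(SAMPLE_LOG):
        print(f"{svc}: '{user}' passed winbind auth but is unknown to getpwnam()")
```

A hit means the password check succeeded and the login was rejected afterwards, at the point where the system resolves the user name to a local passwd entry.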

