[Samba] login a Linux client to a Samba NT4 style domain

Rowland Penny rpenny at samba.org
Fri Aug 24 07:39:55 UTC 2018 

On Fri, 24 Aug 2018 08:33:59 +0200
Pisch Tamás via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> I would like to do what I mentioned in the subject
> on an Ububtu 18.04. I tried it with the following steps:
> https://lists.samba.org/archive/samba/2011-March/161372.html
> 
> My files on the client:
> smb.conf
> [global]
> ;Workstation Settings
> workgroup = PM
> netbios name = DS1223
> server string = %h
> security = domain
> idmap backend = tdb
> idmap uid = 15000-20000
> idmap gid = 15000-20000
> wins server = 1.2.3.4
> winbind use default domain = yes
> winbind enum groups = yes
> winbind enum users = yes
> password server = 1.2.3.4
> template shell = /bin/bash
> template homedir = /home/%D/%U
> ;Logging
> log level = 2
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> 
> common-account:
> 
> account [success=2 default=ignore] pam_winbind.so
> account [success=1 default=ignore] pam_unix.so
> account requisite pam_deny.so
> account required pam_permit.so
> 
> common-auth:
> 
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_winbind.so use_first_pass
> auth requisite pam_deny.so
> auth optional pam_mount.so
> auth required pam_permit.so
> 
> common-password:
> 
> # here are the per-package modules (the "Primary" block)
> password [success=1 default=ignore] pam_unix.so obscure sha512
> # here's the fallback if no module succeeds
> password requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one
> already; # this avoids us returning an error just because nothing
> sets a success code # since the modules above will each just jump
> around password required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> password optional pam_mount.so disable_interactive
> password optional pam_gnome_keyring.so
> # end of pam-auth-update config
> 
> common-session:
> 
> session required pam_unix.so nullok_secure
> session required pam_mkhomedir.so skel=/etc/skel umask=0022
> session optional pam_mount.so
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session optional pam_ck_connector.so nox11
> 
> pam_mount.conf.xml:
> <?xml version="1.0" encoding="utf-8" ?>
> <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
> <pam_mount>
> <debug enable="0" />
> <volume options="user=%(DOMAIN_USER),domain=PM" fstype="cifs"
> server="srv3" path="Diak"
> mountpoint="/home/PM/%(DOMAIN_USER)/Diak"></volume> <volume
> options="user=%(DOMAIN_USER),domain=PM" fstype="cifs" server="srv3"
> path="%(DOMAIN_USER)"
> mountpoint="/home/PM/%(DOMAIN_USER)/H"></volume>
> <path</sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
> <logout wait="0" hup="0" term="0" kill="0" /> <mkmountpoint
> enable="1" remove="true" /> </pam_mount>
> 
> net join runs correctly, but after reboot, I can login only with the
> local account.
> Portion from the auth.log:
> Aug 23 14:06:01 localhost lightdm: pam_unix(lightdm:auth): check
> pass; user unknown
> Aug 23 14:06:01 localhost lightdm: pam_unix(lightdm:auth):
> authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
> Aug 23 14:06:01 localhost lightdm: pam_winbind(lightdm:auth): getting
> password (0x00000010)
> Aug 23 14:06:01 localhost lightdm: pam_winbind(lightdm:auth):
> pam_get_item returned a password
> Aug 23 14:06:01 localhost lightdm: pam_winbind(lightdm:auth): user
> 'torolni' granted access
> Aug 23 14:06:01 localhost lightdm: gkr-pam: error looking up user
> information
> Aug 23 14:06:01 localhost lightdm: pam_unix(lightdm:account): could
> not identify user (from getpwnam(torolni))
> Aug 23 14:06:01 localhost lightdm: PAM unable to
> dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open
> shared object file: No such file or directory
> Aug 23 14:06:01 localhost lightdm: PAM adding faulty module:
> pam_kwallet.so Aug 23 14:06:01 localhost lightdm: PAM unable to
> dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open
> shared object file: No such file or directory
> Aug 23 14:06:01 localhost lightdm: PAM adding faulty module:
> pam_kwallet5.so Aug 23 14:52:29 localhost login[1371]:
> pam_unix(login:auth): check pass; user unknown
> Aug 23 14:52:29 localhost login[1371]: pam_unix(login:auth):
> authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1
> ruser= rhost= Aug 23 14:52:29 localhost login[1371]:
> pam_winbind(login:auth): getting password (0x00000010)
> Aug 23 14:52:29 localhost login[1371]: pam_winbind(login:auth):
> pam_get_item returned a password
> Aug 23 14:52:29 localhost login[1371]: pam_winbind(login:auth): user
> 'torolni' granted access
> Aug 23 14:52:29 localhost login[1371]: pam_unix(login:account): could
> not identify user (from getpwnam(torolni))
> Aug 23 14:52:29 localhost login[1371]: Authentication failure
> 
> Best regards,
> 
> Tamas.

I recently set up a test PDC (which worked okay) and then set up a test
Unix client and joined it to the test PDC, this again joined okay. From
there on it was just downhill, no matter what settings I tried in
smb.conf on the Unix client, I couldn't get it to work. Testing the
join with 'net' said the join was okay, but wbinfo claimed it couldn't
find the PDC. I spent a day trying to get it to work and finally gave
up.

My gut feeling is that something got changed in the work to get AD
working better and now Unix nt4-style clients don't work any more.

I have no idea why they don't work and have no real compunction to try
and find out why, mainly because Microsoft seems to be trying to
remove all traces of nt4-style domain code from their OS.

All I can suggest is that you upgrade to AD, this definitely works ;-)

Rowland

More information about the samba mailing list