[Samba] problems with authentication
Marcio Demetrio Bacci
marciobacci at gmail.com
Tue Aug 6 03:05:11 UTC 2019
Hi,
I have updated Samba 4.5.16 to version 4.10.6 and it is now working.
>Remove 'winbind' from the 'shadow' line in /etc/nsswitch.conf
OK.
>Have you given your users a uidNumber attribute containing a unique
number inside the range '100000-999999' ?
Is this done through the Unix attributes in RSAT and for each user?
>Have you also given 'Domain Users' a gidNumber attribute containing a
number inside the same range ?
Is this done for each custom group and for the "Domain Users" default group
too?
Will these changes affect user permissions on the Windows Server 2008 file
server too ?
Regards,
Márcio Bacci
Em seg, 5 de ago de 2019 às 04:00, Rowland penny via samba <
samba at lists.samba.org> escreveu:
> On 04/08/2019 23:18, Marcio Demetrio Bacci via samba wrote:
> > Hi,
> >
> > I set up a samba 4 in Debian 9.9 as a Domain member server, but
> > authentication is not working as follows:
> >
> > root at srv-proxy:/etc/samba# wbinfo -a marcio at EMPRESA.COM.BR
> > Enter marcio at EMPRESA.COM.BR's password:
> > plaintext password authentication succeeded
> > Enter marcio at EMPRESA.COM.BR's password:
> > challenge/response password authentication failed
> > wbcAuthenticateUserEx(+marcio at EMPRESA.COM.BR): error code was
> > NT_STATUS_WRONG_PASSWORD (0xc000006a)
> > error message was: Wrong Password
> > Could not authenticate user marcio at EMPRESA.COM.BR with
> challenge/response
> >
> > My password is correct!
> > #############################################
> > My DC are:
> > Primary: Samba 4 DC (Debian 9.9)
> > Secondary: Windows Server 2008
> >
> > Follows my configurations files:
> >
> > SMB.CONF
> >
> > [global]
> > netbios name = SRV-PROXY
> > workgroup = EMPRESA
> > security = ADS
> > realm = EMPRESA.COM.BR
> > encrypt passwords = yes
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 3000-7999
> > idmap config EMPRESA:backend = ad
> > idmap config EMPRESA:schema_mode = rfc2307
> > idmap config EMPRESA:range = 100000-999999
> >
> > winbind nss info = rfc2307
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> >
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > ##############################################
> >
> > NSSWITCH.CONF
> >
> > root at srv-proxy:/etc/samba# cat /etc/nsswitch.conf
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed,
> try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd: compat winbind
> > group: compat winbind
> > shadow: compat winbind
> > gshadow: files
> >
> > hosts: files dns
> > networks: files
> >
> > protocols: db files
> > services: db files
> > ethers: db files
> > rpc: db files
> >
> > netgroup: nis
> > ########################################################################
> >
> > root at srv-proxy:/etc# net ads join -Uadministrator
> > Enter marcio's password:
> > Using short domain name -- EMPRESA
> > Joined 'SRV-PROXY' to dns domain 'empresa.com.br'
> >
> > root at srv-proxy:/etc# net ads testjoin
> > Join is OK
> >
> >
> > root at srv-proxy:/etc/samba# kinit marcio
> > Password for marcio at EMPRESA.COM.BR:
> > root at srv-proxy:/etc/samba# klist -l
> > Principal name Cache name
> > -------------- ----------
> > marcio at EMPRESA.COM.BR FILE:/tmp/krb5cc_0
> >
> > #####################################################################
> >
> > The wbinfo -g and wbinfo -u commands are working properly.
> >
> >
> > Could anybody help me?
> >
> > Regards,
> >
> > Márcio Bacci
>
> Remove 'winbind' from the 'shadow' line in /etc/nsswitch.conf
>
> Have you given your users a uidNumber attribute containing a unique
> number inside the range '100000-999999' ?
>
> Have you also given 'Domain Users' a gidNumber attribute containing a
> number inside the same range ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list