[Samba] Problem with pam_winbind using 'su'

lists at zxt10d.de lists at zxt10d.de
Thu Apr 28 09:06:58 UTC 2022


Sure! :)

# Global parameters
[global]
         ldap admin dn = CN=%ADMINACCOUNT%,OU=Admin Accounts,OU=Accounts,OU=_AFP,OU=_%UNIVERSITY% Systeme,DC=%UNIVERSITY%,DC=de
         ldap debug level = 4
         ldap group suffix = OU=Groups,OU=AFP,OU=%UNIVERSITY% Users,dc=%UNIVERSITY%,dc=de
         ldap machine suffix = OU=Computers,OU=_AFP,OU=_%UNIVERSITY% Systeme,DC=%UNIVERSITY%,DC=de
         ldap suffix = DC=%UNIVERSITY%,DC=DE
         ldap user suffix = ou=Users,ou=AFP,ou=%UNIVERSITY% Users,dc=%UNIVERSITY%,dc=de
         log file = /var/log/samba/log.%m
         logging = file
         log level = 1 auth_audit:3@/var/log/samba/samba_auth_audit.log
         max log size = 1000
         realm = %UNIVERSITY%
         security = ADS
         server role = member server
         username map = /etc/samba/user.map
         workgroup = %UNIVERSITY%
         idmap config * : range = 10000-9999999
         idmap config * : backend = autorid

vfs objects = acl_xattr
map acl inherit = yes

load printers = no
printing = bsd
printcap name = /dev/null

Thanks!
Torsten


On 28.04.2022 at 09:55, Rowland Penny via samba wrote:
> On Thu, 2022-04-28 at 09:10 +0200, lists--- via samba wrote:
>> Dear list,
>>
>> I installed an AD-Member Server, and now I would like to enable two users
>> with local accounts to do a 'su' to AD-accounts - but that fails, the
>> session is closed immediately.
>>
>> /var/log/auth.log
>> Apr 28 08:43:12 afpfp1 su: pam_krb5(su:auth): authentication failure; logname=%ADNAME%\%USERNAME% uid=1000 euid=0 tty=pts/1 ruser=%LOCALUSER% rhost=
>> Apr 28 08:43:12 afpfp1 su: pam_unix(su:auth): authentication failure; logname=%LOCALUSER% uid=1000 euid=0 tty=pts/1 ruser=%LOCALUSER% rhost= user=%ADNAME%\%USERNAME%
>> Apr 28 08:43:12 afpfp1 su: pam_winbind(su:auth): getting password (0x00000388)
>> Apr 28 08:43:12 afpfp1 su: pam_winbind(su:auth): pam_get_item returned a password
>> Apr 28 08:43:12 afpfp1 su: pam_winbind(su:auth): user '%ADNAME%\%USERNAME%' granted access
>> Apr 28 08:43:12 afpfp1 su: (to %ADNAME%\%USERNAME%) %LOCALUSER% on pts/1
>> Apr 28 08:43:12 afpfp1 su: pam_unix(su:session): session opened for user %ADNAME%\%USERNAME%(uid=130224) by %LOCALUSER%(uid=1000)
>> Apr 28 08:43:12 afpfp1 su: pam_unix(su:session): session closed for user %ADNAME%\%USERNAME%
>>
>> Does anybody have a hint for me?
>>
>> Cheers,
>> Torsten
> 
> Can you post your smb.conf from the computer you are running 'su' on. I
> think I know what is happening, but I need to see the smb.conf to
> confirm this.
> 
> Rowland
> 
> 
> 


