[Samba] Login From Domain

Rob Campbell robcampbell08105 at gmail.com
Mon Nov 14 18:25:52 UTC 2022


I have tried to log in via ssh:

Nov 14 13:07:34 D02 sshd[5821]: Invalid user robcampbell from 10.0.0.11
port 44206
Nov 14 13:07:37 D02 sshd[5821]: pam_unix(sshd:auth): check pass; user
unknown
Nov 14 13:07:37 D02 sshd[5821]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.11
Nov 14 13:07:37 D02 sshd[5821]: pam_winbind(sshd:auth): getting password
(0x00000388)
Nov 14 13:07:37 D02 sshd[5821]: pam_winbind(sshd:auth): pam_get_item
returned a password
Nov 14 13:07:39 D02 sshd[5821]: Failed password for invalid user
robcampbell from 10.0.0.11 port 44206 ssh2
Nov 14 13:07:42 D02 sshd[5821]: pam_unix(sshd:auth): check pass; user
unknown
Nov 14 13:07:42 D02 sshd[5821]: pam_winbind(sshd:auth): getting password
(0x00000388)
Nov 14 13:07:42 D02 sshd[5821]: pam_winbind(sshd:auth): pam_get_item
returned a password
Nov 14 13:07:45 D02 sshd[5821]: Failed password for invalid user
robcampbell from 10.0.0.11 port 44206 ssh2
Nov 14 13:07:48 D02 sshd[5821]: pam_unix(sshd:auth): check pass; user
unknown
Nov 14 13:07:48 D02 sshd[5821]: pam_winbind(sshd:auth): getting password
(0x00000388)
Nov 14 13:07:48 D02 sshd[5821]: pam_winbind(sshd:auth): pam_get_item
returned a password
Nov 14 13:07:49 D02 sshd[5821]: Failed password for invalid user
robcampbell from 10.0.0.11 port 44206 ssh2
Nov 14 13:07:51 D02 sshd[5821]: Connection closed by invalid user
robcampbell 10.0.0.11 port 44206 [preauth]
Nov 14 13:07:51 D02 sshd[5821]: PAM 2 more authentication failures;
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.11

I tried logging in via console:

Nov 14 13:09:26 D02 login[5824]: pam_unix(login:auth): check pass; user
unknown
Nov 14 13:09:26 D02 login[5824]: pam_winbind(login:auth): getting password
(0x00000388)
Nov 14 13:09:26 D02 login[5824]: pam_winbind(login:auth): pam_get_item
returned a password
Nov 14 13:09:28 D02 login[5824]: FAILED LOGIN (3) on '/dev/tty2' FOR
'UNKNOWN', Authentication failure

I tried logging in via gnome gui:

Nov 14 13:10:25 D02 gdm-launch-environment]:
pam_unix(gdm-launch-environment:session): session opened for user
Debian-gdm(uid=117) by (uid=0)
Nov 14 13:10:25 D02 systemd-logind[602]: New session c7 of user Debian-gdm.
Nov 14 13:10:25 D02 systemd: pam_unix(systemd-user:session): session opened
for user Debian-gdm(uid=117) by (uid=0)
Nov 14 13:10:26 D02 gdm-launch-environment]:
pam_unix(gdm-launch-environment:session): session closed for user Debian-gdm
Nov 14 13:10:26 D02 systemd-logind[602]: Session c7 logged out. Waiting for
processes to exit.
Nov 14 13:10:26 D02 systemd-logind[602]: Removed session c7.
Nov 14 13:10:26 D02 gdm-launch-environment]:
pam_unix(gdm-launch-environment:session): session opened for user
Debian-gdm(uid=117) by (uid=0)
Nov 14 13:10:26 D02 systemd-logind[602]: New session c8 of user Debian-gdm.
Nov 14 13:10:26 D02 polkitd(authority=local): Registered Authentication
Agent for unix-session:c8 (system bus name :1.321 [/usr/bin/gnome-shell],
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale
en_US.UTF-8)
Nov 14 13:10:27 D02 realmd[6303]: Loaded settings from:
/usr/lib/realmd/realmd-defaults.conf /usr/lib/realmd/realmd-distro.conf
Nov 14 13:10:27 D02 realmd[6303]: holding daemon: startup
Nov 14 13:10:27 D02 realmd[6303]: starting service
Nov 14 13:10:27 D02 realmd[6303]: connected to bus
Nov 14 13:10:27 D02 realmd[6303]: GLib-GIO: _g_io_module_get_default: Found
default implementation local (GLocalVfs) for ‘gio-vfs’
Nov 14 13:10:27 D02 realmd[6303]: released daemon: startup
Nov 14 13:10:27 D02 realmd[6303]: claimed name on bus:
org.freedesktop.realmd
Nov 14 13:10:36 D02 gdm-password]: pam_unix(gdm-password:auth): check pass;
user unknown
Nov 14 13:10:36 D02 gdm-password]: pam_unix(gdm-password:auth):
authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Nov 14 13:10:36 D02 gdm-password]: pam_winbind(gdm-password:auth): getting
password (0x00000388)
Nov 14 13:10:36 D02 gdm-password]: pam_winbind(gdm-password:auth):
pam_get_item returned a password

Domain Member:
/etc/nsswitch.conf
passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns #mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

$ cat /etc/security/pam_winbind.conf
[global]
krb5_auth = yes
krb5_ccache_type = FILE

$ cat /etc/samba/smb.conf
[global]
security = ADS
workgroup = HOME
realm = HOME.ROB-CAMPBELL.LAN

log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = autorid
idmap config * : range = 10000-9999999
idmap config * : rangesize = 200000

username map = /etc/samba/user.map

template shell = /bin/bash
template homedir = /home/%U

$ cat /etc/krb5.conf
[libdefaults]
default_realm = HOME.ROB-CAMPBELL.LAN
dns_lookup_realm = false
dns_lookup_kdc = true

#[realms]
# HOME.ROB-CAMPBELL.LAN = {
# kdc = home.rob-campbell.lan
# admin_server = DC01
# }


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.


On Mon, Nov 14, 2022 at 1:00 PM Rob Campbell <robcampbell08105 at gmail.com>
wrote:

>
> On Mon, Nov 14, 2022 at 12:07 PM Michael Tokarev <mjt at tls.msk.ru> wrote:
>
>> 14.11.2022 19:52, Rob Campbell via samba wrote:
>>
>> >> It is done if you install libpam-winbind package, and if
>> >> you actually configured it.  The configuration utility is
>> >> invoked after libpam-winbind installation automatically.
>> >>
>> > I installed 'apt install libpam-winbind'.  It installed but the
>> > configuration utility didn't run.  This is a fresh install of Debian 11.5.
>> > I did go through a similar config when installing the OS but I'm not sure
>> > if it was the same since that package wasn't actually installed.
>>
>> In the libpam-winbind postinst script there's a single command:
>>
>>    pam-auth-update --package
>>
>> It's been there for quite some time, it is definitely present in
>> the bullseye version.
>>
>> Run it manually now (without the arguments), it will let you
>> to configure pam-winbind too.  Without this, auth won't work.
>
> I ran the config and checked all options, although the only one that
> wasn't checked was  "Create home directory on login", which I also did want.
>
>> Besides, pam-winbind from Debian 11 can't be installed on a
>> system where you have samba bits from bullseye-backports, since
>> there will be a version conflict.  Or should be anyway - if
>> it is installable together with samba components of different
>> versions, it's a bug which I should fix.  Please give some
>> details here :)
>
> I did not receive any errors installing or configuring.
>
>> Thanks!
>>
>> /mjt
>>
>
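
An added example, not part of the original message: a small Python triage helper that rejoins syslog records hard-wrapped by a mail client, as in the excerpts above, and counts per process the lines where sshd or pam_unix reported the user as unknown, the lines pam_winbind logged, and the failed attempts. The sample log, host name, user name and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample, wrapped the way a mail client wraps long lines.
SAMPLE = """\
Nov 14 13:07:34 H01 sshd[100]: Invalid user alice from 192.0.2.10
port 40000
Nov 14 13:07:37 H01 sshd[100]: pam_unix(sshd:auth): check pass; user
unknown
Nov 14 13:07:37 H01 sshd[100]: pam_winbind(sshd:auth): pam_get_item
returned a password
Nov 14 13:07:39 H01 sshd[100]: Failed password for invalid user
alice from 192.0.2.10 port 40000 ssh2
Nov 14 13:09:26 H01 login[200]: pam_unix(login:auth): check pass; user
unknown
Nov 14 13:09:28 H01 login[200]: FAILED LOGIN (3) on '/dev/tty2' FOR
'UNKNOWN', Authentication failure
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# timestamp, host, program, optional [pid] (some gdm lines carry only a stray "]")
ENTRY = re.compile(r"^(\S+ +\d+ [\d:]+) (\S+) ([^\s:\[\]]+)(?:\[(\d+)\])?\]?: (.*)$")

def unwrap(text):
    """Rejoin records whose tail was wrapped onto a continuation line."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Per (program, pid): count unknown-user, pam_winbind and failure lines."""
    out = defaultdict(lambda: {"unknown_user": 0, "winbind": 0, "failed": 0})
    for rec in unwrap(text):
        m = ENTRY.match(rec)
        if not m:
            continue
        stats, msg = out[(m.group(3), m.group(4))], m.group(5)
        if msg.startswith("Invalid user") or "check pass; user unknown" in msg:
            stats["unknown_user"] += 1   # account name did not resolve locally
        if msg.startswith("pam_winbind("):
            stats["winbind"] += 1
        if "Failed password" in msg or "FAILED LOGIN" in msg:
            stats["failed"] += 1
    return dict(out)
```
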

