Hello,

I've been trying for a couple of weeks now to get Samba to authenticate via Winbind to 
an NT domain.  I've scoured Google and the mailing lists to no avail.  I've tried 
various configurations that I've found during my searches, but none of them have 
worked for me.

I need to be able to authenticate users that do not have an account on the Linux box 
against the NT domain, and automatically create a home directory for them.  This is 
the purpose of Winbind (except the home directory part, which pam_mkhomedir is 
supposed to do), as I understand it.  Something between winbind and pam is failing 
since the connecting user gets authenticated as guest rather than an actual user.

My current configuration is RedHat 7.3 and Samba 2.2.5.  My most current samba 
installation is an RPM generated via the makerpms.sh script in the packaging/RedHat 
folder of the 2.2.5 samba distribution.

I've added the following compilation flags in the samba2.spec file (this is my latest 
attempt, since nothing else seemed to work):

--with-ssl \
--with-sslinc=/usr/include/openssl \
--with-ssllib=/usr/lib/ssl \
--with-acl-support \
--with-winbind \
--with-winbind-auth-challenge \

'getent passwd' and 'getent group' work properly so I think winbind works, too.  I 
think the problem lies somewhere with pam, but I'm not a pam guru by any stretch of 
the imagination.

The problem is one I've seen discussed a couple of times, but have not seen any kind 
of resolution.  The next few lines are from the log file of the client attempting to 
connect to the server with an account called ilchtest.

[2002/10/08 15:00:50, 3] lib/util_sock.c:open_socket_out(845)
  Connecting to 10.226.XXX.XXX at port 139
[2002/10/08 15:00:50, 3] smbd/reply.c:reply_sesssetup_and_X(1045)
  No such user ilchtest [CHICAGO] - using guest account



The following is the last line of what 'winbindd -d5 -i' spits out when I start it 
from the root prompt:

tdb(unknown): tdb_brlock failed (fd=10) at offset 4 rw_type=1 lck_type=13  
<--------Not sure if this points to a problem???




The following is what 'winbindd -d5 -i' spits out when the client tries to connect:

rpc_read: num_read = 4, read offset: 0, to read: 4
000018 samr_io_r_close_hnd
        0018 data1: 00000000
        001c data2: 00000000
        0020 data3: 0000
        0022 data4: 0000
        0024 data5: 00 00 00 00 00 00 00 00
    002c status: NT_STATUS_OK
[23826]: sid to gid S-1-5-21-178404139-331375567-1660491571-2273
[23826]: gid to sid 10000
[23826]: gid to sid 10001
[23826]: getgroups ftp     <-------Guest account was nobody and I changed it to ftp.



Here is my /etc/nsswitch.conf

passwd:     files winbind
shadow:     files
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files winbind dns





Here is my /etc/pam.d/system-auth

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so

account     sufficient    /lib/secutiry/pam_winbind.so
account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Here is my /etc/samba/smb.conf:

[global]
        workgroup = CHICAGO
        netbios name = SILCHRS03
        server string = 
        security = DOMAIN
        encrypt passwords = Yes
        password server = *
        log level = 3
        log file = /var/log/samba/log.%m
        max log size = 50
        large readwrite = Yes
        name resolve order = host wins bcast
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        preferred master = False
        local master = No
        domain master = False
        dns proxy = No
        wins server = 172.30.XXX.XXX
        winbind uid = 10000-50000
        winbind gid = 10000-50000
        template shell = /bin/bash
        guest account = ftp
        invalid users = root bin daemon adm sync shutdown halt mail news uucp operator gopher
        printer admin = +PrinterAdmins
        nt acl support = No
        printing = cups

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No


I really want this to work, so any help is appreciated.
Please include my e-mail address in any replies.

Thank you!


Sven
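
Added example, not part of the original post and not Samba or PAM project code: a small check that every rule in a PAM stack like the /etc/pam.d/system-auth posted above is well formed and names a module file that exists. The function name, the injectable `exists` callback and the `installed` stand-in for the filesystem are assumptions made so it runs offline.

```python
import os

TYPES = {"auth", "account", "password", "session"}

# auth and account rules copied from the /etc/pam.d/system-auth in the post.
POSTED_RULES = """\
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so

account     sufficient    /lib/secutiry/pam_winbind.so
account     required      /lib/security/pam_unix.so
"""

def check_pam_rules(text, exists=os.path.isfile, module_dir="/lib/security"):
    """Return (line_number, problem, detail) for each rule that is malformed
    or names a module file that does not exist.

    exists is injectable (assumption for offline use); module_dir is where
    module names without a leading slash are looked up.
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if fields[0].lstrip("-") not in TYPES or len(fields) < 3:
            # Also catches fragments left behind by a wrapped line.
            findings.append((number, "malformed", raw.strip()))
            continue
        # A bracketed control such as [success=1 default=ignore] spans fields.
        idx = 2
        if fields[1].startswith("["):
            while idx <= len(fields) and not fields[idx - 1].endswith("]"):
                idx += 1
        if idx >= len(fields):
            findings.append((number, "malformed", raw.strip()))
            continue
        module = fields[idx]
        path = module if os.path.isabs(module) else os.path.join(module_dir, module)
        if not exists(path):
            findings.append((number, "missing-module", path))
    return findings

if __name__ == "__main__":
    # Assumed stand-in for the filesystem: modules live only in /lib/security.
    installed = lambda p: os.path.dirname(p) == "/lib/security"
    for finding in check_pam_rules(POSTED_RULES, exists=installed):
        print(finding)
```

On a real host, call `check_pam_rules(open("/etc/pam.d/system-auth").read())` so the default `os.path.isfile` test is used.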