Hi Gregorcy,

Here's what I sent along to Masao. I didn't cc the list either :-( So here it comes now. Hope it may be useful.
On Thu, Jan 21, 2010 at 12:05 PM, Masao Garcia <mas...@fshac.com> wrote:
> John,
>
> Yes, with my config, I can see all the domain users and groups with both
> wbinfo and getent. I can log in via SSH and also from an LTSP terminal (I
> had to chown the test user's home directory because the user IDs didn't
> match from the old system) but when it comes to password changes, it just
> won't work.

Did you have a legacy /var/lib/samba/winbindd_idmap.tdb lying around from a previous Active Directory membership? If this computer had a Windows user called jdoe whose uid->sid mapping was stored in that account, and you rejoined AD later on, you might cause yourself problems when trying to change the "new" jdoe's passwd (e.g. his unix uid would be mapped to a different Windows SID as I understand it). I am a bit fuzzy on this, others could be of more help.

I get around this because I use a static rid mapping (e.g. idmap backend = rid:VANGUARD=10000-200000) so that I can scale AD across servers and uid->sid mappings stay consistent.

> I tried changing my pam.d config files with your settings and I can't SSH in
> with AD accounts. wbinfo and getent still work.

Here's what my ssh entry in /etc/pam.d looks like (note the entry for winbind):

  auth required pam_env.so # [1]
  auth required pam_env.so envfile=/etc/default/locale
  auth sufficient /lib/security/pam_winbind.so
  @include common-auth
  account required pam_nologin.so
  account sufficient /lib/security/pam_winbind.so
  @include common-account
  @include common-session
  session optional pam_motd.so # [1]
  session optional pam_mail.so standard noenv # [1]
  session required pam_limits.so
  @include common-password

> I use krb5 because according to the guide, Kerberos and Winbind are required
> for authentication and session information when interfacing with AD.

I believe you need krb5 to join AD but you don't need entries in pam.d/common-* unless you are trying to refresh Kerberos tickets for various domain services.
Again, others would know more. I messed around with automatically refreshing users' Kerberos tickets, but I couldn't get it working well, so users just have to present credentials when they want to get a Windows share, for example. I really should revisit this. :-)

> Can I ask what version of Samba you're running and what your domain
> functional level is?

  winbind 3.0.28a-1ubuntu4.9
  samba-common 3.0.28a-1ubuntu4.9

Our functional level is "Windows 2003".

> Did you install the Unix services on the DCs?

No, I decided I didn't want to mess with the DCs in any way.

> tried both with and without the Unix services and I get the same errors
> about the users not being in /etc/passwd in both cases. It's got to be a
> pam.d or nsswitch configuration problem, but I can't find any answers on
> Google. Somehow I have to tell the client to look for the users in AD when
> changing passwords, but from my understanding that's handled by
> nsswitch.conf, which looks right.

I think you are on the right track. Have you tried turning up the verbosity on the logging? You can do that in the smb.conf file and then try your transaction and check for messages in /var/log/samba. Here's a little blurb from O'Reilly: http://oreilly.com/catalog/samba/chapter/book/ch09_01.html

> Anyway, I just got word from management that I need to raise the domain and
> forest functional levels to 2008R2, and from what I've read, you need Samba
> 3.2 for AD authentication to work right in that environment so now I'm
> messing with Ubuntu 9.10. I appreciate your help. I'll let you know how
> things turn out in the new environment.

I'll be interested to hear what you find out. I'm planning on migrating to Lucid (the next LTS) sometime in the next 6 months, and I would guess Karmic (9.10) and Lucid will be very similar with regards to winbind and samba.
Btw, as an aside, I found out that as long as I am only joining my servers to AD and not actually hosting shares via samba on my Linux server, I only need the winbind package on LTSP. Winbind installs a minimal subset of the samba packages and doesn't run the samba daemon.

Good luck!
John

On Mon, Jan 25, 2010 at 2:02 PM, gregorcy <brian.grego...@utah.edu> wrote:
> whoops should have also sent to list.
>
> Hi Masao,
>
> Hey if you figure out how to get it to work will you post it to the list. I
> have also been trying for a bit to get
> passwd to work.
>
> --Brian
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
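Added example, not from the thread and not Samba's own code: a small Python check that parses a pam.d stack like the ssh one John pasted and reports which management groups (auth, account, password, session) reference pam_winbind directly. The sample stack is constructed from that config; passwd changes run through the password group, which in that file is only an @include of common-password, so that is the first place to look when password changes fail while logins work.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /etc/pam.d/ssh stack quoted in the thread.
SAMPLE_PAM_SSH = """\
auth required pam_env.so # [1]
auth required pam_env.so envfile=/etc/default/locale
auth sufficient /lib/security/pam_winbind.so
@include common-auth
account required pam_nologin.so
account sufficient /lib/security/pam_winbind.so
@include common-account
@include common-session
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
@include common-password
"""

GROUPS = ("auth", "account", "password", "session")
# type, control (bracketed controls may contain spaces), module, optional args
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_stack(text):
    """Return ({group: [(control, module, args)]}, [@include targets]).
    Comments and blank lines are skipped; a leading '-' on the type is dropped."""
    stacks, includes = defaultdict(list), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            includes.append(line.split(None, 1)[1])
            continue
        m = LINE_RE.match(line)
        if m and m.group(1).lstrip("-") in GROUPS:  # ignore malformed lines
            group, control, module, args = m.groups()
            stacks[group.lstrip("-")].append((control, module, args.split()))
    return stacks, includes

def winbind_coverage(text, module="pam_winbind.so"):
    """Per management group: does this file call pam_winbind directly?
    Included files are listed, not followed, so a group that is only an
    @include (the password group above) is reported as not covered."""
    stacks, includes = parse_pam_stack(text)
    covered = {g: any(mod.endswith(module) for _, mod, _ in stacks[g]) for g in GROUPS}
    return covered, includes
```

Run it against the real file with `winbind_coverage(open("/etc/pam.d/ssh").read())`; a group reported as not covered then needs the included common-* file checked the same way.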