Re: [Samba] Problem getting Samba fully working
> -Original Message-
> From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
> Sent: Thursday, 30 June 2011 4:16 AM
> To: Moe, John
> Cc: Samba mailing list
> Subject: Re: [Samba] Problem getting Samba fully working
>
> Perhaps look at pam config again. I have had default pam configs from Debian that would not work out of the box with winbind. When that happened, I always reverted to something simple like the example given here:
> (modify to suit Gentoo, of course)
>
> http://www.enterprisenetworkingplanet.com/netos/article.php/3502441
>
> If simple works, you can always add other options back until it breaks.
>
> Dale

Ok, now this is irritating. I got back from four days leave, updated my system (which was autoconf, gtk-doc-am, grub, openrc and glib) and now, local and SSH logins both work with my AD account. So thankfully it works, but now I've no idea why.

For the record, my PAM configs looked pretty much the same as what was in your link anyway, at least for the auth and account sections. I believe the other two (password and session) don't come into play unless the login was successful anyway? I'm still trying to wrap my head around PAM...

But for now, thanks for the assistance, and if I have further questions, I'll let you know. :-)

John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4011

* NOTICE - This message from Hatch is intended only for the use of the individual or entity to which it is addressed and may contain information which is privileged, confidential or proprietary. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. By communicating with us via e-mail, you accept such risks. When addressed to our clients, any information, drawings, opinions or advice (collectively, "information") contained in this e-mail is subject to the terms and conditions expressed in the governing agreements. Where no such agreement exists, the recipient shall neither rely upon nor disclose to others, such information without our written consent. Unless otherwise agreed, we do not assume any liability with respect to the accuracy or completeness of the information set out in this e-mail. If you have received this message in error, please notify us immediately by return e-mail and destroy and delete the message from your computer.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Problem getting Samba fully working
Sorry, it's been pointed out that the list strips attachments. Here's my smb.conf, in case it helps someone.

There are numerous howto's for this sort of thing all over the web, and trying to keep track of which bits are needed for a given setup is difficult. Maybe in all my reading, I came away with some bad assumptions, and I need to check them. Let's take FreeRadius out of the picture for the moment; I only mentioned it in case it was interfering/interacting with Samba.

Basically, I'm trying to get a virtual machine on my network, with a Gentoo Linux OS, to be able to allow logins based on AD accounts, so the other network admins can administer this server, and for ntlm_auth to return success or failure of a user's authentication request (which will be needed for step 2: FreeRadius). I don't need shares, although it'd be handy so I can transfer files to and from the box.

1) To get this to work, I assumed from my reading I needed Kerberos.
2) I also assumed that "best practice" would be for this server to join the domain.
3) I assumed that tdb was the correct backend for this setup, not LDAP.

Can anyone speak to these assumptions?

---
[global]
add user script = /usr/local/bin/addsambauser %u
client lanman auth = no
client ntlmv2 auth = yes
client use spnego = yes
disable netbios = yes
domain master = no
encrypt passwords = yes
idmap alloc backend = tdb
# Defaults to tdb
idmap backend = tdb
idmap gid = 1 - 9
idmap uid = 1 - 9
lanman auth = no
kerberos method = system keytab
netbios name = MYSERVERNAME
ntlm auth = yes
# Defaults to tdbsam
passdb backend = tdbsam
password server = mygc.my.domain.name, mygc2.my.domain.name
preferred master = no
realm = MY.DOMAIN.NAME
security = ads
server string = %h (Samba)
template homedir = /home/%D/%U
template shell = /bin/bash
use spnego = yes
winbind enum groups = yes
winbind enum users = yes
winbind expand groups = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind use default domain = yes
workgroup = NTDOMAINNAME

[tmp]
comment = temporary files
path = /tmp
read only = yes
---

John H. Moe
Network Support - Hatch IT

> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Moe, John
> Sent: Tuesday, 28 June 2011 7:26 AM
> To: Samba mailing list
> Subject: Re: [Samba] Problem getting Samba fully working
>
> > -Original Message-
> > From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
> > Sent: Tuesday, 28 June 2011 4:42 AM
> > To: Moe, John
> > Cc: Samba mailing list
> > Subject: Re: [Samba] Problem getting Samba fully working
> >
> > On 06/26/2011 7:14 PM, Moe, John wrote:
> > >> -----Original Message-
> > >> From: Linda Walsh [mailto:sa...@tlinx.org]
> > >> Sent: Saturday, 25 June 2011 8:02 PM
> > >> To: Moe, John
> > >> Cc: Samba mailing list
> > >> Subject: Re: Problem getting Samba fully working
> > >>
> > >> Moe, John wrote:
> > >>> Hello all,
> > >>>
> > >>> Relevant info up front: Gentoo PC, using 2.6.38 kernel and Samba 3.4.12.
> > >>> I'm trying to get a FreeRadius instance working for our Windows network. To do so, I need a Linux box running Samba. I've installed and configured Kerberos, Samba and FreeRadius, and can get most things to work. I can get a Kerberos key using kinit, and "sudo net ads keytab list" shows me tickets. I can use things like "net ads user myuser -U myuser" to get info about my user account. I can use "sudo wbinfo -t" to show the secret trust is OK, and "sudo net ads testjoin" works as well. I can even log on to my switch using RADIUS authentication to my AD account (using ntlm_auth). So a lot of the pieces are working correctly.
> > >>> [2011/06/21 07:12:21, 1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
> > >>>   cli_pipe_validate_current_pdu: RPC fault code
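As an added example (not from the thread or the Samba project), a small Python checker that parses a [global] section like the one posted above and flags settings that commonly stop domain users from being looked up or logged in; the embedded sample config and the 1000-id floor are constructed here.

```python
import re

# Constructed sample: [global] values from the posted smb.conf, copied as given.
SAMPLE_SMB_CONF = """
[global]
  security = ads
  realm = MY.DOMAIN.NAME
  # Defaults to tdb
  idmap backend = tdb
  idmap uid = 1 - 9
  idmap gid = 1 - 9
  ntlm auth = yes
[tmp]
  path = /tmp
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lowercased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # smb.conf comments start with # or ;
        head = re.fullmatch(r"\[(.+)\]", line)
        if head:
            current = head.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = (s.strip() for s in line.split("=", 1))
            sections[current][" ".join(name.lower().split())] = value
    return sections

def idmap_range_size(value):
    """Number of ids in a 'LOW - HIGH' range, or None if the value is not one."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return high - low + 1 if high >= low else 0

def check_global(conf, min_ids=1000):
    """Findings for an AD member server; min_ids is an assumed sanity floor."""
    g, findings = conf.get("global", {}), []
    if g.get("security", "").lower() != "ads":
        findings.append("security is not 'ads': server is not in AD member mode")
    for key in ("idmap uid", "idmap gid"):
        size = idmap_range_size(g.get(key, ""))
        if size is None:
            findings.append(f"{key} missing or not a 'LOW - HIGH' range")
        elif size < min_ids:
            findings.append(f"{key} covers only {size} ids: winbind cannot map most domain users")
    # Samba 3.x defaults ntlm auth to yes; NTLMv1 is what ntlm_auth needs for MSCHAP.
    if g.get("ntlm auth", "yes").lower() in ("yes", "true", "1"):
        findings.append("ntlm auth = yes: NTLMv1 accepted; keep only while ntlm_auth/MSCHAP needs it")
    return findings
```

Run `check_global(parse_smb_conf(open("/etc/samba/smb.conf").read()))` against a real file to get the same list of findings for that server.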
Re: [Samba] Problem getting Samba fully working
> -Original Message-
> From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
> Sent: Tuesday, 28 June 2011 4:42 AM
> To: Moe, John
> Cc: Samba mailing list
> Subject: Re: [Samba] Problem getting Samba fully working
>
> On 06/26/2011 7:14 PM, Moe, John wrote:
> >> -Original Message-
> >> From: Linda Walsh [mailto:sa...@tlinx.org]
> >> Sent: Saturday, 25 June 2011 8:02 PM
> >> To: Moe, John
> >> Cc: Samba mailing list
> >> Subject: Re: Problem getting Samba fully working
> >>
> >> Moe, John wrote:
> >>> Hello all,
> >>>
> >>> Relevant info up front: Gentoo PC, using 2.6.38 kernel and Samba 3.4.12.
> >>> I'm trying to get a FreeRadius instance working for our Windows network. To do so, I need a Linux box running Samba. I've installed and configured Kerberos, Samba and FreeRadius, and can get most things to work. I can get a Kerberos key using kinit, and "sudo net ads keytab list" shows me tickets. I can use things like "net ads user myuser -U myuser" to get info about my user account. I can use "sudo wbinfo -t" to show the secret trust is OK, and "sudo net ads testjoin" works as well. I can even log on to my switch using RADIUS authentication to my AD account (using ntlm_auth). So a lot of the pieces are working correctly.
> >>> [2011/06/21 07:12:21, 1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
> >>>   cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
> >>>
> >>
> >> I am not sure the above messages are from your ssh... And I know nothing about configuration with Free Radius or Kerberos, so your problems may be completely different from ones I've had but...
> >>
> >> I take it you are running ssh on the Win7 workstation and trying to login to the linux samba server.
> >>
> >> if your username in the domain is 'user' (i.e. you are 'domain\user'), and your linux account is 'user', then on the ssh line, you might try
> >>
> >> 'ssh user@linux-server' instead of the "normal" 'ssh linux-server'
> >>
> >> If that works, then your 'sshd' server on your linux server is probably receiving 'domain\user' as the username, (not just 'user') and doesn't know what to do with that.
> >>
> >> Theoretically should be resolvable via proper pam and config files (all the file ops map my 'domain\user' => 'user' on the PDC), but, a _*hack*_ I use (but would find a better solution in a production environment) is to create a 2nd /etc/passwd & /etc/shadow entry that dups my 'user' but has the username field changed to 'DOMAIN\user'.
> >> (getting the capitalization to agree with what the workstation thinks it is, is important in this case; upper case is norm, so unless you've customized things in the win registry, shouldn't be a prob (not that I would have any knowledge of this, of course...)
> >>
> >> But I'd try to get 'winbind' config'ed with pam to map the username properly for a best fix (on my 'todo list') ... just hasn't been that important ...
> >>
> >> Best short term:
> >>
> >> specify the username with the hostname when using the 'ssh' (or scp, i.e. 'scp file user@remote:/tmp' ) ...
> >>
> >> In any event, using kerberos/freeradius, there should be some way to make sure that a 'domain\user' is mapped to 'user' on a PDC...
> >>
> >> Or it might be the 'ssh' client that "shouldn't" be prepending the windows domainname not sure.
> >>
> >> But hopefully gives you some ideas where to look...
> >>
> > Thanks for the reply. Maybe I haven't made myself clear in the first post. I'
Re: [Samba] Problem getting Samba fully working
> -Original Message-
> From: Linda Walsh [mailto:sa...@tlinx.org]
> Sent: Saturday, 25 June 2011 8:02 PM
> To: Moe, John
> Cc: Samba mailing list
> Subject: Re: Problem getting Samba fully working
>
> Moe, John wrote:
> > Hello all,
> >
> > Relevant info up front: Gentoo PC, using 2.6.38 kernel and Samba 3.4.12.
> >
> > I'm trying to get a FreeRadius instance working for our Windows network. To do so, I need a Linux box running Samba. I've installed and configured Kerberos, Samba and FreeRadius, and can get most things to work. I can get a Kerberos key using kinit, and "sudo net ads keytab list" shows me tickets. I can use things like "net ads user myuser -U myuser" to get info about my user account. I can use "sudo wbinfo -t" to show the secret trust is OK, and "sudo net ads testjoin" works as well. I can even log on to my switch using RADIUS authentication to my AD account (using ntlm_auth). So a lot of the pieces are working correctly.
> >
> > [2011/06/21 07:12:21, 1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
> >   cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
> >
>
> I am not sure the above messages are from your ssh... And I know nothing about configuration with Free Radius or Kerberos, so your problems may be completely different from ones I've had but...
>
> I take it you are running ssh on the Win7 workstation and trying to login to the linux samba server.
>
> if your username in the domain is 'user' (i.e. you are 'domain\user'), and your linux account is 'user', then on the ssh line, you might try
>
> 'ssh user@linux-server' instead of the "normal" 'ssh linux-server'
>
> If that works, then your 'sshd' server on your linux server is probably receiving 'domain\user' as the username, (not just 'user') and doesn't know what to do with that.
>
> Theoretically should be resolvable via proper pam and config files (all the file ops map my 'domain\user' => 'user' on the PDC), but, a _*hack*_ I use (but would find a better solution in a production environment) is to create a 2nd /etc/passwd & /etc/shadow entry that dups my 'user' but has the username field changed to 'DOMAIN\user'.
> (getting the capitalization to agree with what the workstation thinks it is, is important in this case; upper case is norm, so unless you've customized things in the win registry, shouldn't be a prob (not that I would have any knowledge of this, of course...)
>
> But I'd try to get 'winbind' config'ed with pam to map the username properly for a best fix (on my 'todo list') ... just hasn't been that important ...
>
> Best short term:
>
> specify the username with the hostname when using the 'ssh' (or scp, i.e. 'scp file user@remote:/tmp' ) ...
>
> In any event, using kerberos/freeradius, there should be some way to make sure that a 'domain\user' is mapped to 'user' on a PDC...
>
> Or it might be the 'ssh' client that "shouldn't" be prepending the windows domainname not sure.
>
> But hopefully gives you some ideas where to look...

Thanks for the reply. Maybe I haven't made myself clear in the first post. I'm not asking for any help relating to FreeRadius; I just want to get basic Samba working properly. Share browsing via guest access works, and I get a number of other successes from other tests, but I can't seem to get login using AD username working, neither locally nor via SSH. To get integration with a native Windows 2003 AD domain, I was to understand I needed Kerberos; was that wrong? Maybe I've complicated things a bit here.

As to the login problem: I'm using OpenSSH on Cygwin on my Win7 PC, and it doesn't matter if I try:

ssh servername
ssh user@servername
ssh domain\user@servername
ssh 'u...@my.domain.name'@servername

They all return the same things in /var/log/messages:

Jun 27 09:58:05 servername sshd[27461]: SSH: Server;Ltype: Version;Remote: 10.73.24.60-18606;Protocol: 2.0;Client: OpenSSH_5.8
Jun 27 09:58:05 servername sshd[27461]: Invalid user usern...@my.domain.name from 10.73.24.60
Jun 27 09:58:05 servername sshd[27463]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jun 27 09:58:08 servername sshd[27463]
[Samba] Problem getting Samba fully working
Hello all,

Relevant info up front: Gentoo PC, using 2.6.38 kernel and Samba 3.4.12.

I'm trying to get a FreeRadius instance working for our Windows network. To do so, I need a Linux box running Samba. I've installed and configured Kerberos, Samba and FreeRadius, and can get most things to work. I can get a Kerberos key using kinit, and "sudo net ads keytab list" shows me tickets. I can use things like "net ads user myuser -U myuser" to get info about my user account. I can use "sudo wbinfo -t" to show the secret trust is OK, and "sudo net ads testjoin" works as well. I can even log on to my switch using RADIUS authentication to my AD account (using ntlm_auth). So a lot of the pieces are working correctly.

However, I cannot seem to be able to ssh into the box with a Windows account. The error I get is in log.wb-MYDOMAIN:

[2011/06/21 07:07:29, 1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
[2011/06/21 07:07:31, 1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
[2011/06/21 07:10:01, 1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
[2011/06/21 07:12:21, 1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!

These occur not only when I try to log on via SSH, but also when no-one is trying to log in, i.e., the system is doing it.

Also, on my GC that is configured as the password server in smb.conf (and the admin_server and the kdc in krb5.conf), I keep getting errors that say:

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:
Source Workstation:
Error Code: 0xC064

And yes, the middle two fields are empty. The reason I know it's my server is because these fill the log with up to 20 or so per second, and as soon as I turn off the server, it stops.

I need to get SSH via Samba auth working so that our network admins can log on to the box using a non-local account and do management if needed.

Can anyone suggest where to start looking? Any help would be appreciated.

Thanks.

John H. Moe
Network Support - Hatch IT