Re: [Samba] Samba/ADS Question
Any further word on this for me? tnx. On 10/11/07, Chris Nighswonger <[EMAIL PROTECTED]> wrote: > On 10/11/07, simo <[EMAIL PROTECTED]> wrote: > > Are you using pam_winbindd to log in? > > I think so... (I'm very new to samba and have been following docs and > tutorials...) > > Here is the output of a grep through the pam.d files: > > [EMAIL PROTECTED] cnighswonger]# grep -E pam_winbind.so /etc/pam.d/* > /etc/pam.d/system-auth:authsufficientpam_winbind.so use_first_pass > /etc/pam.d/system-auth:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so > /etc/pam.d/system-auth:passwordsufficientpam_winbind.so use_authtok > /etc/pam.d/system-auth-ac:authsufficientpam_winbind.so > use_first_pass > /etc/pam.d/system-auth-ac:account [default=bad success=ok > user_unknown=ignore] pam_winbind.so > /etc/pam.d/system-auth-ac:passwordsufficientpam_winbind.so use_authtok > > > If so you can configure /etc/security/pam_winbind.conf to use krb5_auth > > = yes and krb5_ccache_type = FILE, this would store your kerberos > > credentials so that libsmbclient should be able to pick them up when > > browsing servers and use them. > > I uncommented these two lines in pam_winbind.conf and then restarted > nmbd, smbd, and winbindd. After loggin back in, I am still prompted > when browsing to windows shares. > > Maybe I am not really using pam_winbindd after all? > > Thanks for the help. > > Regards, > Chris > -- Chris Nighswonger Network & Systems Director Foundations Bible College & Seminary www.foundations.edu www.fbcradio.org [EMAIL PROTECTED] V:910-892-8761 C:919-820-5473 - NOTICE: The information contained in this electronic mail message is intended only for the use of the intended recipient, and may also be protected by the Electronic Communications Privacy Act, 18 USC Sections 2510-2521. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please reply to the sender, and delete the original message. Thank you. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba/ADS Question
On 10/11/07, simo <[EMAIL PROTECTED]> wrote: > Are you using pam_winbindd to log in? I think so... (I'm very new to samba and have been following docs and tutorials...) Here is the output of a grep through the pam.d files: [EMAIL PROTECTED] cnighswonger]# grep -E pam_winbind.so /etc/pam.d/* /etc/pam.d/system-auth:authsufficientpam_winbind.so use_first_pass /etc/pam.d/system-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so /etc/pam.d/system-auth:passwordsufficientpam_winbind.so use_authtok /etc/pam.d/system-auth-ac:authsufficientpam_winbind.so use_first_pass /etc/pam.d/system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so /etc/pam.d/system-auth-ac:passwordsufficientpam_winbind.so use_authtok > If so you can configure /etc/security/pam_winbind.conf to use krb5_auth > = yes and krb5_ccache_type = FILE, this would store your kerberos > credentials so that libsmbclient should be able to pick them up when > browsing servers and use them. I uncommented these two lines in pam_winbind.conf and then restarted nmbd, smbd, and winbindd. After loggin back in, I am still prompted when browsing to windows shares. Maybe I am not really using pam_winbindd after all? Thanks for the help. Regards, Chris -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba/ADS Question
On Thu, 2007-10-11 at 11:59 -0400, Chris Nighswonger wrote: > I have successfully joined a Fedora7 client to a W2K AD domain. > Everything thus far works as it should. All of my ADS members can log > onto the machine, etc. However, when using Nautilus to browse the > network, Windows shares are visible, but the user is always prompted > for authentication regardless of the permissioning on the the windows > share. It appears that samba is using the guest account to attempt the > access. I cannot seem to get Google to turn up anything significant on > this one. Any help is appreciated. Are you using pam_winbindd to log in? If so you can configure /etc/security/pam_winbind.conf to use krb5_auth = yes and krb5_ccache_type = FILE, this would store your kerberos credentials so that libsmbclient should be able to pick them up when browsing servers and use them. Simo. -- Simo Sorce Samba Team GPL Compliance Officer <[EMAIL PROTECTED]> Senior Software Engineer at Red Hat Inc. <[EMAIL PROTECTED]> -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba/ADS Question
I have successfully joined a Fedora7 client to a W2K AD domain. Everything thus far works as it should. All of my ADS members can log onto the machine, etc. However, when using Nautilus to browse the network, Windows shares are visible, but the user is always prompted for authentication regardless of the permissioning on the the windows share. It appears that samba is using the guest account to attempt the access. I cannot seem to get Google to turn up anything significant on this one. Any help is appreciated. Regards, Chris -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ADS question
I had this issue and learned that it was a misunderstanding of mine that once i added the samba server to the domain and enabled winbind that it would authenticate all my ADS users without intervention. However, upon further investication I found that only users that had an account with the same name on the samba server would be authenticated to the share. To make a long story short, you need to do so more configuration with winbind allowing it to do the following, get domain user information, communicate with PDC for authentication and use PAM for something or the other. Just look up the winbind section in the samba reference guide and you will see what I'm speaking of. Good luck - Original Message - From: "Michael Wray" <[EMAIL PROTECTED]> To: Sent: Wednesday, March 09, 2005 4:04 PM Subject: Re: [Samba] ADS question > On Wednesday 09 March 2005 8:56 am, Marcus Franke wrote: > > Hi, > > > > > [public] > > > comment = Backup Verzeichnis > > > path = /mnt/backup > > > admin users = DOMAIN+Administrator, root > > > valid users = DOMAIN+Administrator, root > > > > > > The administrator of my Windows domain now should be able > > > to access the "public" share. But when I try to access the > > > box I am asked for a username and a password. > > > > > > I found, that getent passwd and group does not list the > > > domain users and groups, just my local users and groups > > > > > > >from /etc/passwd and /etc/groups. > > > > After some more searching, I tuned the loglevel up to 10 and > > found these entries in winbindd.log: > > > > [2005/03/09 15:37:00, 0] > > libsmb/cliconnect.c:cli_session_setup_spnego(764) > > Kinit failed: Preauthentication failed > > [2005/03/09 15:38:12, 1] > > nsswitch/winbindd_group.c:winbindd_getgroups(1032) > > user 'marcus' does not exist > > [2005/03/09 15:38:28, 1] > > nsswitch/winbindd_group.c:winbindd_getgroups(1032) > > user 'root' does not exist > > [2005/03/09 15:40:00, 1] > > nsswitch/winbindd_group.c:winbindd_getgroups(1032) > > user 'root' does not exist > > [2005/03/09 15:42:00, 0] > > libsmb/cliconnect.c:cli_session_setup_spnego(764) > > Kinit failed: Preauthentication failed > > > > kinit failed? > > > > I can use wbinfo -[sgu] even from the local user "marcus" > > and get positive info from it, why not when invoked from > > the server? > > > > I can mail the smbd log for the machine I am trying to connect > > to the server. But the output is huge (41k) and I would not > > like to post it directly to the list :) > > > > Any suggestions? I would be happy for every hint. > > > > > > Marcus > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ADS question
On Wednesday 09 March 2005 8:56 am, Marcus Franke wrote: > Hi, > > > [public] > > comment = Backup Verzeichnis > > path = /mnt/backup > > admin users = DOMAIN+Administrator, root > > valid users = DOMAIN+Administrator, root > > > > The administrator of my Windows domain now should be able > > to access the "public" share. But when I try to access the > > box I am asked for a username and a password. > > > > I found, that getent passwd and group does not list the > > domain users and groups, just my local users and groups > > > > >from /etc/passwd and /etc/groups. > > After some more searching, I tuned the loglevel up to 10 and > found these entries in winbindd.log: > > [2005/03/09 15:37:00, 0] > libsmb/cliconnect.c:cli_session_setup_spnego(764) > Kinit failed: Preauthentication failed > [2005/03/09 15:38:12, 1] > nsswitch/winbindd_group.c:winbindd_getgroups(1032) > user 'marcus' does not exist > [2005/03/09 15:38:28, 1] > nsswitch/winbindd_group.c:winbindd_getgroups(1032) > user 'root' does not exist > [2005/03/09 15:40:00, 1] > nsswitch/winbindd_group.c:winbindd_getgroups(1032) > user 'root' does not exist > [2005/03/09 15:42:00, 0] > libsmb/cliconnect.c:cli_session_setup_spnego(764) > Kinit failed: Preauthentication failed > > kinit failed? > > I can use wbinfo -[sgu] even from the local user "marcus" > and get positive info from it, why not when invoked from > the server? > > I can mail the smbd log for the machine I am trying to connect > to the server. But the output is huge (41k) and I would not > like to post it directly to the list :) > > Any suggestions? I would be happy for every hint. > > > Marcus -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ADS question
Hi, > [public] > comment = Backup Verzeichnis > path = /mnt/backup > admin users = DOMAIN+Administrator, root > valid users = DOMAIN+Administrator, root > > The administrator of my Windows domain now should be able > to access the "public" share. But when I try to access the > box I am asked for a username and a password. > > I found, that getent passwd and group does not list the > domain users and groups, just my local users and groups > >from /etc/passwd and /etc/groups. After some more searching, I tuned the loglevel up to 10 and found these entries in winbindd.log: [2005/03/09 15:37:00, 0] libsmb/cliconnect.c:cli_session_setup_spnego(764) Kinit failed: Preauthentication failed [2005/03/09 15:38:12, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032) user 'marcus' does not exist [2005/03/09 15:38:28, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032) user 'root' does not exist [2005/03/09 15:40:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032) user 'root' does not exist [2005/03/09 15:42:00, 0] libsmb/cliconnect.c:cli_session_setup_spnego(764) Kinit failed: Preauthentication failed kinit failed? I can use wbinfo -[sgu] even from the local user "marcus" and get positive info from it, why not when invoked from the server? I can mail the smbd log for the machine I am trying to connect to the server. But the output is huge (41k) and I would not like to post it directly to the list :) Any suggestions? I would be happy for every hint. Marcus -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ADS question
Am Mittwoch, den 09.03.2005, 08:43 +0100 schrieb Marcus Franke: > Greetings, > > I managed to join my samba server into my ActiveDirectory domain. > > wbinfo -g or -u shows the groups and users in my Windows domain. > > But how do I use it for granting or denying access to my shares? > Ok, did some further investigations and found the following: [public] comment = Backup Verzeichnis path = /mnt/backup admin users = DOMAIN+Administrator, root valid users = DOMAIN+Administrator, root The administrator of my Windows domain now should be able to access the "public" share. But when I try to access the box I am asked for a username and a password. I found, that getent passwd and group does not list the domain users and groups, just my local users and groups from /etc/passwd and /etc/groups. Am I doing something completely wrong? I used the doc from: http://us2.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-adssdm Marcus -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] ADS question
Greetings, I managed to join my samba server into my ActiveDirectory domain. wbinfo -g or -u shows the groups and users in my Windows domain. But how do I use it for granting or denying access to my shares? Marcus -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
