Re: [Samba] Samba/winbind with Active Directory auth

2010-02-02 Thread Robert Freeman-Day

Kris and Johan,

Both of you have not appended your smb.conf files.  Maybe doing that
would help as well.

From what I am seeing, the pam stack Kris gave was authenticating via
winbind which would use either plaintext, lanman, ntlm or ntlmv2 and not
configured to authenticate using kerberos.  The plaintext password
authentication is pretty insecure and this is what I suspect your setup
is attempting to use.  Win 2008 has that disabled by default as well as
(afaik) lanman and ntlm.  If you plan on using winbind to authenticate,
you will likely need to add the following directive in the [global]
section of your smb.conf file:

client ntlmv2 auth = yes

You may then need to restart winbindd and smbd (hell, you could restart
the whole machine if you felt like it).  Tell us if this works out for you.


Volker Lendecke wrote:
 On Tue, Jan 19, 2010 at 08:23:45AM +0400, Alexander R. Fahrutdinov wrote:
 In a message dated Monday 18 January 2010 19:33:00, Kris Kaido wrote:
 Hi List,

 I'm installing a Samba server with the intended purpose of serving files to
 Windows users with seamless authentication on the smb server.
 For that, I've been reading and following every single google search result
 regarding the subject, but it seems I'm stuck at some point where other
 people are not blocked ...

 To summarize, I have these commands OK:
 # kinit admin_u...@domain.example.com
 # klist (ticket ok)
 # net join ads -S server -U admin_user
 # wbinfo -u and -g (both showing DOMAIN\...)
 # wbinfo -t (succeeded)
  
 Try to use Kerberos auth (wbinfo -K login%pass). It's possible, Windows PDC 
 does not support NT-style auth via pipe. Also, try 'nt pipe support = no' 
 option in smb.conf file.
 
 ???
 
 nt pipe support = no
 
 is extremely unlikely to ever help these days.
 
 Volker
 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
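
The directive suggested in the reply above can be checked mechanically. This is an added example, not part of the original thread or of Samba: a small Python audit of the [global] section for the client-side authentication settings. The sample smb.conf, the function names and the target values are assumptions of this example.

```python
import re

# Client-side auth parameters and the value a hardened client should carry
# (the target values are this example's assumption).
WANTED = {"client ntlmv2 auth": True, "client lanman auth": False,
          "client plaintext auth": False}
TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

def norm(name):
    """smb.conf ignores case and whitespace inside parameter names."""
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalised name: raw value} for [global] only.
    Line continuations and include files are not followed."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            params[norm(key)] = value.strip().lower()
    return params

def audit(text):
    """List (parameter, state) for each setting that is not at the wanted value."""
    params, findings = parse_global(text), []
    for name, wanted in WANTED.items():
        value = params.get(norm(name))
        if value is None:
            findings.append((name, "unset"))    # built-in default applies
        elif value not in TRUE | FALSE:
            findings.append((name, "invalid"))
        elif (value in TRUE) != wanted:
            findings.append((name, "weak"))
    return findings

# Constructed sample: ntlmv2 is commented out in [global]; the [share] copy is ignored.
SAMPLE = """\
[global]
   security = ADS
   ; client ntlmv2 auth = yes
   Client LANMAN Auth = Yes
   client plaintext auth = no
[share]
   client ntlmv2 auth = yes
"""

if __name__ == "__main__":
    for name, state in audit(SAMPLE):
        print(f"{name}: {state}")
```

An "unset" result means Samba falls back to its built-in default, which differs between releases, so check the smb.conf man page for the installed version.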

Re: [Samba] Samba/winbind with Active Directory auth

2010-02-02 Thread Johan.Bergstrom
Hello Robert, Kris.

I have tried with client ntlmv2 auth = yes but I'm still getting the problem.

This is output from the messages log;

Feb  2 16:32:26 udcsp03 winbindd[1]: [2010/02/02 16:32:26, 0] 
rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
Feb  2 16:32:26 udcsp03 winbindd[1]:   cli_pipe_verify_schannel: auth_len 
56.

Above Startup

Feb  2 16:32:26 udcsp03 winbindd[20007]: [2010/02/02 16:32:26, 0] 
nsswitch/idmap.c:smb_register_idmap(146)
Feb  2 16:32:26 udcsp03 winbindd[20007]:   Idmap module rid already registered!
Feb  2 16:32:26 udcsp03 winbindd[20007]: [2010/02/02 16:32:26, 0] 
lib/module.c:do_smb_load_module(69)
Feb  2 16:32:26 udcsp03 winbindd[20007]:   Module 
'/usr/lib64/samba/idmap/rid.so' initialization failed: 
NT_STATUS_OBJECT_NAME_COLLISION

The above is from when I do wbinfo -g or wbinfo -u

Feb  2 16:33:07 udcsp03 winbindd[1]: [2010/02/02 16:33:07, 0] 
rpc_client/cli_pipe.c:rpc_api_pipe(790)
Feb  2 16:33:07 udcsp03 winbindd[1]:   rpc_api_pipe: Remote machine 
INFRADC06.sweinfra.se pipe \NETLOGON fnum 0x8008returned critical error. Error 
was NT_STATUS_PIPE_DISCONNECTED

And above the main problem, wbinfo -a domainuser%password

I'm attaching my smb.conf.

/JB

 -Original Message-
 From: Robert Freeman-Day [mailto:pres...@gmail.com]
 Sent: den 2 februari 2010 15:31
 To: Kris Kaido
 Cc: Bergstrom Johan; samba@lists.samba.org
 Subject: Re: [Samba] Samba/winbind with Active Directory auth
 
 
 Kris and Johan,
 
 Both of you have not appended your smb.conf files.  Maybe doing that
 would help as well.
 
 From what I am seeing, the pam stack Kris gave was authenticating via
 winbind which would use either plaintext, lanman, ntlm or ntlmv2 and not
 configured to authenticate using kerberos.  The plaintext password
 authentication is pretty insecure and this is what I suspect your setup
 is attempting to use.  Win 2008 has that disabled by default as well as
 (afaik) lanman and ntlm.  If you plan on using winbind to authenticate,
 you will likely need to add the following directive in the [global]
 section of your smb.conf file:
 
 client ntlmv2 auth = yes
 
 You may then need to restart winbindd and smbd (hell, you could restart
 the whole machine if you felt like it).  Tell us if this works out for
 you.
 
 
 Volker Lendecke wrote:
  On Tue, Jan 19, 2010 at 08:23:45AM +0400, Alexander R. Fahrutdinov wrote:
  In a message dated Monday 18 January 2010 19:33:00, Kris Kaido wrote:
  Hi List,
 
  I'm installing a Samba server with the intended purpose of serving files to
  Windows users with seamless authentication on the smb server.
  For that, I've been reading and following every single google search result
  regarding the subject, but it seems I'm stuck at some point where other
  people are not blocked ...
 
  To summarize, I have these commands OK:
  # kinit admin_u...@domain.example.com
  # klist (ticket ok)
  # net join ads -S server -U admin_user
  # wbinfo -u and -g (both showing DOMAIN\...)
  # wbinfo -t (succeeded)
 
  Try to use Kerberos auth (wbinfo -K login%pass). It's possible, Windows PDC
  does not support NT-style auth via pipe. Also, try 'nt pipe support = no'
  option in smb.conf file.
 
  ???
 
  nt pipe support = no
 
  is extremely unlikely to ever help these days.
 
  Volker
 

[Samba] Samba/winbind with Active Directory auth

2010-01-18 Thread Kris Kaido
Hi List,

I'm installing a Samba server with the intended purpose of serving files to
Windows users with seamless authentication on the smb server.
For that, I've been reading and following every single google search result
regarding the subject, but it seems I'm stuck at some point where other
people are not blocked ...

To summarize, I have these commands OK:
# kinit admin_u...@domain.example.com
# klist (ticket ok)
# net join ads -S server -U admin_user
# wbinfo -u and -g (both showing DOMAIN\...)
# wbinfo -t (succeeded)

I configured PAM to use winbind, and to test it I'm using ssh with the same
config as I will for samba

Here's what I get when I try to ssh into my smb server using my AD
credentials:
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): getting password
(0x)
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): request failed:
Named pipe dicconnected, PAM error was System error (4), NT error was
NT_STATUS_PIPE_DISCONNECTED
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): internal module
error (retval = 4, user = 'DOMAIN\myusername')
Jan 18 15:34:18 smb sshd[9157]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.6
 user= DOMAIN\myusername
Jan 18 15:34:20 smb sshd[9157]: Failed password for DOMAIN\myusername from
192.168.5.6 port 50872 ssh2

Any idea on what this error (NT_STATUS...) means ?

Also when trying this I get an error:
smb:~# wbinfo -a admin_user%admin_pwd
plaintext password authentication failed
Could not authenticate user henry_admin with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_PIPE_DISCONNECTED (0xc0b0)
error messsage was: Named pipe dicconnected
Could not authenticate user admin_user with challenge/response
smb:~#

Here's my PAM config:
auth        sufficient  pam_winbind.so
auth        required    pam_unix.so use_first_pass
account     sufficient  pam_winbind.so
account     required    pam_unix.so
session     required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     sufficient  pam_winbind.so
session     required    pam_unix.so
password    requisite   pam_cracklib.so retry=3 type=
password    sufficient  pam_unix.so nullok use_authtok md5 shadow
password    sufficient  pam_winbind.so use_first_pass
password    required    pam_deny.so

Any help would be greatly appreciated.

Thanks,

k.


Re: [Samba] Samba/winbind with Active Directory auth

2010-01-18 Thread Frank Gruman
On Mon, 2010-01-18 at 16:33 +0100, Kris Kaido wrote:

 Hi List,
 
 I'm installing a Samba server with the intended purpose of serving files to
 Windows users with seamless authentication on the smb server.
 For that, I've been reading and following every single google search result
 regarding the subject, but it seems I'm stuck at some point where other
 people are not blocked ...
 
 To summarize, I have these commands OK:
 # kinit admin_u...@domain.example.com
 # klist (ticket ok)
 # net join ads -S server -U admin_user
 # wbinfo -u and -g (both showing DOMAIN\...)
 # wbinfo -t (succeeded)
 
 I configured PAM to use winbind, and to test it I'm using ssh with the same
 config as I will for samba
 
 Here's what I get when I try to ssh into my smb server using my AD
 credentials:
 Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): getting password
 (0x)
 Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): request failed:
 Named pipe dicconnected, PAM error was System error (4), NT error was
 NT_STATUS_PIPE_DISCONNECTED
 Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): internal module
 error (retval = 4, user = 'DOMAIN\myusername')
 Jan 18 15:34:18 smb sshd[9157]: pam_unix(sshd:auth): authentication failure;
 logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.6
  user= DOMAIN\myusername
 Jan 18 15:34:20 smb sshd[9157]: Failed password for DOMAIN\myusername from
 192.168.5.6 port 50872 ssh2
 
 Any idea on what this error (NT_STATUS...) means ?
 
 Also when trying this I get an error:
 smb:~# wbinfo -a admin_user%admin_pwd
 plaintext password authentication failed
 Could not authenticate user henry_admin with plaintext password
 challenge/response password authentication failed
 error code was NT_STATUS_PIPE_DISCONNECTED (0xc0b0)
 error messsage was: Named pipe dicconnected
 Could not authenticate user admin_user with challenge/response
 smb:~#
 
 Here's my PAM config:
 auth        sufficient  pam_winbind.so
 auth        required    pam_unix.so use_first_pass
 account     sufficient  pam_winbind.so
 account     required    pam_unix.so
 session     required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
 session     sufficient  pam_winbind.so
 session     required    pam_unix.so
 password    requisite   pam_cracklib.so retry=3 type=
 password    sufficient  pam_unix.so nullok use_authtok md5 shadow
 password    sufficient  pam_winbind.so use_first_pass
 password    required    pam_deny.so
 
 Any help would be greatly appreciated.
 
 Thanks,
 
 k.



Two things.

1 - make sure nscd is disabled (not just stopped - disable it to prevent
restarting on the next reboot)
2 - I found that using winbind use default domain = yes caused a lot
of my default authentication issues to go away.  I only have one domain
and so I don't need the extra information / complexity of having to
specify domains.

Regards,
Frank


Re: [Samba] Samba/winbind with Active Directory auth

2010-01-18 Thread Alexander R. Fahrutdinov
In a message dated Monday 18 January 2010 19:33:00, Kris Kaido wrote:
 Hi List,
 
 I'm installing a Samba server with the intended purpose of serving files to
 Windows users with seamless authentication on the smb server.
 For that, I've been reading and following every single google search result
 regarding the subject, but it seems I'm stuck at some point where other
 people are not blocked ...
 
 To summarize, I have these commands OK:
 # kinit admin_u...@domain.example.com
 # klist (ticket ok)
 # net join ads -S server -U admin_user
 # wbinfo -u and -g (both showing DOMAIN\...)
 # wbinfo -t (succeeded)
 
Try to use Kerberos auth (wbinfo -K login%pass). It's possible, Windows PDC 
does not support NT-style auth via pipe. Also, try 'nt pipe support = no' 
option in smb.conf file.

Re: [Samba] Samba/winbind with Active Directory auth

2010-01-18 Thread Volker Lendecke
On Tue, Jan 19, 2010 at 08:23:45AM +0400, Alexander R. Fahrutdinov wrote:
 In a message dated Monday 18 January 2010 19:33:00, Kris Kaido wrote:
  Hi List,
  
  I'm installing a Samba server with the intended purpose of serving files to
  Windows users with seamless authentication on the smb server.
  For that, I've been reading and following every single google search result
  regarding the subject, but it seems I'm stuck at some point where other
  people are not blocked ...
  
  To summarize, I have these commands OK:
  # kinit admin_u...@domain.example.com
  # klist (ticket ok)
  # net join ads -S server -U admin_user
  # wbinfo -u and -g (both showing DOMAIN\...)
  # wbinfo -t (succeeded)
  
 Try to use Kerberos auth (wbinfo -K login%pass). It's possible, Windows PDC 
 does not support NT-style auth via pipe. Also, try 'nt pipe support = no' 
 option in smb.conf file.

???

nt pipe support = no

is extremely unlikely to ever help these days.

Volker



Re: [Samba] Samba, Winbind and Active Directory

2007-08-24 Thread Ed Plese
On 8/23/07, Kevin Gutch [EMAIL PROTECTED] wrote:
 I am trying to set up Samba joining Active Directory. I have done this
 successfully before and have most of my previous files.

 Here is the issue I am seeing.

 I can  kinit [EMAIL PROTECTED]

 I cannot net ads join -U administrator

 I get this message: Failed to join domain: Invalid credentials

I was seeing this same behavior.  Joining the domain as a different user
in the Domain Admins group worked fine though.  Once joined the
administrator user was able to access the shares as normal.


Ed Plese


[Samba] Samba, Winbind and Active Directory

2007-08-23 Thread Kevin Gutch

Hi,

I am trying to set up Samba joining Active Directory. I have done this 
successfully before and have most of my previous files.


Here is the issue I am seeing.

I can  kinit [EMAIL PROTECTED]

I cannot net ads join -U administrator

I get this message: Failed to join domain: Invalid credentials

The only error I seem to find is in my winbind log file.

[2007/08/23 13:06:50, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(491)

[14116]: request interface version
[2007/08/23 13:06:50, 3] 
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)

[14116]: request location of privileged pipe
[2007/08/23 13:06:50, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1273)
[14116]: getgroups root
[2007/08/23 13:06:50, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(491)

[14119]: request interface version
[2007/08/23 13:06:50, 3] 
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)

[14119]: request location of privileged pipe
[2007/08/23 13:06:50, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1273)
[14119]: getgroups root



[Samba] Samba Winbind and Active Directory

2004-08-18 Thread jzorzi
I have a problem with the Winbind setup authenticating Active Directory
Users.

I have setup Fedora Core2 with the minimal setup option

These are the Fedora RPM's that I have installed manually.

openldap-2.1.29-1
openldap-devel-2.1.29-1

krb5-libs-1.3.3-1
krb5-devel-1.3.3-1
krb5-workstation-1.3.3-1

pam_smb-1.1.7-3.1
pam-devel-0.77-40
pam-0.77-40
pam_krb5-2.0.10-1

samba-client-3.0.3-5
samba-common-3.0.3-5
samba-3.0.3-5

I have setup my connect to the AD Server and can do a Kinit.

I have setup winbind and can use wbinfo -u and wbinfo -g and get the desired
results.

I can do a getent passwd and getent group and the desired results are
achieved.

 

I can't however give ownership to a file using an Active Directory account
and can not authenticate to the samba server using a Windows 2003 account.

 

I followed the instructions on this site but I must be missing something

http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

I have verified that nscd is not running but is installed

Here is a sample of my getent passwd

MARKETLINKSOL\jzorzi:x:10019:1:Jay Zorzi:/home/MARKETLINKSOL/jzorzi:/bin/false
MARKETLINKSOL\kclarke:x:10020:1:Kevin Clarke:/home/MARKETLINKSOL/kclarke:/bin/false
MARKETLINKSOL\krbtgt:x:10021:1::/home/MARKETLINKSOL/krbtgt:/bin/false

Here is the global section of my smb.conf file

[global]
realm = MARKETLINKSOL.NET
;ads server = 10.20.1.1   *** This generates an error unless commented out *
security = ADS
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUFF=8192 SO_SNDBUF=8192
workgroup = MARKETLINKSOL
;winbind separator = +
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes

Thank you in advance for your help
