Re: [Samba] Samba/winbind with Active Directory auth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kris and Johan, Both of you have not appended your smb.conf files. Maybe doing that would help as well. - From what I am seeing, the pam stack Kris gave was authenticating via winbind which would use either plaintext, lanman, ntlm or ntlmv2 and not configured to authenticate using kerberos. The plaintext password authentication is pretty insecure and this is what I suspect your setup is attempting to use. Win 2008 has that disabled by default as well as (afaik) lanman and ntlm. If you plan on using winbind to authenticate, you will likely need to add the following directive in the [global] section of your smb.conf file: client ntlmv2 auth = yes You may then need to restart winbindd and smbd (hell, you could restart the whole machine if you felt like it). Tell us if this works out for you. Volker Lendecke wrote: On Tue, Jan 19, 2010 at 08:23:45AM +0400, Alexander R. Fahrutdinov wrote: В сообщении от Понедельник 18 января 2010 19:33:00 автор Kris Kaido написал: Hi List, I'm installing a Samba server with the intended purpose of serving files to Windows users with seamless authentication on the smb server. For that, I've been reading and following every single google search result regarding the subject, but it seems I'm stuck at some point where other people are not blocked ... To summarize, I have these commands OK: # kinit admin_u...@domain.example.com # klist (ticket ok) # net join ads -S server -U admin_user # wbinfo -u and -g (both showing DOMAIN\...) # wbinfo -t (succeeded) Try to use Kerberos auth (wbinfo -K login%pass). It's possible, Windows PDC does not support NT-style auth via pipe. Also, try 'nt pipe support = no' option in smb.conf file. ??? nt pipe support = no is extremely unlikely to ever help these days. Volker -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAktoNyMACgkQup357T5MfTZZQACfddZOp6HuFaC7yQ4ccQY3s/Gx DqQAn3/1pdGzOj+LnnNEFNiabeMff/Qq =F63l -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba/winbind with Active Directory auth
Hello Robert, Kris. I have tried with client ntlmv2 auth = yes but I'm still getting the problem. This is output from the messages log; Feb 2 16:32:26 udcsp03 winbindd[1]: [2010/02/02 16:32:26, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354) Feb 2 16:32:26 udcsp03 winbindd[1]: cli_pipe_verify_schannel: auth_len 56. Above Startup Feb 2 16:32:26 udcsp03 winbindd[20007]: [2010/02/02 16:32:26, 0] nsswitch/idmap.c:smb_register_idmap(146) Feb 2 16:32:26 udcsp03 winbindd[20007]: Idmap module rid already registered! Feb 2 16:32:26 udcsp03 winbindd[20007]: [2010/02/02 16:32:26, 0] lib/module.c:do_smb_load_module(69) Feb 2 16:32:26 udcsp03 winbindd[20007]: Module '/usr/lib64/samba/idmap/rid.so' initialization failed: NT_STATUS_OBJECT_NAME_COLLISION The above is from when I do wbinfo -g or wbinfo -u Feb 2 16:33:07 udcsp03 winbindd[1]: [2010/02/02 16:33:07, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) Feb 2 16:33:07 udcsp03 winbindd[1]: rpc_api_pipe: Remote machine INFRADC06.sweinfra.se pipe \NETLOGON fnum 0x8008returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED And above the main problem, wbinfo -a domainuser%password I'm attaching my smb.conf. /JB -Original Message- From: Robert Freeman-Day [mailto:pres...@gmail.com] Sent: den 2 februari 2010 15:31 To: Kris Kaido Cc: Bergstrom Johan; samba@lists.samba.org Subject: Re: [Samba] Samba/winbind with Active Directory auth -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kris and Johan, Both of you have not appended your smb.conf files. Maybe doing that would help as well. - From what I am seeing, the pam stack Kris gave was authenticating via winbind which would use either plaintext, lanman, ntlm or ntlmv2 and not configured to authenticate using kerberos. The plaintext password authentication is pretty insecure and this is what I suspect your setup is attempting to use. Win 2008 has that disabled by default as well as (afaik) lanman and ntlm. If you plan on using winbind to authenticate, you will likely need to add the following directive in the [global] section of your smb.conf file: client ntlmv2 auth = yes You may then need to restart winbindd and smbd (hell, you could restart the whole machine if you felt like it). Tell us if this works out for you. Volker Lendecke wrote: On Tue, Jan 19, 2010 at 08:23:45AM +0400, Alexander R. Fahrutdinov wrote: В сообщении от Понедельник 18 января 2010 19:33:00 автор Kris Kaido написал: Hi List, I'm installing a Samba server with the intended purpose of serving files to Windows users with seamless authentication on the smb server. For that, I've been reading and following every single google search result regarding the subject, but it seems I'm stuck at some point where other people are not blocked ... To summarize, I have these commands OK: # kinit admin_u...@domain.example.com # klist (ticket ok) # net join ads -S server -U admin_user # wbinfo -u and -g (both showing DOMAIN\...) # wbinfo -t (succeeded) Try to use Kerberos auth (wbinfo -K login%pass). It's possible, Windows PDC does not support NT-style auth via pipe. Also, try 'nt pipe support = no' option in smb.conf file. ??? nt pipe support = no is extremely unlikely to ever help these days. Volker -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAktoNyMACgkQup357T5MfTZZQACfddZOp6HuFaC7yQ4ccQY3s/Gx DqQAn3/1pdGzOj+LnnNEFNiabeMff/Qq =F63l -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba/winbind with Active Directory auth
Hi List, I'm installing a Samba server with the intended purpose of serving files to Windows users with seamless authentication on the smb server. For that, I've been reading and following every single google search result regarding the subject, but it seems I'm stuck at some point where other people are not blocked ... To summarize, I have these commands OK: # kinit admin_u...@domain.example.com # klist (ticket ok) # net join ads -S server -U admin_user # wbinfo -u and -g (both showing DOMAIN\...) # wbinfo -t (succeeded) I configured PAM to use winbind, and to test it I'm using ssh with the same config as I will for samba Here's what I get when I try to ssh into my smb server using my AD credentials: Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): getting password (0x) Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): request failed: Named pipe dicconnected, PAM error was System error (4), NT error was NT_STATUS_PIPE_DISCONNECTED Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): internal module error (retval = 4, user = 'DOMAIN\myusername') Jan 18 15:34:18 smb sshd[9157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.6 user= DOMAIN\myusername Jan 18 15:34:20 smb sshd[9157]: Failed password for DOMAIN\myusername from 192.168.5.6 port 50872 ssh2 Any idea on what this error (NT_STATUS...) means ? Also when trying this I get an error: smb:~# wbinfo -a admin_user%admin_pwd plaintext password authentication failed Could not authenticate user henry_admin with plaintext password challenge/response password authentication failed error code was NT_STATUS_PIPE_DISCONNECTED (0xc0b0) error messsage was: Named pipe dicconnected Could not authenticate user admin_user with challenge/response smb:~# Here's my PAM config: authsufficient pam_winbind.so authrequiredpam_unix.so use_first_pass account sufficient pam_winbind.so account requiredpam_unix.so session requiredpam_mkhomedir.so skel=/etc/skel/ umask=0022 session sufficient pam_winbind.so session requiredpam_unix.so passwordrequisite pam_cracklib.so retry=3 type= passwordsufficient pam_unix.so nullok use_authtok md5 shadow passwordsufficient pam_winbind.so use_first_pass passwordrequiredpam_deny.so Any help would be greatly appreciated. Thanks, k. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba/winbind with Active Directory auth
On Mon, 2010-01-18 at 16:33 +0100, Kris Kaido wrote: Hi List, I'm installing a Samba server with the intended purpose of serving files to Windows users with seamless authentication on the smb server. For that, I've been reading and following every single google search result regarding the subject, but it seems I'm stuck at some point where other people are not blocked ... To summarize, I have these commands OK: # kinit admin_u...@domain.example.com # klist (ticket ok) # net join ads -S server -U admin_user # wbinfo -u and -g (both showing DOMAIN\...) # wbinfo -t (succeeded) I configured PAM to use winbind, and to test it I'm using ssh with the same config as I will for samba Here's what I get when I try to ssh into my smb server using my AD credentials: Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): getting password (0x) Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): request failed: Named pipe dicconnected, PAM error was System error (4), NT error was NT_STATUS_PIPE_DISCONNECTED Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): internal module error (retval = 4, user = 'DOMAIN\myusername') Jan 18 15:34:18 smb sshd[9157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.6 user= DOMAIN\myusername Jan 18 15:34:20 smb sshd[9157]: Failed password for DOMAIN\myusername from 192.168.5.6 port 50872 ssh2 Any idea on what this error (NT_STATUS...) means ? Also when trying this I get an error: smb:~# wbinfo -a admin_user%admin_pwd plaintext password authentication failed Could not authenticate user henry_admin with plaintext password challenge/response password authentication failed error code was NT_STATUS_PIPE_DISCONNECTED (0xc0b0) error messsage was: Named pipe dicconnected Could not authenticate user admin_user with challenge/response smb:~# Here's my PAM config: authsufficient pam_winbind.so authrequiredpam_unix.so use_first_pass account sufficient pam_winbind.so account requiredpam_unix.so session requiredpam_mkhomedir.so skel=/etc/skel/ umask=0022 session sufficient pam_winbind.so session requiredpam_unix.so passwordrequisite pam_cracklib.so retry=3 type= passwordsufficient pam_unix.so nullok use_authtok md5 shadow passwordsufficient pam_winbind.so use_first_pass passwordrequiredpam_deny.so Any help would be greatly appreciated. Thanks, k. Two things. 1 - make sure nscd is disabled (not just stopped - disable it to prevent restarting on the next reboot) 2 - I found that using winbind use default domain = yes caused a lot of my default authentication issues to go away. I only have one domain and so I don't need the extra information / complexity of having to specify domains. Regards, Frank -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba/winbind with Active Directory auth
В сообщении от Понедельник 18 января 2010 19:33:00 автор Kris Kaido написал: Hi List, I'm installing a Samba server with the intended purpose of serving files to Windows users with seamless authentication on the smb server. For that, I've been reading and following every single google search result regarding the subject, but it seems I'm stuck at some point where other people are not blocked ... To summarize, I have these commands OK: # kinit admin_u...@domain.example.com # klist (ticket ok) # net join ads -S server -U admin_user # wbinfo -u and -g (both showing DOMAIN\...) # wbinfo -t (succeeded) Try to use Kerberos auth (wbinfo -K login%pass). It's possible, Windows PDC does not support NT-style auth via pipe. Also, try 'nt pipe support = no' option in smb.conf file. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba/winbind with Active Directory auth
On Tue, Jan 19, 2010 at 08:23:45AM +0400, Alexander R. Fahrutdinov wrote: В сообщении от Понедельник 18 января 2010 19:33:00 автор Kris Kaido написал: Hi List, I'm installing a Samba server with the intended purpose of serving files to Windows users with seamless authentication on the smb server. For that, I've been reading and following every single google search result regarding the subject, but it seems I'm stuck at some point where other people are not blocked ... To summarize, I have these commands OK: # kinit admin_u...@domain.example.com # klist (ticket ok) # net join ads -S server -U admin_user # wbinfo -u and -g (both showing DOMAIN\...) # wbinfo -t (succeeded) Try to use Kerberos auth (wbinfo -K login%pass). It's possible, Windows PDC does not support NT-style auth via pipe. Also, try 'nt pipe support = no' option in smb.conf file. ??? nt pipe support = no is extremely unlikely to ever help these days. Volker signature.asc Description: Digital signature -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba, Winbind and Active Directory
On 8/23/07, Kevin Gutch [EMAIL PROTECTED] wrote: I am trying to set up Samba joining Active Directory. I have done this successfully before and have most of my previous files. Here is the issue I am seeing. I can kinit [EMAIL PROTECTED] I cannot net ads join -U administrator I get thus message: Failed to join domain: Invalid credentials I was seeing this same behavior. Joining the domain as a different user in the Domain Admins group worked fine though. Once joined the adminisitrator user was able to access the shares as normal. Ed Plese -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba, Winbind and Active Directory
Hi, I am trying to set up Samba joining Active Directory. I have done this successfully before and have most of my previous files. Here is the issue I am seeing. I can kinit [EMAIL PROTECTED] I cannot net ads join -U administrator I get thus message: Failed to join domain: Invalid credentials The only error I seem to find is in my winbind log file. [2007/08/23 13:06:50, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491) [14116]: request interface version [2007/08/23 13:06:50, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524) [14116]: request location of privileged pipe [2007/08/23 13:06:50, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1273) [14116]: getgroups root [2007/08/23 13:06:50, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491) [14119]: request interface version [2007/08/23 13:06:50, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524) [14119]: request location of privileged pipe [2007/08/23 13:06:50, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1273) [14119]: getgroups root -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba Winbind and Active Directory
I have a problem with the Winbind setup authenticating Active Directory Users. I have setup Fedora Core2 with the minimal setup option These are the Fedora RPM's that I have installed manually. openldap-2.1.29-1 openldap-devel-2.1.29-1 krb5-libs-1.3.3-1 krb5-devel-1.3.3-1 krb5-workstation-1.3.3-1 pam_smb-1.1.7-3.1 pam-devel-0.77-40 pam-0.77-40 pam_krb5-2.0.10-1 samba-client-3.0.3-5 samba-common-3.0.3-5 samba-3.0.3-5 I have setup my connect to the AD Server and can do a Kinit. I have setup winbind and can use wbinfo -u and wbinfo -g and get the desired results. I can do a getent passwd and getent group and the desired results are achieved. I can't however give ownership to a file using an Active Directory account and can not authenticate to the samba server using a Windows 2003 account. I followed the instructions on this site but I must be missing something http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html I have verified that nscd is not running but is installed Here is a sample of my getent passwd MARKETLINKSOL\jzorzi:x:10019:1:Jay Zorzi:/home/MARKETLINKSOL/jzorzi:/bin/false MARKETLINKSOL\kclarke:x:10020:1:Kevin Clarke:/home/MARKETLINKSOL/kclarke:/bin/false MARKETLINKSOL\krbtgt:x:10021:1::/home/MARKETLINKSOL/krbtgt:/bin/false Here is the global section of my smb.conf file [global] realm = MARKETLINKSOL.NET ;ads server = 10.20.1.1 *** This generates an error unless commented out * security = ADS encrypt passwords = yes socket options = TCP_NODELAY SO_RCVBUFF=8192 SO_SNDBUF=8192 workgroup = MARKETLINKSOL ;winbind separator = + idmap uid = 1-2 idmap gid = 1-2 winbind enum users = yes winbind enum groups = yes Thank you in advance for your help -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba