Re: [Samba] Please assist with Winbind issues!

2002-10-09 Thread Andrew Bartlett

[EMAIL PROTECTED] wrote:
> 
> Hello,
> 
> I've been trying for a couple of weeks now to get Samba to authenticate via Winbind 
>to an NT domain.  I've scoured Google and the mailing lists to no avail.  I've tried 
>various configurations that I've found during my searches, but none of them have 
>worked for me.
> 
> I need to be able to authenticate users, that do not have an account on the Linux 
>box, against the NT domain, and automatically create a home directory for them.  This 
>is the purpose of Winbind (except the home directory part, which pam_mkhomedir is 
>supposed to do), as I understand it.  Something between winbind and pam is failing 
>since the connecting user gets authenticated as guest rather than an actual user.
> 
> My current configuration is RedHat 7.3 and Samba 2.2.5.  My most current samba 
>installation is an RPM generated via the makerpms.sh script in the packaging/RedHat 
>folder of the 2.2.5 samba distribution.
> 
> I've added the following compilation flags in the samba2.spec file:  This is my 
>latest attempt, since nothing else seemed to work.
> 
> --with-ssl \
> --with-sslinc=/usr/include/openssl \
> --with-ssllib=/usr/lib/ssl \

SSL support is being removed in Samba 3.0, and is unsupported in 2.2.  
While this is probably unrelated to your problem, don't make your life
more difficult than it needs to be.  No Microsoft client supports SMB
over SSL.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba



RE: [Samba] Please assist with Winbind issues!

2002-10-09 Thread SRuth

John,

Thanks for spotting the typo.  I fixed that, but the behavior is the same as before...

Thank you.

Sven


-----Original Message-----
From: John H. Reinhardt [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 09, 2002 7:25 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Please assist with Winbind issues!


Sven,

Being somewhat of a newbie, I cannot comment on everything that you've 
included here with authority, but I did notice a typographic error in the 
pam_winbind.so line for PAM account checking in your 
"/etc/pam.d/system-auth" file.  It's pointed out below.  Seems like that 
could be the problem since you can authenticate, but just not with the 
correct account.

John Reinhardt


>Message: 14
>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Date: Tue, 8 Oct 2002 17:29:23 -0400
>Subject: [Samba] Please assist with Winbind issues!
>

<>

>Here is my /etc/pam.d/system-auth
>
>auth        required      /lib/security/pam_env.so
>auth        sufficient    /lib/security/pam_winbind.so
>auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
>auth        required      /lib/security/pam_deny.so
>
>account     sufficient    /lib/secutiry/pam_winbind.so

                                    ^^^ <== Typo here...

>account     required      /lib/security/pam_unix.so
>
>password    required      /lib/security/pam_cracklib.so retry=3
>password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
>password    required      /lib/security/pam_deny.so
>
>session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
>session     required      /lib/security/pam_limits.so
>session     required      /lib/security/pam_unix.so
>
>Here is my /etc/samba/smb.conf:
>
>[global]
> workgroup = CHICAGO
> netbios name = SILCHRS03
> server string =
> security = DOMAIN
> encrypt passwords = Yes
> password server = *
> log level = 3
> log file = /var/log/samba/log.%m
> max log size = 50
> large readwrite = Yes
> name resolve order = host wins bcast
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> preferred master = False
> local master = No
> domain master = False
> dns proxy = No
> wins server = 172.30.XXX.XXX
> winbind uid = 1-5
> winbind gid = 1-5
> template shell = /bin/bash
> guest account = ftp
> invalid users = root bin daemon adm sync shutdown halt mail news uucp operator gopher
> printer admin = +PrinterAdmins
> nt acl support = No
> printing = cups
>
>[homes]
> comment = Home Directories
> read only = No
> browseable = No
>
>[printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
>
>
>I really want this to work, so any help is appreciated.
>Please include my e-mail address in any replies.
>
>Thank you!
>
>
>Sven



RE: [Samba] Please assist with Winbind issues!

2002-10-09 Thread SRuth



-----Original Message-----
From: Gareth Davies [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 09, 2002 4:52 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Samba] Please assist with Winbind issues!


Have you tried:

Manually putting password server = IP address rather than *.

>>>Winbind fails to find the domain if I do this.



[homes]
 comment = Home Directories
 browseable = no
 writable = yes
 valid users =%D+%S

The chmod for home directory should be 700, chown to the user and chown
group to 'DOMAIN+Domain Users'

>>>chown doesn't find the domain users or groups.

If you can use getent passwd and getent groups I presume it's just a
permissions thing.

I haven't been able to get pam_mkhomedir.so to work so I just manually
create the accounts.

>>>I don't see pam_mkhomedir working, but I don't think it's getting that far...  I've 
>created home directories for the test accounts, but that doesn't work either.

I'm just writing a guide on how to do it now on Debian 3.0.

Good luck,

 Shaolin - IT Systems
 WB Ltd.
.: http://www.security-forums.com :.


----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 08, 2002 10:29 PM
Subject: [Samba] Please assist with Winbind issues!


> Hello,
>
> I've been trying for a couple of weeks now to get Samba to authenticate
> via Winbind to an NT domain.  I've scoured Google and the mailing lists to
> no avail.  I've tried various configurations that I've found during my
> searches, but none of them have worked for me.
>
> I need to be able to authenticate users, that do not have an account on
> the Linux box, against the NT domain, and automatically create a home
> directory for them.  This is the purpose of Winbind (except the home
> directory part, which pam_mkhomedir is supposed to do), as I understand it.
> Something between winbind and pam is failing since the connecting user gets
> authenticated as guest rather than an actual user.
>
> My current configuration is RedHat 7.3 and Samba 2.2.5.  My most current
> samba installation is an RPM generated via the makerpms.sh script in the
> packaging/RedHat folder of the 2.2.5 samba distribution.
>
> I've added the following compilation flags in the samba2.spec file:  This
> is my latest attempt, since nothing else seemed to work.
>
> --with-ssl \
> --with-sslinc=/usr/include/openssl \
> --with-ssllib=/usr/lib/ssl \
> --with-acl-support \
> --with-winbind \
> --with-winbind-auth-challenge \
>
> 'getent passwd' and 'getent group' work properly so I think winbind works,
> too.  I think the problem lies somewhere with pam, but I'm not a pam guru by
> any stretch of the imagination.
>
> The problem is one I've seen discussed a couple of times, but have not
> seen any kind of resolution.  The next few lines are from the log file of
> the client attempting to connect to the server with an account called
> ilchtest.
>
> [2002/10/08 15:00:50, 3] lib/util_sock.c:open_socket_out(845)
>   Connecting to 10.226.XXX.XXX at port 139
> [2002/10/08 15:00:50, 3] smbd/reply.c:reply_sesssetup_and_X(1045)
>   No such user ilchtest [CHICAGO] - using guest account
>
>
>
> The following is the last line of what 'winbindd -d5 -i' spits out when I
> start it from the root prompt:
>
> tdb(unknown): tdb_brlock failed (fd=10) at offset 4 rw_type=1 lck_type=13
<Not sure if this points to a problem???
>
>
>
>
> The following is what 'winbindd -d5 -i' spits out when the client tries to
> connect:
>
> rpc_read: num_read = 4, read offset: 0, to read: 4
> 18 samr_io_r_close_hnd
> 0018 data1: 
> 001c data2: 
> 0020 data3: 
> 0022 data4: 
> 0024 data5: 00 00 00 00 00 00 00 00
> 002c status: NT_STATUS_OK
> [23826]: sid to gid S-1-5-21-178404139-331375567-1660491571-2273
> [23826]: gid to sid 1
> [23826]: gid to sid 10001
> [23826]: getgroups ftp <---Guest account was nobody and I changed it to ftp.
>
>
>
> Here is my /etc/nsswitch.conf
>
> passwd: files winbind
> shadow: files
> group:  files winbind
>
> #hosts: db files nisplus nis dns
> hosts:  files winbind dns
>
>
>
>
>
> Here is my /etc/pam.d/system-auth
>
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_winbind.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
> auth        required      /lib/security/pam_deny.so
>
> account     sufficient    /lib/secutiry/pam_winbind.so
> account     required      /lib/security/pam_unix.so
>

Re: [Samba] Please assist with Winbind issues!

2002-10-09 Thread John H. Reinhardt

Sven,

Being somewhat of a newbie, I cannot comment on everything that you've 
included here with authority, but I did notice a typographic error in the 
pam_winbind.so line for PAM account checking in your 
"/etc/pam.d/system-auth" file.  It's pointed out below.  Seems like that 
could be the problem since you can authenticate, but just not with the 
correct account.

John Reinhardt


>Message: 14
>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Date: Tue, 8 Oct 2002 17:29:23 -0400
>Subject: [Samba] Please assist with Winbind issues!
>

<>

>Here is my /etc/pam.d/system-auth
>
>auth        required      /lib/security/pam_env.so
>auth        sufficient    /lib/security/pam_winbind.so
>auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
>auth        required      /lib/security/pam_deny.so
>
>account     sufficient    /lib/secutiry/pam_winbind.so

                                    ^^^ <== Typo here...

>account     required      /lib/security/pam_unix.so
>
>password    required      /lib/security/pam_cracklib.so retry=3
>password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
>password    required      /lib/security/pam_deny.so
>
>session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
>session     required      /lib/security/pam_limits.so
>session     required      /lib/security/pam_unix.so
>
>Here is my /etc/samba/smb.conf:
>
>[global]
> workgroup = CHICAGO
> netbios name = SILCHRS03
> server string =
> security = DOMAIN
> encrypt passwords = Yes
> password server = *
> log level = 3
> log file = /var/log/samba/log.%m
> max log size = 50
> large readwrite = Yes
> name resolve order = host wins bcast
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> preferred master = False
> local master = No
> domain master = False
> dns proxy = No
> wins server = 172.30.XXX.XXX
> winbind uid = 1-5
> winbind gid = 1-5
> template shell = /bin/bash
> guest account = ftp
> invalid users = root bin daemon adm sync shutdown halt mail news uucp operator gopher
> printer admin = +PrinterAdmins
> nt acl support = No
> printing = cups
>
>[homes]
> comment = Home Directories
> read only = No
> browseable = No
>
>[printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
>
>
>I really want this to work, so any help is appreciated.
>Please include my e-mail address in any replies.
>
>Thank you!
>
>
>Sven
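
A check for the kind of mistyped module path pointed out in the message above, as an added example that is not part of the original thread. The function name `missing_modules`, the `INSTALLED` set and the default module directory (taken from the paths in the quoted file) are assumptions made for illustration.

```python
import os
import re

# Constructed sample: the auth/account lines from the thread's
# /etc/pam.d/system-auth, with the column spacing restored.
SAMPLE = """\
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/secutiry/pam_winbind.so
account     required      /lib/security/pam_unix.so
"""

# Constructed stand-in for the modules actually installed on the box.
INSTALLED = {"/lib/security/" + m for m in
             ("pam_env.so", "pam_winbind.so", "pam_unix.so", "pam_deny.so")}

# type, control (keyword or [bracketed list]), module path; arguments ignored
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def missing_modules(text, exists=os.path.exists, module_dir="/lib/security"):
    """Return (lineno, type, control, path) for each module that is not on disk."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@"):    # blank, comment, @include
            continue
        m = LINE.match(line)
        if not m:
            continue
        mtype, control, path = m.groups()
        if control in ("include", "substack"):  # names a file, not a module
            continue
        if not path.startswith("/"):            # bare name: default module dir
            path = os.path.join(module_dir, path)
        if not exists(path):
            findings.append((lineno, mtype, control, path))
    return findings


if __name__ == "__main__":
    for lineno, mtype, control, path in missing_modules(SAMPLE, INSTALLED.__contains__):
        quiet = control in ("sufficient", "optional")
        print(f"line {lineno}: {mtype} {control} {path} not found"
              + (" (failure is skipped, stack continues)" if quiet else ""))
```

On a live system, call `missing_modules(open("/etc/pam.d/system-auth").read())` so the default `os.path.exists` check runs against the real filesystem.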




Re: [Samba] Please assist with Winbind issues!

2002-10-09 Thread Gareth Davies

Have you tried:

Manually putting password server = IP address rather than *.



[homes]
 comment = Home Directories
 browseable = no
 writable = yes
 valid users =%D+%S

The chmod for home directory should be 700, chown to the user and chown
group to 'DOMAIN+Domain Users'

If you can use getent passwd and getent groups I presume it's just a
permissions thing.

I haven't been able to get pam_mkhomedir.so to work so I just manually
create the accounts.

I'm just writing a guide on how to do it now on Debian 3.0.

Good luck,

 Shaolin - IT Systems
 WB Ltd.
.: http://www.security-forums.com :.


----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 08, 2002 10:29 PM
Subject: [Samba] Please assist with Winbind issues!


> Hello,
>
> I've been trying for a couple of weeks now to get Samba to authenticate
> via Winbind to an NT domain.  I've scoured Google and the mailing lists to
> no avail.  I've tried various configurations that I've found during my
> searches, but none of them have worked for me.
>
> I need to be able to authenticate users, that do not have an account on
> the Linux box, against the NT domain, and automatically create a home
> directory for them.  This is the purpose of Winbind (except the home
> directory part, which pam_mkhomedir is supposed to do), as I understand it.
> Something between winbind and pam is failing since the connecting user gets
> authenticated as guest rather than an actual user.
>
> My current configuration is RedHat 7.3 and Samba 2.2.5.  My most current
> samba installation is an RPM generated via the makerpms.sh script in the
> packaging/RedHat folder of the 2.2.5 samba distribution.
>
> I've added the following compilation flags in the samba2.spec file:  This
> is my latest attempt, since nothing else seemed to work.
>
> --with-ssl \
> --with-sslinc=/usr/include/openssl \
> --with-ssllib=/usr/lib/ssl \
> --with-acl-support \
> --with-winbind \
> --with-winbind-auth-challenge \
>
> 'getent passwd' and 'getent group' work properly so I think winbind works,
> too.  I think the problem lies somewhere with pam, but I'm not a pam guru by
> any stretch of the imagination.
>
> The problem is one I've seen discussed a couple of times, but have not
> seen any kind of resolution.  The next few lines are from the log file of
> the client attempting to connect to the server with an account called
> ilchtest.
>
> [2002/10/08 15:00:50, 3] lib/util_sock.c:open_socket_out(845)
>   Connecting to 10.226.XXX.XXX at port 139
> [2002/10/08 15:00:50, 3] smbd/reply.c:reply_sesssetup_and_X(1045)
>   No such user ilchtest [CHICAGO] - using guest account
>
>
>
> The following is the last line of what 'winbindd -d5 -i' spits out when I
> start it from the root prompt:
>
> tdb(unknown): tdb_brlock failed (fd=10) at offset 4 rw_type=1 lck_type=13

>
>
>
> The following is what 'winbindd -d5 -i' spits out when the client tries to
> connect:
>
> rpc_read: num_read = 4, read offset: 0, to read: 4
> 18 samr_io_r_close_hnd
> 0018 data1: 
> 001c data2: 
> 0020 data3: 
> 0022 data4: 
> 0024 data5: 00 00 00 00 00 00 00 00
> 002c status: NT_STATUS_OK
> [23826]: sid to gid S-1-5-21-178404139-331375567-1660491571-2273
> [23826]: gid to sid 1
> [23826]: gid to sid 10001
> [23826]: getgroups ftp <---Guest account was nobody and I changed it to ftp.
>
>
>
> Here is my /etc/nsswitch.conf
>
> passwd: files winbind
> shadow: files
> group:  files winbind
>
> #hosts: db files nisplus nis dns
> hosts:  files winbind dns
>
>
>
>
>
> Here is my /etc/pam.d/system-auth
>
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_winbind.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
> auth        required      /lib/security/pam_deny.so
>
> account     sufficient    /lib/secutiry/pam_winbind.so
> account     required      /lib/security/pam_unix.so
>
> password    required      /lib/security/pam_cracklib.so retry=3
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password    required      /lib/security/pam_deny.so
>
> session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
>
> Here is my /etc/samba/smb.conf:
>
> [global]
> workgroup = CHICAGO
> netbios name = SILCHRS03
> server string =
> security = DOMAIN
> encrypt passwords = Yes
> password server = *
> log level = 3
> log file = /var/log/samba/log.%m
> max log size = 50
> large readwrite = Yes
> name resolve order = host wins bcast
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> preferred master = False
> local master = No
> domain master = False
> dns proxy = No
>