[Bug 996293] Re: Cannot login using active directory users ( Unknown id: $username )
Hello Scott,

The exact idmap config that had the problem is as follows:

    idmap config * : backend = tdb # automatically generated by samba
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 1 - 2

There was no idmap config * : range configured. No errors were generated when I ran testparm or in the logs. Later, I tried adding idmap config * : range and that fixed the issue.

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/996293

Title:
  Cannot login using active directory users ( Unknown id: $username )

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/996293/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 996293] Re: Cannot login using active directory users ( Unknown id: $username )
I've identified the problem. The lack of a default idmap range (idmap config * : range = X - Y) is causing the error. I am not sure if this can be classified as a bug since a range was specified for the domain itself and samba generates a default idmap config * : backend = tdb if it's not specified. In any case, specifying idmap config * : range fixes it.
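A check for the condition described in the two messages above, as an added example that is not part of the original bug report or of Samba: it parses the `idmap config` lines of an smb.conf and reports every idmap domain, including the default `*`, that has no usable range, which is the case the reporter says testparm did not flag. The function names and the sample configurations (ranges included) are constructed for illustration.

```python
import re

# "idmap config DOMAIN : option = value" parameter lines from smb.conf.
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>[^:]+?)\s*:\s*(?P<opt>[\w ]+?)\s*=\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["domain"], {})[m["opt"].lower()] = m["val"]
    return domains


def check_idmap(conf_text):
    """Return a list of findings; empty means every idmap domain has a range."""
    domains = parse_idmap(conf_text)
    # Per the thread, Samba generates 'idmap config * : backend = tdb' on its
    # own, so the default domain exists even if smb.conf never mentions it.
    domains.setdefault("*", {})
    findings = []
    for name, opts in sorted(domains.items()):
        rng = opts.get("range")
        if rng is None:
            findings.append(f"{name}: no range configured")
            continue
        m = RANGE_RE.match(rng)
        if not m or int(m[1]) >= int(m[2]):
            findings.append(f"{name}: invalid range '{rng}'")
    return findings


# Constructed sample: a domain range is set but the default domain has none.
BROKEN = """
[global]
   workgroup = EXAMPLE
   security = ads
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000 - 19999
"""

# Constructed sample: the same configuration with a default range added.
FIXED = BROKEN + """   idmap config * : backend = tdb
   idmap config * : range = 3000 - 7999
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_idmap(conf) or "ok")
```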
[Bug 996293] [NEW] Cannot login using active directory users ( Unknown id: $username )
Public bug reported:

I'm currently having this issue on Ubuntu 12.04. I've verified that I've done everything listed in https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto. The smb.conf configuration I'm using is the same as the one I used in 10.04 (which works) with the exception that idmap config is used in place of idmap backend/uid/gid.

- wbinfo -u / -g lists all the active directory users / groups just fine.
- getent passwd / group fails at listing active directory users / groups.
- wbinfo -a $username authenticates the user properly.
- wbinfo -i $username fails to display the user info.

I've attached my nsswitch, pam, and samba configuration as well as test.log which contains a log of the commands I've used to try to troubleshoot this issue. I haven't seen anything unusual in the winbind logs.

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New
[Bug 556285] [NEW] cannot change password of AD user when using pam_winbind
Public bug reported:

Binary package hint: samba

I've been doing these tests on Karmic using the Lucid winbind pam-config.

When trying to change the user's password using the Lucid winbind pam-config, I get the following:

    $ passwd
    passwd: Authentication token manipulation error
    passwd: password unchanged

I've attached a patch for the winbind pam-config which at least recognizes the username, but I still get the following error:

    $ passwd
    Changing password for EXAMPLE\user
    (current) NT password:
    passwd: Authentication token manipulation error
    passwd: password unchanged

Some more details about the diff patch:

1. For the auth module, I've changed 'try_first_pass' to 'use_first_pass' so that it insists that the credentials used for authentication are the ones initially entered by the user. Whether that's a good thing or not, I have no idea. 'try_first_pass' might be a better idea if there is a chance that the username exists in both /etc/passwd and active directory but have different passwords.

2. I've changed the 'Password-Type' from 'Additional' to 'Primary'. With the 'Additional' setting, any failure in pam_unix.so (e.g. user does not exist in /etc/passwd) means that pam_deny.so is the next module so pam_winbind.so is never executed. For both 'Password' and 'Password-Initial', I've changed the control from 'requisite' to '[success=end default=ignore]' so that it stacks properly with any other module that may also be in use.

3. I've added pam_mkhomedir.so as an optional module in the session type since it uses /etc/skel while the 'mkhomedir' argument for pam_winbind.so does not. Again, whether this is a good thing or not, I have no idea.

P.S. Apologies if the diff patch contains more than that which is relevant with this issue.

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/556285
[Bug 556285] Re: cannot change password of AD user when using pam_winbind
** Patch added: diff patch for /usr/share/pam-configs/winbind
   http://launchpadlibrarian.net/43225229/winbind.diff

** Description changed:

  Binary package hint: samba

  I've been doing these tests on Karmic using the Lucid winbind pam-config.

  When trying to change the user's password using the Lucid winbind pam-config, I get the following:

  $ passwd
  passwd: Authentication token manipulation error
  passwd: password unchanged

  I've attached a patch for the winbind pam-config which at least recognizes the username, but I still get the following error:

  $ passwd
  Changing password for EXAMPLE\user
  (current) NT password:
  passwd: Authentication token manipulation error
  passwd: password unchanged

  Some more details about the diff patch:

  1. For the auth module, I've changed 'try_first_pass' to 'use_first_pass' so that it insists that the credentials used for authentication are the ones initially entered by the user. Whether that's a good thing or not, I have no idea. 'try_first_pass' might be a better idea if there is a chance that the username exists in both /etc/passwd and active directory but have different passwords.

  2. I've changed the 'Password-Type' from 'Additional' to 'Primary'. With the 'Additional' setting, any failure in pam_unix.so (e.g. user does not exist in /etc/passwd) means that pam_deny.so is the next module so pam_winbind.so is never executed. For both 'Password' and 'Password-Initial', I've changed the control from 'requisite' to '[success=end default=ignore]' so that it stacks properly with any other module that may also be in use.

  3. I've added pam_mkhomedir.so as an optional module in the session type since it uses /etc/skel while the 'mkhomedir' argument for pam_winbind.so does not. Again, whether this is a good thing or not, I have no idea.
+ 
+ P.S. Apologies if the diff patch contains more than that which is
+ relevant with this issue.
[Bug 556996] [NEW] winbind pam-config potentially breaks stacking with modules of lower priority in common-passwd
Public bug reported:

Binary package hint: samba

Using requisite control for Password and Password-Initial in /usr/share/pam-configs/winbind potentially breaks stacking if there are other modules of lower priority.

FIX: Change requisite to [success=end default=ignore] for both Password and Password-Initial

** Affects: samba (Ubuntu)
     Importance: Low
         Status: Triaged

** Affects: samba (Ubuntu Lucid)
     Importance: Low
         Status: New

https://bugs.launchpad.net/bugs/556996
[Bug 549508] Re: Can't resolve realm kdc with a fully qualified hostname
This configuration file works.

** Attachment added: krb5.conf
   http://launchpadlibrarian.net/42445545/krb5.conf

https://bugs.launchpad.net/bugs/549508
[Bug 549508] Re: Can't resolve realm kdc with a fully qualified hostname
This configuration file doesn't work.

** Attachment added: krb5.conf
   http://launchpadlibrarian.net/42445566/krb5.conf
[Bug 549527] Re: Cannot find domain controller when joining a domain
Aha! Good point there pinging the domain. host example.local resolves it but ping example.local doesn't. The problem may be somewhere else.

I have the following in my /etc/resolv.conf:

snip
domain example.local
search example.local
nameserver 192.168.7.1
nameserver 192.168.7.254
/snip

host example.local resolves to the following:

snip
example.local has address 192.168.7.1
example.local has address 192.168.8.5
example.local has address 192.168.9.5
example.local mail is handled by 10 mail.example.local.
/snip

Out of these, 192.168.8.5 and 192.168.9.5 are unreachable since they're on a different subnet. I can successfully get a TGT with kinit.

As for smb.conf, I have the required minimum:

snip
workgroup = EXAMPLE
realm = EXAMPLE.LOCAL
security = ads
/snip

What's curious though is that I have a Fedora 12 box on the same subnet with the same configuration that can resolve and ping the domain with no problem. It has no problem finding the domain controller and joining the domain.

Thanks.

https://bugs.launchpad.net/bugs/549527
[Bug 549508] Re: Can't resolve realm kdc with a fully qualified hostname
May be related to https://bugs.launchpad.net/ubuntu/+source/iputils/+bug/551389
[Bug 549535] Re: Failed to join domain: failed to connect to AD: Operations error
It seems to be reproducible since I've encountered the same error on multiple Karmic systems. I've attached a tarball of all the related configuration files I know of. Once all configuration files are in place, trying to join the domain results in the error mentioned.

** Attachment added: ads.tar.gz
   http://launchpadlibrarian.net/42452488/ads.tar.gz

https://bugs.launchpad.net/bugs/549535
[Bug 549535] Re: Failed to join domain: failed to connect to AD: Operations error
Sorry, it seems I've been barking up the wrong tree here. It seems to be a conflict with the .local TLD I'm using and avahi.
[Bug 549527] Re: Cannot find domain controller when joining a domain
Sorry, it seems I've been barking up the wrong tree here. It seems to be a conflict with the .local TLD I'm using and avahi.
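One common way a .local domain and avahi collide, as an added example that is not part of the original bug reports: the thread does not show the reporter's nsswitch.conf, so this assumes a `hosts:` line in which an mDNS-only source such as `mdns4_minimal [NOTFOUND=return]` is listed before `dns`. In that arrangement NSS-based lookups (ping, and libraries that use the system resolver) stop at mDNS for *.local names, while `host` queries the DNS server directly and still succeeds. The function names and sample lines are constructed.

```python
import re


def parse_hosts_line(nsswitch_text):
    """Return the hosts: entry as [(source, [actions])] in lookup order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line.lower().startswith("hosts:"):
            continue
        entries = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[1]):
            if tok.startswith("["):
                # An action list such as [NOTFOUND=return] applies to the
                # source named immediately before it.
                if entries:
                    entries[-1][1].extend(tok.strip("[]").upper().split())
            else:
                entries.append((tok, []))
        return entries
    return []


def local_shadowed_by_mdns(nsswitch_text, name):
    """True if lookups for a *.local name stop at an mDNS-only source
    (NOTFOUND=return) before the 'dns' source is ever consulted."""
    if not name.lower().rstrip(".").endswith(".local"):
        return False
    for source, actions in parse_hosts_line(nsswitch_text):
        if source == "dns":
            return False                               # unicast DNS is reached first
        if (source.startswith("mdns") and source.endswith("_minimal")
                and "NOTFOUND=RETURN" in actions):
            return True
    return False


# Constructed sample lines: mDNS ahead of DNS, and DNS ahead of mDNS.
MDNS_FIRST = "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4\n"
DNS_FIRST = "hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4\n"

if __name__ == "__main__":
    for label, conf in (("mdns first", MDNS_FIRST), ("dns first", DNS_FIRST)):
        print(label, local_shadowed_by_mdns(conf, "dc.example.local"))
```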
[Bug 549508] Re: Can't resolve realm kdc with a fully qualified hostname
Sorry, it seems I've been barking up the wrong tree here. It seems to be a conflict with the .local TLD I'm using and avahi.
[Bug 549508] [NEW] Can't resolve realm kdc with a fully qualified hostname
Public bug reported:

If a realm is specified as the following in /etc/krb5.conf:

    [realms]
    EXAMPLE.LOCAL = {
        kdc = auth.example.local
    }

I get the following:

    $ kinit user
    kinit: Cannot resolve network address for KDC in realm EXAMPLE.LOCAL while getting initial credentials

If it's specified as kdc = auth, it works fine.

I have the following in my /etc/resolv.conf:

    domain example.local
    search example.local

EDIT: Forgot to mention, this is happening on Karmic.

** Affects: krb5 (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  If a realm is specified as the following in /etc/krb5.conf:

  [realms]
  EXAMPLE.LOCAL = {
- kdc = auth.example.local
+ kdc = auth.example.local
  }

  I get the following:

  $ kinit user
  kinit: Cannot resolve network address for KDC in realm EXAMPLE.LOCAL while getting initial credentials

  If it's specified as kdc = auth, it works fine.

  i have the following in my /etc/resolv.conf:

  domain example.local
  search example.local
- 
- auth.example.local is a Windows 2003 domain controller.
+ 
+ EDIT: Forgot to mention, this is happening on Karmic.
[Bug 549527] [NEW] Cannot find domain controller when joining a domain
Public bug reported:

Binary package hint: samba

When I try to join a domain, I get the following:

    $ sudo net ads join -U admin
    Enter admin's password:
    Failed to join domain: failed to find DC for domain EXAMPLE.LOCAL

Using 'sudo net ads join -U admin -S DC' works.

This seems to be specific to Ubuntu since another distro (Fedora 12) on the same network doesn't have any problem finding the domain controller.

This problem occurs on Karmic.

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  Binary package hint: samba

  When I try to join a domain, I get the following:

  $ sudo net ads join -U admin
  Enter admin's password:
  Failed to join domain: failed to find DC for domain EXAMPLE.LOCAL

  Using 'sudo net ads join -U admin -S DC' works.

  This seems to be specific to Ubuntu since another distro (Fedora 12) on the same network doesn't have any problem finding the domain controller.
+ 
+ This problem occurs on Karmic.
[Bug 549535] [NEW] Failed to join domain: failed to connect to AD: Operations error
Public bug reported:

Binary package hint: samba

Running 'net ads join -U admin -S DC -d 3' on Karmic gives me the following:

    [2010/03/27 21:06:04, 3] libads/ldap.c:621(ads_connect)
      Successfully contacted LDAP server 192.168.0.1
    [2010/03/27 21:06:09, 2] libads/ldap.c:74(ldap_open_with_timeout)
      Could not open connection to LDAP server dc.example.local:389: No such file or directory
    [2010/03/27 21:06:09, 1] libnet/libnet_join.c:1902(libnet_Join)
      libnet_Join:
          libnet_JoinCtx: struct libnet_JoinCtx
              out: struct libnet_JoinCtx
                  account_name : NULL
                  netbios_domain_name : 'EXAMPLE'
                  dns_domain_name : 'example.local'
                  forest_name : 'example.local'
                  dn : NULL
                  domain_sid : *
                      domain_sid : S-1-5-21-959354272-2033366336-421042676
                  modified_config : 0x00 (0)
                  error_string : 'failed to connect to AD: Operations error'
                  domain_is_ad : 0x01 (1)
                  result : WERR_GENERAL_FAILURE
    Failed to join domain: failed to connect to AD: Operations error
    [2010/03/27 21:06:09, 2] utils/net.c:779(main)
      return code = -1

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New