Stefan Heß
2013-Dec-03 13:08 UTC
[Samba] winbind when machine account is not allowed to read users from ad
Hi,

I want to use samba winbind (3.6.18 - Ubuntu) to login to a machine using ads. The problem I have is that the ad server (win 2008) does not grant read access to the user list for the machine account. Only each user can read his own entry. Due to the privacy policy this behaviour can not be changed.

How do I tell winbind to use the user account to look up the user and not use the machine account?

Kerberos is working fine: kinit user at DOMAIN.NET gives a ticket.
Also ntlm_auth is working:
ntlm_auth --username=USER -> NT_STATUS_OK: Success (0x0)

wbinfo -u only shows local users and old (deprecated) domain users.
wbinfo -g works normally. (groups are readable by machine accounts)

For idmap we use the rid mechanism.

Has anybody a hint how to solve this issue?

smb.conf

[global]
workgroup = DOMAIN
realm = DOMAIN.NET
server string = %h
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = ...
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
template homedir = /home/%U
template shell = /bin/bash
winbind cache time = 3600
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
idmap config DOMAIN:range = 10000-999999
idmap config DOMAIN:backend = rid
idmap config * : range = 2000-9999
idmap config * : backend = tdb
valid users = %U

/var/log/auth.log:

login[739]: pam_unix(login:auth): check pass; user unknown
login[739]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost
login[739]: pam_winbind(login:auth): [pamh: 0x190d460] ENTER: pam_sm_authenticate (flags: 0x0000)
login[739]: pam_winbind(login:auth): getting password (0x00004389)
login[739]: pam_winbind(login:auth): pam_get_item returned a password
login[739]: pam_winbind(login:auth): Verify user 'USER'
login[739]: pam_winbind(login:auth): PAM config: krb5_ccache_type 'FILE'
login[739]: pam_winbind(login:auth): [pamh: 0x190d460] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
login[739]: pam_krb5(login:auth): user ac111286 authenticated as USER at DOMAIN.NET
login[739]: pam_unix(login:account): could not identify user (from getpwnam(USER))
login[739]: Authentication failure

Thanks
Stefan
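The pattern in the log above is worth picking out mechanically: pam_krb5 accepts the password, yet pam_unix's account phase cannot resolve the user through getpwnam(), so the failure is in NSS/winbind name resolution rather than in the credentials. The following Python script is an added example, not part of the original thread or of Samba; it parses auth.log lines of this shape, groups them by PID and labels the attempt as an identity-lookup failure rather than a credential failure. The sample log is constructed from the excerpt in the post (with the archive's "USER at DOMAIN.NET" written back as "USER@DOMAIN.NET"), and the label names and the diagnose()/classify() functions are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the auth.log excerpt from the post, one entry per line
# (the list archive's "USER at DOMAIN.NET" is written back as "USER@DOMAIN.NET").
SAMPLE_LOG = """\
login[739]: pam_unix(login:auth): check pass; user unknown
login[739]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=
login[739]: pam_winbind(login:auth): [pamh: 0x190d460] ENTER: pam_sm_authenticate (flags: 0x0000)
login[739]: pam_winbind(login:auth): getting password (0x00004389)
login[739]: pam_winbind(login:auth): pam_get_item returned a password
login[739]: pam_winbind(login:auth): Verify user 'USER'
login[739]: pam_winbind(login:auth): PAM config: krb5_ccache_type 'FILE'
login[739]: pam_winbind(login:auth): [pamh: 0x190d460] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
login[739]: pam_krb5(login:auth): user ac111286 authenticated as USER@DOMAIN.NET
login[739]: pam_unix(login:account): could not identify user (from getpwnam(USER))
login[739]: Authentication failure
"""

# "<service>[<pid>]: pam_<module>(<service>:<type>): <message>"; the module
# part is optional because the final "Authentication failure" line lacks it.
LINE_RE = re.compile(
    r"^(?P<service>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?:(?P<module>pam_\w+)\((?P<svc>[\w.-]+):(?P<type>\w+)\): )?"
    r"(?P<msg>.*)$"
)

# Diagnosis labels (hypothetical names chosen for this example).
OK = "success"
BAD_CREDENTIALS = "authentication-failed"
IDENTITY_LOOKUP = "identity-lookup-failed"
UNDETERMINED = "undetermined"


def parse(log_text):
    """Group PAM log entries by the calling process's PID."""
    attempts = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            attempts[m["pid"]].append((m["module"], m["type"], m["msg"]))
    return attempts


def classify(entries):
    """Summarise one login attempt: which module verified the password, which
    modules could not find the user, and whether the account phase failed."""
    summary = {
        "authenticated_by": None,
        "user_unknown_in": [],
        "account_lookup_failed": False,
        "final_failure": False,
    }
    for module, ptype, msg in entries:
        if module == "pam_krb5" and "authenticated as" in msg:
            summary["authenticated_by"] = module
        elif module == "pam_winbind" and "PAM_USER_UNKNOWN" in msg:
            summary["user_unknown_in"].append(module)
        elif module == "pam_unix" and ptype == "auth" and "user unknown" in msg:
            summary["user_unknown_in"].append(module)
        elif ptype == "account" and "could not identify user" in msg:
            summary["account_lookup_failed"] = True
        elif module is None and msg == "Authentication failure":
            summary["final_failure"] = True

    if summary["authenticated_by"] and summary["account_lookup_failed"]:
        # The password was verified, but getpwnam() cannot resolve the user:
        # the problem is NSS/winbind name resolution, not the credentials.
        summary["diagnosis"] = IDENTITY_LOOKUP
    elif summary["final_failure"]:
        summary["diagnosis"] = BAD_CREDENTIALS
    elif summary["authenticated_by"]:
        summary["diagnosis"] = OK
    else:
        summary["diagnosis"] = UNDETERMINED
    return summary


def diagnose(log_text):
    """Map every PID seen in the log to its classification."""
    return {pid: classify(entries) for pid, entries in parse(log_text).items()}


if __name__ == "__main__":
    for pid, s in diagnose(SAMPLE_LOG).items():
        print(pid, s["diagnosis"], "authenticated_by=%s user_unknown_in=%s"
              % (s["authenticated_by"], s["user_unknown_in"]))
```

For the posted excerpt the script reports PID 739 as identity-lookup-failed with pam_krb5 as the module that verified the password and both pam_unix and pam_winbind reporting the user as unknown, which is the signature to look for when winbind cannot read the account from the directory: the next check is whether getent passwd or wbinfo -i can resolve the name at all.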
steve
2013-Dec-03 14:30 UTC
[Samba] winbind when machine account is not allowed to read users from ad
On Tue, 2013-12-03 at 14:08 +0100, Stefan Heß wrote:
> /var/log/auth.log:
>
> login[739]: pam_unix(login:auth): check pass; user unknown
> login[739]: pam_unix(login:auth): authentication failure; logname=LOGIN
> uid=0 euid=0 tty=/dev/tty2 ruser= rhost
> login[739]: pam_winbind(login:auth): [pamh: 0x190d460] ENTER:
> pam_sm_authenticate (flags: 0x0000)
> login[739]: pam_winbind(login:auth): getting password (0x00004389)
> login[739]: pam_winbind(login:auth): pam_get_item returned a password
> login[739]: pam_winbind(login:auth): Verify user 'USER'
> login[739]: pam_winbind(login:auth): PAM config: krb5_ccache_type 'FILE'
> login[739]: pam_winbind(login:auth): [pamh: 0x190d460] LEAVE:
> pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
> login[739]: pam_krb5(login:auth): user ac111286 authenticated as
> USER at DOMAIN.NET
> login[739]: pam_unix(login:account): could not identify user (from
> getpwnam(USER))
> login[739]: Authentication failure
>
>
> Thanks
> Stefan
>

Hi
I think your pam stack is in the wrong order or has the wrong options. RU allowed to post it?
Cheers,
Steve
Andrew Bartlett
2013-Dec-08 18:07 UTC
[Samba] winbind when machine account is not allowed to read users from ad
On Tue, 2013-12-03 at 14:08 +0100, Stefan Heß wrote:
> Hi,
>
> I want to use samba winbind (3.6.18 - Ubuntu) to login to a machine
> using ads. The problem I have is that the ad server (win 2008) does not
> grant read access to the user list for the machine account. Only each
> user can read his own entry. Due to the privacy policy this behaviour
> can not be changed.
> How do I tell winbind to use the user account to look up the user and
> not use the machine account?
> Kerberos is working fine: kinit user at DOMAIN.NET gives a ticket.
> Also ntlm_auth is working:
> ntlm_auth --username=USER -> NT_STATUS_OK: Success (0x0)
>
> wbinfo -u only shows local users and old (deprecated) domain users.
> wbinfo -g works normally. (groups are readable by machine accounts)
>
> For idmap we use the rid mechanism.
>
> Has anybody a hint how to solve this issue?

Which type of login is this? Access over SMB or local user login?

Either way, this is a very interesting restriction we have not come across before.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba