Sorry to take some of your time again. I was playing around a little bit with winbindd today. I compiled samba-2.2.2 with winbind and PAM support. Everything seems to work fine, but:

I can getent passwd and the users resolve fine. I can finger the user with FHS-HAGENBERG+user; this works fine too. But I can't chown a file to a domain user; I get "illegal user name".

Also, I was not able to set up PAM correctly. I first tried login (console). I got the following errors in the log when I try to log in:

    Nov 30 15:04:57 wostok login[7416]: FAILED LOGIN 1 FROM /dev/tty1 FOR as, Authentication failure
    Nov 30 15:05:07 wostok pam_winbind[7416]: user 'FHS-HAGENBERG+as' granted acces
    Nov 30 15:05:07 wostok login[7416]: User not known to the underlying authentication module
    Nov 30 15:05:59 wostok pam_winbind[28292]: user 'FHS-HAGENBERG+as' granted acces
    Nov 30 15:05:59 wostok login[28292]: User not known to the underlying authentication module

It seems that pam_winbind is working. My PAM login file looks like this:

    auth     required   /lib/security/pam_securetty.so
    auth     required   /lib/security/pam_nologin.so
    auth     sufficient /lib/security/pam_winbind.so
    auth     required   /lib/security/pam_unix.so use_first_pass shadow nullok
    account  required   /lib/security/pam_winbind.so

I am using pam_unix.so instead of pam_pwdb.so; might this be the problem? I don't have this pam_pwdb.so on my SuSE system. It is replaced by pam_unix.so. I have tried to compile pam_pwdb.so but it means it cannot be compiled on my system. Or am I missing anything else?

wbinfo -t says that the secret is wrong, but I don't know how I can make it right. If I try to join the domain with a command like this:

    smbpasswd -j FHS-HAGENBERG -r ad3 -U Administrator

I get the following error messages:

    failed session setup
    Error connecting to ad3
    Unable to join domain FHS-HAGENBERG.

It doesn't matter what user account I take, it's the same. When I use

    smbpasswd -j FHS-HAGENBERG -r ad3

I get a success in joining the domain.

As I said, Samba is working fine if I create the user locally (it authenticates the user with the domain). We have W2KSP2 as domain controllers. My smb.conf looks like this:

    [global]
    winbind separator = +
    winbind cache time = 10
    template shell = /bin/bash
    template homedir = /home/%U
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    workgroup = FHS-HAGENBERG
    encrypt passwords = yes
    security = DOMAIN
    password server = ad3
    netbios name = WOSTOK
    socket options = IPTOS_LOWDELAY TCP_NODELAY
    os level = 0
    wins support = no
    preferred master = no
    local master = no
    debug level = 0
    log level = 1
    mangled names = yes
    default case = lower
    case sensitive = no
    preserve case = yes
    short preserve case = yes
    kernel oplocks = no
    oplocks = true
    level2 oplocks = True
    max connections = 0
    max smbd processes = 0
    strict sync = no

Alexander Seitz (Alexander.Seitz@fhs-hagenberg.ac.at)
System Administrator (sysadmin@fhs-hagenberg.ac.at)
FHS Hagenberg (www.fhs-hagenberg.ac.at)
Hauptstrasse 117
4232 Hagenberg
AUSTRIA
Tel.: +43 7236 3888 2151
Fax.: +43 7236 3888 62151
______
Live long and prosper. - Vulcan proverb
And eat well. - Jewish addendum to Vulcan proverb
Feast on your enemies! - Klingon interpretation of Jewish addendum to Vulcan proverb
Jesus saves, but only Buddha makes incremental backups

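Added example, not part of the original post: a small model of how Linux-PAM combines the control flags in the login stack quoted above, showing which modules are consulted in each phase. The module outcomes passed to `evaluate` are assumed inputs chosen for illustration, and only `required`, `requisite` and `sufficient` are modelled.

```python
# Added illustration: models Linux-PAM control flags for the stack quoted in the post.
PAM_LOGIN = """\
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_nologin.so
auth     sufficient /lib/security/pam_winbind.so
auth     required   /lib/security/pam_unix.so use_first_pass shadow nullok
account  required   /lib/security/pam_winbind.so
"""

def parse(text, phase):
    """Return [(control, module_name)] for one phase (auth, account, ...)."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == phase:
            stack.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, outcome):
    """outcome maps module name -> True (PAM_SUCCESS) or False (any error).
    Returns (phase_result, modules_actually_called)."""
    called, required_failed, any_success = [], False, False
    for control, module in stack:
        ok = outcome[module]
        called.append(module)
        if ok:
            any_success = True
            if control == "sufficient" and not required_failed:
                return True, called      # stop here; later modules never run
        elif control == "requisite":
            return False, called         # fail immediately
        elif control == "required":
            required_failed = True       # remembered, but the stack keeps going
        # a failing "sufficient" module is simply ignored
    return (any_success and not required_failed), called

# Assumed outcomes: a domain-only account that pam_unix does not know.
DOMAIN_USER = {"pam_securetty.so": True, "pam_nologin.so": True,
               "pam_winbind.so": True, "pam_unix.so": False}

if __name__ == "__main__":
    for phase in ("auth", "account"):
        print(phase, evaluate(parse(PAM_LOGIN, phase), DOMAIN_USER))
```

The model shows only which modules the stack consults for a given set of outcomes; it does not determine which component emitted the "User not known" line in the log.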
I am using RH 7.1 and Samba 2.2.2 with winbindd. While it generally seems to be working, group permissions are giving me a problem. Group ownership for a specific directory is established as 10007, which translates to my NT domain's Domain Admins group. I am trying to access the directory through a share using a Windows 2000 workstation. The group has RWX permissions, yet, as a member of that group, I can't save a file to that directory. I have to change the world to RWX. Then when I save a file, it shows the owner as nobody.

The smb.conf pertaining to that share looks like this:

    [Intranet]
    path = /usr/local/apache/htdocs/
    read only = No
    guest ok = Yes
    browseable = No

It appears that I may have a disconnect between winbindd and Samba, but I don't know what. Any ideas? I'm not a member of the list, so please respond privately. Thanks.

Carl Carpenter
IT Manager
Hill Country Community MHMR Center
"Hiroshima 1945, Chernobyl 1986, Windows 2000"

Rebuilding the Redhat 7.2 samba rpm from the sources worked well on Redhat 7.1; also, upgrading was smooth. I want to remind people that winbindd before 2.2.3 has a memory leak, so that in the end I had to kill the process all the time. So people having problems with winbindd should upgrade their Samba to 2.2.3a. I also experienced that winbindd dies unexpectedly if you select security=server in smb.conf. Good luck.

Hi,
Is there a method or a patch to automount a user home dir using its given credentials during authentication?
It could be:
- Asks password
- Give it to PAM to authenticate (password)
- session or account of PAM could mount the home dir from //server/Users/%U => /home/winbind/%U using the previously checked password

This would give the same user home dir on NT and Linux.

Anyone?
-jec

--
Jean-Eric Cuendet
Linkvest SA
Av des Baumettes 19, 1020 Renens Switzerland
Tel +41 21 632 9043 Fax +41 21 632 9090
E-mail: jean-eric.cuendet@linkvest.com
http://www.linkvest.com

On Friday 6 September 2002 01:17, Jean-Eric Cuendet wrote:
> Hi,
> Is there a method or a patch to automount a user home dir using its
> given credentials during authentication?
> It could be:
> - Asks password
> - Give it to PAM to authenticate (password)
> - session or account of PAM could mount the home dir from
> //server/Users/%U => /home/winbind/%U using the previously checked password
>
> This would give the same user home dir on NT and Linux
>
> Anyone?
> -jec

pam_mount does that. http://pam-mount.conectevil.com/

--
Sylvestre Taburet - 1024D/030E1B7E
sylvestre.taburet@free.fr

Hi all,

As I heard, I need winbind to connect Linux clients to Samba. I installed this without PAM (in the hope this would work...), but this constellation seems to be needed, as I still cannot connect, even if winbind logs my domain as accepted. Do I really have to do the PAM configuration on the Samba server side too? I just thought it was enough to authenticate against smbpasswd. Is there always a comparison against /etc/passwd done because of access rights?

Thanks for any info.

The message I got from Jerry Carter yesterday says that Winbindd is only required for trust accounts between 2 domains. I was confused also; the documentation seems to lead one to the contrary.

--
Kent L. Nasveschuk <kent@wareham.k12.ma.us>

> * a Samba server that is a member of a Windows domain should
> run winbindd to allocate IDs for users/groups in its own
> domain and trusted domains.
>

In my specific situation, the UNIX IDs are set up first so they don't conflict with legacy systems/GIDs/UIDs, NT user names match the UNIX user names, and users maintain their own UNIX and NT passwords separately, i.e. it's up to them to make them the same. In this specific situation, winbindd is going to do more harm than good, if I understand correctly. Right? If it's only a member server then it would have to be getting its information from the resource domain BDC, and by the definition above this information is all wrong (other than the username and password), so it would be pointless. Or am I missing something? Where does PAM fit into this?
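
Added example, not written by any poster in this thread: one way to check the ID-conflict concern raised above, by testing whether any local account or group already uses an ID inside the `winbind uid` / `winbind gid` ranges from the smb.conf quoted in the first message. The passwd and group entries are constructed sample data, and the function names are hypothetical.

```python
import re

# The two range lines are taken from the smb.conf quoted earlier in the thread.
SMB_CONF = """\
[global]
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
"""

# Constructed sample data in /etc/passwd and /etc/group format (not from the thread).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
as:x:500:100:Local admin:/home/as:/bin/bash
legacy:x:10007:100:Old NIS account:/home/legacy:/bin/bash
"""
GROUP = """\
users:x:100:
webteam:x:10007:legacy
"""

def winbind_range(conf, kind):
    """Return the inclusive ID range configured as 'winbind uid' or 'winbind gid'."""
    m = re.search(rf"^[ \t]*winbind {kind}[ \t]*=[ \t]*(\d+)[ \t]*-[ \t]*(\d+)",
                  conf, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError(f"no 'winbind {kind}' range in configuration")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"'winbind {kind}' range is reversed: {low}-{high}")
    return range(low, high + 1)

def collisions(db_text, id_range):
    """List (name, id) for entries whose third field (UID or GID) is in id_range."""
    hits = []
    for line in db_text.splitlines():
        fields = line.split(":")
        if len(fields) > 2 and fields[2].isdigit() and int(fields[2]) in id_range:
            hits.append((fields[0], int(fields[2])))
    return hits

def check(conf, passwd_text, group_text):
    """Local users and groups that winbindd could shadow or be shadowed by."""
    return {"uid": collisions(passwd_text, winbind_range(conf, "uid")),
            "gid": collisions(group_text, winbind_range(conf, "gid"))}

if __name__ == "__main__":
    print(check(SMB_CONF, PASSWD, GROUP))
```

An empty result for both keys means the winbind ranges are disjoint from the IDs already assigned locally; on a live system the two text inputs would be the contents of /etc/passwd and /etc/group.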