Robert M. Martel
2005-Jun-21 18:08 UTC
[Samba] Active directory authentication and Solaris 9 problems
Greetings,

I currently have Samba 3.0.14a built using gcc 3.2.2 on a Solaris 9/Sparc box. This Samba server is a member server of our Active Directory (AD) domain called "CSUNET". When logged onto a Windows client machine as an AD user I can see and access resources on the Solaris server.

I've been trying to get PAM working with pam_winbind.so and correctly configured. So far I am unable to log onto the Solaris box as an AD user. If I am root, I can "su" to an AD user. If I am not root, I cannot "su" to an AD user. I cannot log on to the machine at all with an AD account, only the ones available in /etc/passwd - for which I am password prompted twice.

/etc/nsswitch is set with the following:

passwd: files winbind
group:  files winbind

I think I have my /etc/pam.conf set up as it should be (at bottom of this message.) I don't know if I missed something there, if there is a problem with my build of samba - or supporting software - or if the issue is with our Active Directory server. The AD server is Windows 2003 vanilla. The people in charge of it DO NOT want to make any sort of change from the Microsoft stock configuration.

Any ideas will be appreciated. I was able to get a SuSE 9.2 configured to work with AD and allow logins, but the Solaris machine seems to enjoy being more of a challenge.

In /var/adm/messages I see:

-----------
Jun 21 13:39:13 techops pam_winbind[4648]: [ID 467601 auth.error] request failed: No such user, PAM error was 13, NT error was NT_STATUS_NO_SUCH_USER
Jun 21 13:39:15 techops last message repeated 1 time
Jun 21 13:40:56 techops su[4658]: [ID 810491 auth.crit] 'su 1001362' failed for bob on /dev/pts/7
-----------

From the winbind log it looks like winbind is getting correct info from the AD server - the UID and GID I see are correct, then it becomes unhappy around the end with "client_read: read 0 bytes. Need 1824 more for a full request" (A more complete copy if anyone wants to look at it is at: http://urban.csuohio.edu/~bob/samba3/smblog.winbindd.txt )

---------------------------------------------------
...
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_id_from_sid(228)
  internal_get_id_from_sid: record S-1-5-21-3414352988-972178952-4124595837-91888 -> UID 10000
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_id_from_sid(243)
  internal_get_id_from_sid: ID_USERID fetching record S-1-5-21-3414352988-972178952-4124595837-91888 -> UID 10000
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_sid_from_id(190)
  internal_get_sid_from_id: fetching record UID 10000
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_sid_from_id(196)
  internal_get_sid_from_id: fetching record UID 10000 -> S-1-5-21-3414352988-972178952-4124595837-91888
[2005/06/21 13:40:56, 10] sam/idmap_util.c:idmap_sid_to_uid(157)
  idmap_sid_to_uid: uid = [10000]
[2005/06/21 13:40:56, 10] sam/idmap_util.c:idmap_sid_to_gid(179)
  sid_to_gid: sid = [S-1-5-21-3414352988-972178952-4124595837-513]
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:db_get_id_from_sid(315)
  db_get_id_from_sid
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_id_from_sid(221)
  internal_get_id_from_sid: fetching record S-1-5-21-3414352988-972178952-4124595837-513 of type 0x2
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_id_from_sid(228)
  internal_get_id_from_sid: record S-1-5-21-3414352988-972178952-4124595837-513 -> GID 10000
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_id_from_sid(262)
  internal_get_id_from_sid: ID_GROUPID fetching record S-1-5-21-3414352988-972178952-4124595837-513 -> GID 10000
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_sid_from_id(190)
  internal_get_sid_from_id: fetching record GID 10000
[2005/06/21 13:40:56, 10] sam/idmap_tdb.c:internal_get_sid_from_id(196)
  internal_get_sid_from_id: fetching record GID 10000 -> S-1-5-21-3414352988-972178952-4124595837-513
[2005/06/21 13:40:56, 10] sam/idmap_util.c:idmap_sid_to_gid(187)
  idmap_sid_to_gid: gid = [10000]
[2005/06/21 13:40:56, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 1300 bytes.
[2005/06/21 13:40:56, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2005/06/21 13:40:56, 5] nsswitch/winbindd.c:winbind_client_read(477)
  read failed on sock 21, pid 4658: EOF
[2005/06/21 13:40:56, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2005/06/21 13:40:56, 5] nsswitch/winbindd.c:winbind_client_read(477)
  read failed on sock 20, pid 4658: EOF
-------------------------------------------------

/etc/pam.conf

# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login	auth	required	/usr/lib/security/pam_winbind.so debug
login	auth	requisite	pam_authtok_get.so.1
login	auth	required	pam_dhkeys.so.1
login	auth	required	pam_unix_auth.so.1 try_first_pass
login	auth	required	pam_dial_auth.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin	auth	sufficient	/usr/lib/security/pam_winbind.so debug
rlogin	auth	sufficient	pam_rhosts_auth.so.1
rlogin	auth	requisite	pam_authtok_get.so.1
rlogin	auth	required	pam_dhkeys.so.1
rlogin	auth	required	pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh	auth	sufficient	pam_rhosts_auth.so.1
other	auth	sufficient	/usr/lib/security/pam_winbind.so debug
rsh	auth	required	pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp	auth	requisite	pam_authtok_get.so.1
ppp	auth	required	pam_dhkeys.so.1
ppp	auth	required	pam_unix_auth.so.1
ppp	auth	required	pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other	auth	sufficient	/usr/lib/security/pam_winbind.so debug
other	auth	requisite	pam_authtok_get.so.1
other	auth	required	pam_dhkeys.so.1
other	auth	required	pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd	auth	required	pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron	account	required	pam_projects.so.1
cron	account	required	pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other	account	requisite	pam_roles.so.1
other	account	required	pam_projects.so.1
other	account	required	pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other	session	required	pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other	password	required	pam_dhkeys.so.1
other	password	requisite	pam_authtok_get.so.1
other	password	requisite	pam_authtok_check.so.1
other	password	required	pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin	auth	optional	pam_krb5.so.1 try_first_pass
#login	auth	optional	pam_krb5.so.1 try_first_pass
#other	auth	optional	pam_krb5.so.1 try_first_pass
#cron	account	optional	pam_krb5.so.1
#other	account	optional	pam_krb5.so.1
#other	session	optional	pam_krb5.so.1
#other	password	optional	pam_krb5.so.1 try_first_pass

Much thanks to anyone that looked at this whole, long message.

-Bob

-- 
***********************************************************************
Bob Martel, System Administrator        I met someone who looks a lot like you
Levin College of Urban Affairs          She does the things you do
Cleveland State University              But she is an IBM
(216) 687-2214 bob@urban.csuohio.edu    -Jeff Lynne
***********************************************************************
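Added example (not part of the original post, and not Samba's or Sun's code): a small linter for Solaris-style /etc/pam.conf auth stacks, of the kind an editor would run over the configuration above before asking why a login prompts twice. It encodes two general PAM facts: pam_winbind prompts for a password on its own unless it is handed an existing token via use_first_pass/try_first_pass (so it needs to come after pam_authtok_get.so.1 to share one prompt), and a "required" module's failure is recorded against the stack rather than ignored as a "sufficient" one would be. The sample config is a constructed, condensed copy of the login and default auth stacks in the post; the finding codes and rules are this example's own heuristics, not Samba documentation, and are labelled as such in the code.

```python
"""Added example: lint Solaris-style /etc/pam.conf auth stacks.

Line format:  service  module_type  control_flag  module_path  [options...]

Heuristics (this example's own, not Samba's):
  * pam_winbind should sit after pam_authtok_get.so.1 and carry use_first_pass
    or try_first_pass, otherwise it collects its own password and the stack
    prompts a second time later on;
  * a 'required' pam_winbind records its failure against the whole stack,
    so a user unknown to winbind is not silently passed on to pam_unix_auth.
"""
from collections import defaultdict

# Constructed sample: condensed login / default stacks modelled on the post.
SAMPLE_PAM_CONF = """\
# login service (explicit because of pam_dial_auth)
login   auth    required    /usr/lib/security/pam_winbind.so debug
login   auth    requisite   pam_authtok_get.so.1
login   auth    required    pam_dhkeys.so.1
login   auth    required    pam_unix_auth.so.1 try_first_pass
login   auth    required    pam_dial_auth.so.1 try_first_pass
# default definitions
other   auth    sufficient  /usr/lib/security/pam_winbind.so debug
other   auth    requisite   pam_authtok_get.so.1
other   auth    required    pam_dhkeys.so.1
other   auth    required    pam_unix_auth.so.1
other   account requisite   pam_roles.so.1
other   account required    pam_unix_account.so.1
"""

WINBIND = "pam_winbind.so"
TOKEN_GETTER = "pam_authtok_get.so.1"
FIRST_PASS_OPTS = {"use_first_pass", "try_first_pass"}


def parse_pam_conf(text):
    """Return {(service, module_type): [(control, module_basename, [opts])]}
    with entries kept in file order, comments and blank lines dropped."""
    stacks = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected 'service type control module'")
        service, mtype, control, module = fields[:4]
        # Keep only the basename so /usr/lib/security/pam_winbind.so and a
        # bare pam_winbind.so compare equal.
        stacks[(service, mtype)].append(
            (control.lower(), module.rsplit("/", 1)[-1], fields[4:]))
    return dict(stacks)


def lint_auth_stacks(stacks):
    """Return a list of (service, code, message) findings for auth stacks."""
    findings = []
    for (service, mtype), entries in stacks.items():
        if mtype != "auth":
            continue
        modules = [module for _, module, _ in entries]
        if WINBIND in modules and TOKEN_GETTER in modules:
            wb_idx = modules.index(WINBIND)
            wb_opts = set(entries[wb_idx][2])
            # Either ordering fault produces its own password prompt from
            # pam_winbind, followed by pam_authtok_get's prompt.
            if wb_idx < modules.index(TOKEN_GETTER) or not (wb_opts & FIRST_PASS_OPTS):
                findings.append((service, "double-prompt",
                                 f"{WINBIND} does not reuse the token from "
                                 f"{TOKEN_GETTER}: move it after that module and "
                                 "add use_first_pass (or try_first_pass)"))
        for control, module, _ in entries:
            if module == WINBIND and control == "required":
                findings.append((service, "winbind-required",
                                 f"{WINBIND} is 'required': a winbind rejection "
                                 "counts against the whole stack instead of "
                                 "being ignored as 'sufficient' would"))
    return findings


def lint_text(text):
    """Parse and lint a pam.conf body; convenience wrapper for callers."""
    return lint_auth_stacks(parse_pam_conf(text))


if __name__ == "__main__":
    for service, code, message in lint_text(SAMPLE_PAM_CONF):
        print(f"[{service}] {code}: {message}")
```

On the sample above the linter reports a double-prompt finding for both the login and the default ("other") stacks and a winbind-required finding for login; a stack that lists pam_authtok_get.so.1 first and then pam_winbind.so with use_first_pass produces no findings. Whether that is the actual cause of the behaviour in the post is for the list to decide; the script only makes the stack order explicit.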