Garrett, Joseph
2006-Sep-05 13:20 UTC
[Samba] winbind auth against ads not working via remote login-solaris 10. - Success!!
Update: Success!!!! The corrective action was to move the below pam.conf settings to the top of each section.

auth    sufficient  /usr/lib/security/pam_winbind.so try_first_pass
account sufficient  /usr/lib/security/pam_winbind.so try_first_pass
session sufficient  /usr/lib/security/pam_winbind.so try_first_pass

-----Original Message-----
From: Garrett, Joseph
Sent: Thursday, August 31, 2006 8:40 AM
To: samba@lists.samba.org
Subject: RE: [Samba] winbind auth against ads not working via remote login-solaris 10.

update: OS not allowing a winbind auth on Solaris 10 console. I added the below winbind options (see smb.conf). I now get "NT_STATUS_OK" for the user (see winbind log) as I try to login, but Solaris 10 still reports a "Login Incorrect". What other OS configuration am I missing? Do the nss_winbind.so libraries need to be copied anywhere else? I copied the libnss_winbind.so to /lib and /usr/lib and made the below links.

/lib/nss_winbind.so
/lib/nss_winbind.so.1

nsswitch.conf is using "file nis winbind". See pam.conf below.

Thanks and God bless!
Winbind Log:
------------------
[2006/08/31 08:17:43, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(445)
  Plain-text authentication for user jgarrett returned NT_STATUS_OK (PAM: 0)

Smb.conf
----------------
# cat smb.conf
# Global parameters
[global]
        workgroup = MYDOMAIN
        server string = Samba Server pdtsun03
        password server = MYPWDSERVERS
        encrypt passwords = yes
        log level = 10
        log file = /usr/local/samba/var/log.%m
        max log size = 50
        dns proxy = No
        guest account = visitor
        realm = MYREALM
        security = ads
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind cache time = 2
        winbind use default domain = Yes
        winbind trusted domains only = Yes
        winbind nested groups = Yes
        winbind uid = 20001-40000
        winbind gid = 20001-40000
        # allow enumeration of winbind users and groups
        winbind enum users = yes
        winbind enum groups = yes
        # give winbind users a real shell (only needed if they have telnet access)

Pam.conf
--------------
# cat /etc/pam.conf
#
#ident  "@(#)pam.conf   1.28    04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
rlogin  auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
krlogin auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
rsh     auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
krsh    auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
ktelnet auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
other   auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
passwd  auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account sufficient      /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
other   session sufficient      /usr/lib/security/pam_winbind.so try_first_pass debug
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
other   password sufficient     /usr/lib/security/pam_winbind.so try_first_pass use_authtok debug
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

-----Original Message-----
From: samba-bounces+jgarrett=southernco.com@lists.samba.org [mailto:samba-bounces+jgarrett=southernco.com@lists.samba.org] On Behalf Of Garrett, Joseph
Sent: Tuesday, August 29, 2006 2:56 PM
To: samba@lists.samba.org
Subject: [Samba] winbind auth against ads not working via remote login -solaris 10.

I am attempting to use winbind for Telnet authentication, but winbind pam doesn't recognize the ads realm or smb.conf workgroup..see error snapshot. pdtsun03 is the hostname of the Solaris 10 ADS domain member running samba 3.0.11. "net ads join" worked..."net ads user" returns all MYADSDOMAIN users, and samba shares work from both the unix and NT side.

One note..After make install, I had to manually copy the compiled nsswitch/pam_winbind.so file to /usr/lib/security.

Thanks for the help.

samba configured args: ./configure --with-ads --with-winbind --with-krb5=/usr/local --with-pam

-------------------------
error snapshot:

[2006/08/29 14:31:49, 8] lib/util.c:is_myname(1810)
  is_myname("PDTSUN03") returns 1
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
  Authentication for domain PDTSUN03 (local domain to this server) not supported at this stage
[2006/08/29 14:31:49, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
  Plain-text authentication for user jgarrett returned NT_STATUS_NO_SUCH_USER (PAM: 13)
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)

---------------------------------
smb.conf

# Global parameters
[global]
        workgroup = MYADSDOMAIN
        server string = Samba Server pdtsun03
        password server = MYPWDSERVER(s)
        encrypt passwords = yes
        log level = 10
        log file = /usr/local/samba/var/log.%m
        max log size = 50
        dns proxy = No
        guest account = visitor
        realm = MYREALM.COM
        security = ads
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[tmp]
        comment = Temporary file space
        path = /tmp
        read only = No

---------------------------------------
detail error - with debug level at 10:

[2006/08/29 14:31:49, 6] nsswitch/winbindd.c:new_connection(356)
  accepted socket 19
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
  process_request: request fn INTERFACE_VERSION
[2006/08/29 14:31:49, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
  [19587]: request interface version
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/08/29 14:31:49, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
  [19587]: request location of privileged pipe
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(569)
  client_write: need to write 47 extra data bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 47 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(558)
  client_write: client_write: complete response written.
[2006/08/29 14:31:49, 6] nsswitch/winbindd.c:new_connection(356)
  accepted socket 20
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
  process_request: request fn PAM_AUTH
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(179)
  [19587]: pam auth jgarrett
[2006/08/29 14:31:49, 8] lib/util.c:is_myname(1810)
  is_myname("PDTSUN03") returns 1
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
  Authentication for domain PDTSUN03 (local domain to this server) not supported at this stage
[2006/08/29 14:31:49, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
  Plain-text authentication for user jgarrett returned NT_STATUS_NO_SUCH_USER (PAM: 13)
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
  client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2006/08/29 14:31:49, 5] nsswitch/winbindd.c:winbind_client_read(477)
  read failed on sock 19, pid 19587: EOF
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2006/08/29 14:31:49, 5] nsswitch/winbindd.c:winbind_client_read(477)
  read failed on sock 20, pid 19587: EOF
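The fix reported in the update is a PAM stack-ordering problem: with `pam_winbind.so` listed as `sufficient` after a `required` `pam_unix_auth.so.1`, a domain user who has no entry in the local password database fails the `required` module first, that failure is recorded, and the stack fails as a whole even though winbind later returns NT_STATUS_OK (exactly the "NT_STATUS_OK but Login Incorrect" symptom in the thread). The following Python checker is an added example, not code from the post or from Samba; it parses the five-column Solaris `pam.conf` format and reports, per `(service, type)` stack, whether the winbind line sits before any blocking (`required`, `requisite` or `binding`) module. The two sample configurations are constructed from the `login` and `other account` stacks quoted in the post, before and after the move; `pam_winbind.so` is matched by module name only, so the path it was installed under does not matter.

```python
"""Audit a Solaris-style pam.conf for pam_winbind stack ordering.

Added example (not from the mailing-list post or from Samba).
Usage: python pam_winbind_order.py [/etc/pam.conf]
"""
import sys
from collections import OrderedDict, namedtuple

Entry = namedtuple("Entry", "service type control module options")

# Controls whose failure is recorded and makes the whole stack fail,
# regardless of a later `sufficient` success (Solaris pam.conf(4) semantics).
BLOCKING_CONTROLS = ("required", "requisite", "binding")


def parse_pam_conf(text):
    """Parse `service type control module [options...]` lines into Entry records.

    Comment text after '#' and blank lines are ignored, so the '#ident' and
    commentary lines of a stock Solaris pam.conf pass through untouched.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, typ, control, module = parts[:4]
        entries.append(Entry(service, typ, control, module, tuple(parts[4:])))
    return entries


def stacks(entries):
    """Group entries into (service, type) stacks, preserving file order."""
    grouped = OrderedDict()
    for entry in entries:
        grouped.setdefault((entry.service, entry.type), []).append(entry)
    return grouped


def winbind_position(stack):
    """Classify one stack.

    'ok'             - pam_winbind is `sufficient` and precedes every blocking module
    'after-required' - pam_winbind is `sufficient` but a blocking module runs first,
                       so a domain-only user fails the stack (the thread's symptom)
    'absent'         - the stack does not use pam_winbind as `sufficient` at all
    """
    seen_blocking = False
    for entry in stack:
        if "pam_winbind" in entry.module and entry.control == "sufficient":
            return "after-required" if seen_blocking else "ok"
        if entry.control in BLOCKING_CONTROLS:
            seen_blocking = True
    return "absent"


def audit(text):
    """Map every (service, type) stack in `text` to its classification."""
    return OrderedDict(
        (key, winbind_position(stack)) for key, stack in stacks(parse_pam_conf(text)).items()
    )


# Constructed sample: the post's original `login auth` and `other account`
# stacks, with pam_winbind appended last, plus an untouched cron stack.
BEFORE = """\
login   auth    requisite   pam_authtok_get.so.1
login   auth    required    pam_dhkeys.so.1
login   auth    required    pam_unix_cred.so.1
login   auth    required    pam_unix_auth.so.1
login   auth    required    pam_dial_auth.so.1
login   auth    sufficient  /usr/lib/security/pam_winbind.so try_first_pass
cron    account required    pam_unix_account.so.1
other   account requisite   pam_roles.so.1
other   account required    pam_unix_account.so.1
other   account sufficient  /usr/lib/security/pam_winbind.so try_first_pass
"""

# Constructed sample: the same stacks after the corrective action in the
# update, i.e. the pam_winbind line moved to the top of each section.
AFTER = """\
login   auth    sufficient  /usr/lib/security/pam_winbind.so try_first_pass
login   auth    requisite   pam_authtok_get.so.1
login   auth    required    pam_dhkeys.so.1
login   auth    required    pam_unix_cred.so.1
login   auth    required    pam_unix_auth.so.1
login   auth    required    pam_dial_auth.so.1
cron    account required    pam_unix_account.so.1
other   account sufficient  /usr/lib/security/pam_winbind.so try_first_pass
other   account requisite   pam_roles.so.1
other   account required    pam_unix_account.so.1
"""


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else BEFORE
    for (service, typ), verdict in audit(text).items():
        print("%-8s %-8s %s" % (service, typ, verdict))


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it audits the constructed "before" sample and flags both winbind stacks as `after-required`; pointed at a real `/etc/pam.conf` it lists every stack so the ones that still fall through to a failed `pam_unix_auth` stand out. Treat `ok` as a necessary condition only: it checks ordering, not whether `nsswitch.conf` and the `nss_winbind` library resolve the user, which the post had to sort out separately.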