Karsten Römke
2010-Mar-03 14:20 UTC
[Samba] wbinfo works, getent and check via smbclient not
Hello,
I have a problem with authentication against ADS.

History:
- Samba works as a stand-alone server (non-productive)
- some experiments with a connection to an LDAP server running on another machine.
- Trying to join Active Directory; since I had no success I uninstalled samba completely and reinstalled it.

Versions:

openSUSE 11.1 (up to date apart from the kernel)
Samba: samba-3.2.7-11.4.1
winbind: samba-winbind-3.2.7-11.4.1
Windows 2003 Server with ADS

I followed the article at
http://www.pro-linux.de/NB3/artikel/2/1110/3,next.html
(sorry, it's German) and looked at the official Samba HOWTO.

The following tests I have done:

not sure: kinit, I set up /etc/krb5.conf

(roemke is a local user and a user of ADS with admin rights)

net ads join -S hhbnt12.hhb.bonn.de -Uroemke%xyz
seems to work, the server says that I have joined the domain but the DNS update failed.

test:
www:/etc/samba # net ads testjoin
Join is OK

test:
wbinfo -u
-> shows all usernames in Active Directory but no machines, as mentioned in the Samba wiki

www:/etc/samba # wbinfo -a roemkea%xyz
plaintext password authentication succeeded
challenge/response password authentication succeeded
roemkea is a non-local user, only available in the ADS

getent passwd
shows only local users :-(

I checked the nsswitch.conf and made symbolic links
/lib/libnss_winbind ...
I think at that point I could stop, but I tested via smbclient:

(roemkea is an ADS user)
smbclient //www/documentsWrite -Uroemkea
-> NT_STATUS_ACCESS_DENIED
Log file:
[2010/03/03 14:34:25, 3] auth/auth.c:check_ntlm_password(220)
  check_ntlm_password:  Checking password for unmapped user [NT_TECHNOLOGIE]\[roemkea]@[WWW] with the new password interface
[2010/03/03 14:34:25, 3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password:  mapped user is: [NT_TECHNOLOGIE]\[roemkea]@[WWW]
[2010/03/03 14:34:25, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [roemkea] -> [roemkea] FAILED with error NT_STATUS_NO_SUCH_USER

with local user roemke:
NT_STATUS_ACCESS_DENIED
but in the log file
[2010/03/03 14:35:33, 3] auth/auth.c:check_ntlm_password(220)
  check_ntlm_password:  Checking password for unmapped user [NT_TECHNOLOGIE]\[roemke]@[WWW] with the new password interface
[2010/03/03 14:35:33, 3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password:  mapped user is: [NT_TECHNOLOGIE]\[roemke]@[WWW]
[2010/03/03 14:35:33, 3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: winbind authentication for user [roemke] succeeded
[2010/03/03 14:35:33, 2] auth/auth.c:check_ntlm_password(308)
  check_ntlm_password:  authentication for user [roemke] -> [roemke] -> [roemke] succeeded

I found no hint.
It seems that for a local user winbind asks the ADS and gets back that the authentication is ok, but I don't get access.
For a non-local user I get the information that there is no such user.

I don't understand what happens.

Any help would be nice

Karsten
Karsten Römke
2010-Mar-03 14:51 UTC
[Samba] wbinfo works, getent and check via smbclient not
Walter Neu wrote:
> set the following in the [global] section and try again
>
> winbind enum users = yes
> winbind enum groups = yes
>
Hello,
thanks for your hint, I have done that.
I think I should post my smb.conf, the krb5.conf and the nsswitch.conf, in parts:

smb.conf

[global]
	workgroup = NT_TECHNOLOGIE
	#printing = cups
	#printcap name = cups
	#printcap cache time = 750
	#cups options = raw
	map to guest = Bad User
	#logon path = \\%L\profiles\.msprofile
	#logon home = \\%L\%U\.9xprofile
	#logon drive = P:
	#usershare allow guests = No
	netbios name = www
	#passdb backend = smbpasswd
	wins server = hhbnt12.hhb.bonn.de
	wins support = No
	security = ads
	# in addition to YaST
	password server = hhbnt12.hhb.bonn.de
	client use spnego = yes
	realm = HHB.BONN.DE
	winbind separator = /
	winbind use default domain = Yes
	winbind enum groups = yes
	winbind enum users = yes
	log level = 0 passdb:3 auth:3
	winbind nested groups = Yes
	template shell = /bin/bash
	# very insecure:
	passdb backend = tdbsam
	idmap backend = ad

[documentswrite]
	comment = Count Dooku
	inherit acls = No
	path = /srv/www/htdocs/documents
	read only = Yes
	valid users = roemke römke roemkea

krb5.conf

[libdefaults]
	# default_realm = EXAMPLE.COM
	default_realm = HHB.BONN.DE

[realms]
	HHB.BONN.DE = {
		kdc = hhbnt12.hhb.bonn.de
	}

# the following is from prolinux
[appdefaults]
	pam = {
		ticket_lifetime = 1d
		renew_lifetime = 1d
		forwardable = true
		proxiable = false
		retain_after_close = false
		minimum_uid = 0
		debug = false
	}

and parts from nsswitch.conf

#passwd: compat winbind
passwd: files winbind
#group: files ldap winbind
group: files winbind
shadow: files winbind

I have done nothing in /etc/pam.d/ - I don't want logins of Windows users.

Karsten

> Karsten Römke wrote:
>> Hello,
>> I have a problem with authentication against ADS.
>>
>> History:
>> - Samba works as a stand-alone server (non-productive)
>> - some experiments with a connection to an LDAP server running on another
>> machine.
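The diagnostic chain from the posts above (net ads testjoin, wbinfo -u, getent passwd, the NT_STATUS_NO_SUCH_USER line in the smbd log), written up as an added example; it is not part of the thread and not Samba's own tooling. It works on copies of smb.conf and nsswitch.conf so it runs offline; the sample files are constructed from the configuration posted in this thread, and the function names, the SAMPLE_DIR path and the --live switch are mine. It explains the two things a practitioner would look at here: with idmap backend = ad, winbind takes uidNumber/gidNumber from AD (RFC2307), so an account without those attributes is enumerated by wbinfo -u but never gets a Unix uid, and map to guest = Bad User converts that lookup failure into a guest session, which the share's valid users then refuses with ACCESS_DENIED.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: explain the symptom
# "wbinfo -u works, getent passwd shows only local users, smbd logs
# NT_STATUS_NO_SUCH_USER" from copies of smb.conf and nsswitch.conf, so it
# runs anywhere. The sample files are constructed from the configuration
# posted in this thread; the live checks at the end run only on request.

# Print the effective value of PARAM in SECTION (default global) of smb.conf.
# Samba matches parameter names case-insensitively and ignores whitespace in
# them; the last assignment in a section wins; '#' and ';' start comments.
smb_conf_get() {  # usage: smb_conf_get FILE PARAM [SECTION]
    awk -v want="$2" -v sect="${3:-global}" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function norm(s) { s = tolower(s); gsub(/[ \t]/, "", s); return s }
    BEGIN { want = norm(want); sect = norm(sect) }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s); cur = norm(s); next }
    cur == sect && index($0, "=") {
        eq = index($0, "=")
        if (norm(substr($0, 1, eq - 1)) == want) val = trim(substr($0, eq + 1))
    }
    END { if (val != "") print val }' "$1"
}

# Exit 0 when nsswitch.conf lists winbind as a source for DB (passwd|group|shadow).
nss_has_winbind() {  # usage: nss_has_winbind FILE DB
    awk -v db="$2" '
    /^[ \t]*#/ { next }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        c = index(line, ":"); if (c == 0 || substr(line, 1, c - 1) != db) next
        n = split(substr(line, c + 1), src, /[ \t]+/)
        for (i = 1; i <= n; i++) if (src[i] == "winbind") found = 1
    }
    END { if (found) exit 0; exit 1 }' "$1"
}

# One WARN block per finding. Always exits 0; count the WARN lines if needed.
diagnose() {  # usage: diagnose SMB_CONF NSSWITCH_CONF
    if [ "$(smb_conf_get "$1" 'idmap backend')" = "ad" ]; then
        echo "WARN: idmap backend = ad takes uidNumber/gidNumber from AD (RFC2307). An AD"
        echo "      account without them is listed by 'wbinfo -u' but never gets a Unix uid,"
        echo "      so getent and smbd cannot resolve it (smbd: NT_STATUS_NO_SUCH_USER)."
    fi
    for db in passwd group; do
        nss_has_winbind "$2" "$db" ||
            echo "WARN: nsswitch.conf '$db:' lacks winbind; getent $db shows local entries only."
    done
    if [ "$(smb_conf_get "$1" 'map to guest' | tr 'A-Z' 'a-z')" = "bad user" ]; then
        echo "WARN: map to guest = Bad User turns an unknown user into a guest session; the"
        echo "      share's 'valid users' then rejects it, so the client sees ACCESS_DENIED"
        echo "      instead of the lookup failure, and any mistyped name gets guest access."
    fi
    return 0
}

# The same chain against the live system; needs the Samba tools and a joined host.
live_checks() {  # usage: live_checks DOMAINUSER  (bare name if winbind use default domain = yes)
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed; skipping"; return 0; }
    net ads testjoin                  # machine account still valid?
    wbinfo -u | grep -qx "$1"         # winbindd can enumerate the user ...
    wbinfo -i "$1"                    # ... and map it to uid/gid (fails without uidNumber under idmap_ad)
    getent passwd "$1"                # ... and libnss_winbind returns the same entry
}

# Constructed sample input mirroring the files posted in this thread.
SAMPLE_DIR=$(mktemp -d)
SMB_CONF="$SAMPLE_DIR/smb.conf"; NSS_CONF="$SAMPLE_DIR/nsswitch.conf"
cat > "$SMB_CONF" <<'EOF'
[global]
    workgroup = NT_TECHNOLOGIE
    realm = HHB.BONN.DE
    security = ads
    map to guest = Bad User
    #passdb backend = smbpasswd
    passdb backend = tdbsam
    idmap backend = ad
    winbind use default domain = Yes
    Winbind Enum Users = yes
[documentswrite]
    path = /srv/www/htdocs/documents
    valid users = roemke roemkea
EOF
cat > "$NSS_CONF" <<'EOF'
#passwd: compat winbind
passwd: files winbind
group:  files winbind
shadow: files winbind
EOF

diagnose "$SMB_CONF" "$NSS_CONF"
if [ "${1:-}" = "--live" ]; then live_checks "${2:?domain user}"; fi
```

Run it as is to see the two findings for the posted configuration, or as `sh check.sh --live roemkea` on the joined host; the point of `wbinfo -i` between `wbinfo -u` and `getent` is that it isolates id mapping from enumeration, which is exactly the gap the posts above describe.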
Diego Zuccato
2010-Mar-04 08:06 UTC
[Samba] wbinfo works, getent and check via smbclient not
On 03/03/2010 15:51, Karsten Römke wrote:
> Walter Neu wrote:
>> set the following in the [global] section and try again
>>
>> winbind enum users = yes
>> winbind enum groups = yes
Well, then maybe I start seeing where my problem could be: I have them both set to "no" (we have about 150K users in AD, and about 500K groups), but "usually" resolution works well. Just sometimes it seems there are problems with domain trust (a machine that worked stops resolving and the log says there are troubles acquiring a ticket -- other machines that were cloned from the same disk continue working without problems).

-- 
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zuccato at unibo.it
Karsten Römke
2010-Mar-04 11:25 UTC
[Samba] wbinfo works, getent and check via smbclient not
Hi Grant,
< ... delete old text ... >
you wrote
> Your join is just fine. That err is the same as happens when I join and
> mine works excellently otherwise. The join is ok is the important part.
>
> There are various tests you can do to see if things are working:
> KERBEROS
> kinit usernamewithadminprivileges
> like:
> kinit karsten
> should ask for a password
works
>
> klist
> should return a ticket cache for the user just authenticated
>
works
> kdestroy
> should make it so when you do klist again there are no more tickets cached
>
works
> LDAP
I don't know. I'm confused, I thought I need winbind to connect to the Windows server.
I thought that my pam configuration maybe is wrong.
So my question: Do I need winbind or ldap or both?
Are there any modifications needed in my pam.d directory? I found a file named samba there.

Thanks
Karsten

> use ldapsearch like:
>
> ldapsearch -x -D 'cn=yourldapuserthatyouusetoauthenticate,ou=veryspecificou,ou=users,ou=yourou,dc=yourad,dc=yourdomain,dc=yourtld' -H ldaps://ldap.yourad.yourdomain.yourtld -W -b 'ou=yourou,dc=yourad,dc=yourdomain,dc=likecom'
>
> you don't have to be quite that specific but you get the idea. It
> returns all the users in your ou.
>
> you need to set your /etc/ldap.conf and /etc/ldap/ldap.conf (might be
> /etc/openldap/ldap.conf depending on your OS)
> to look at the right places, for instance:
>
> /etc/ldap.conf
> ssl on
> port 636
> ldap_version 3
> tls_checkpeer no
> uri ldaps://ldap.yourldapurl
> # limit the base to your departmental OU, wider scopes can affect the output time and entries to be displayed
> binddn CN=yourkerberosldapaccount,OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
> #password for the AD user account used to bind to AD LDAP
> bindpw yourldapuserpassword
> base OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_objectclass posixGroup group
> nss_map_attribute uid sAMAccountName
> nss_map_attribute uidNumber uidNumber
> nss_map_attribute gidNumber gidNumber
> nss_map_attribute cn sAMAccountName
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute uniqueMember member
> nss_map_attribute loginShell loginShell
> nss_map_attribute shadowLastChange pwdLastSet
> pam_login_attribute sAMAccountName
> pam_filter objectclass=user
>
> and for the other one:
>
> #/etc/ldap/ldap.conf or /etc/openldap/ldap.conf on some OS
> #Secure LDAP URI/Server
> uri ldaps://ldap.yourldapurl
> # restrict to your ou
> BASE OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
> # set to the cn for the kerberos user used for authenticating
> BINDDN cn=yourkerberosuser,OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
> # during testing switch off ssl cert checking, later you should install the certs from your ldap server and set this always
> TLS_REQCERT never
>
>
> if those tests are working and you have set up the ldap conf files right
> and nsswitch.conf as well you should get back the users/groups from
> your ou when you do
> getent passwd.
> or getent group
>
> You might try nsswitch.conf settings like
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
> there's some description here:
> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
> but you might also google for more.
>
> Have fun!
>
> Grant
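The two LDAP client files quoted above both switch off server certificate verification (tls_checkpeer no for nss_ldap, TLS_REQCERT never for the OpenLDAP library), and /etc/ldap.conf carries the bind password in clear, which is what Grant's own "later you should install the certs" remark points at. The following is an added example, not from the thread and not from nss_ldap or OpenLDAP: it audits such files for those weaknesses and writes a hardened copy. The sample files are constructed from the quoted fragments with the placeholders kept; the CA certificate path in AD_CA and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the LDAP client files from the
# reply above. Both fragments switch off server certificate verification
# (tls_checkpeer no for nss_ldap, TLS_REQCERT never for libldap) and
# /etc/ldap.conf holds the bind password in clear. Sample files are
# constructed from the quoted fragments; the CA path is an assumption.
AD_CA=/etc/ssl/certs/ad-ca.pem   # assumed location of the AD CA certificate

# Print the value of KEY from an ldap.conf-style file (keys are case-insensitive).
ldap_conf_get() {  # usage: ldap_conf_get FILE KEY
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == want { v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v); print v; exit }' "$1"
}

# One FAIL line per weakness; prints nothing for a clean file.
audit_ldap_conf() {  # usage: audit_ldap_conf FILE
    case "$(ldap_conf_get "$1" tls_checkpeer | tr 'A-Z' 'a-z')" in
        no|off|false) echo "FAIL: tls_checkpeer no: nss_ldap accepts any server certificate" ;;
    esac
    case "$(ldap_conf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')" in
        never|allow) echo "FAIL: TLS_REQCERT never/allow: libldap accepts any server certificate" ;;
    esac
    if [ -n "$(ldap_conf_get "$1" bindpw)" ]; then
        # a clear-text bind password must not be readable by other local users
        mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
        case "$mode" in
            600|400) ;;
            *) echo "FAIL: bindpw stored in $1 but mode is $mode, expected 600" ;;
        esac
    fi
}

# Write a hardened copy of IN to OUT (mode 600): verify the certificate and pin the CA.
harden_ldap_conf() {  # usage: harden_ldap_conf IN OUT
    (umask 077; awk -v ca="$AD_CA" '
        tolower($1) == "tls_checkpeer" { print "tls_checkpeer yes"; seen_nss = 1; next }
        tolower($1) == "tls_reqcert"   { print "TLS_REQCERT demand"; seen_ol = 1; next }
        { print }
        END { if (seen_nss) print "tls_cacertfile " ca; if (seen_ol) print "TLS_CACERT " ca }' \
        "$1" > "$2")
}

# Constructed samples: the two quoted files, trimmed to the relevant keys.
NSS_LDAP_CONF=$(mktemp); OPENLDAP_CONF=$(mktemp)
cat > "$NSS_LDAP_CONF" <<'EOF'
ssl on
port 636
ldap_version 3
tls_checkpeer no
uri ldaps://ldap.yourldapurl
binddn CN=yourkerberosldapaccount,OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
bindpw yourldapuserpassword
base OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
EOF
chmod 644 "$NSS_LDAP_CONF"   # the usual mode of /etc/ldap.conf
cat > "$OPENLDAP_CONF" <<'EOF'
uri ldaps://ldap.yourldapurl
BASE OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
BINDDN cn=yourkerberosuser,OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
TLS_REQCERT never
EOF

for f in "$NSS_LDAP_CONF" "$OPENLDAP_CONF"; do
    audit_ldap_conf "$f"
    harden_ldap_conf "$f" "$f.fixed"
done
```

The hardened copy keeps the bind password (the nss_ldap file needs it) but only with mode 600, and it pins the AD CA so that "TLS_REQCERT demand" and "tls_checkpeer yes" have something to verify against; without the CA line both settings would make every lookup fail rather than make it safe.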
grant little
2010-Mar-05 06:09 UTC
[Samba] wbinfo works, getent and check via smbclient not
On Thu, Mar 4, 2010 at 7:59 AM, grant little <grantliddle at gmail.com> wrote:
>
> OOPS! I misread what you were trying to do. I thought you were using LDAP.
> Sorry. Please ignore my message
grant little
2010-Mar-05 06:32 UTC
[Samba] wbinfo works, getent and check via smbclient not
On Thu, Mar 4, 2010 at 8:13 AM, Karsten Römke <k.roemke at gmx.de> wrote:
> grant little wrote:
> <snip/>
>> OOPS! I misread what you were trying to do. I thought you were using
>> LDAP. Sorry. Please ignore my message
>
> Hi Grant,
> I'm not sure if you misunderstand me.
> As far as I know ADS is nothing else than LDAP.
> So it is possible that I need LDAP to ask the win2003 server for
> authentication.
> I'm still unsure what my next steps should be.
> Trying to add winbind to the pam system, which I only understand on
> the "surface", or trying to add ldap support.
> Karsten
>
Hi Karsten,
I have made samba with ads work on two servers here, one running CentOS 5.4 using samba 3.0.33 and the other Ubuntu 9.10 server using samba 3.4.0. On each there is kerberos, ldap and winbind. I looked at the instructions that you used and they look as if they should work, but I am now out of my depth. I have never made it work without ldap. I also had samba 3.5.0rc3 running on Ubuntu 9.10 server with only kerberos and ldap, that was with no winbind. Note those all use ldap. I don't have personal experience authenticating without ldap. Here they do it without ldap:
http://wiki.samba.org/index.php/Samba_&_Active_Directory
so you might try there. Sorry I can't be more help for doing it without ldap, not my area of expertise. There's a good book on samba put out by O'Reilly called "Using Samba".

Grant