On Wed, Oct 20, 2010 at 12:46 PM, Andrew Lyon <andrew.lyon at gmail.com>
wrote:
> Hi,
>
> I've setup Samba 3.5.6 as a member server in a 2003R2 domain with a
> single dc, idmapping is by rfc2307 with a tdb backend for builtin
> accounts etc, I can list users and groups using wbinfo and I can
> create shares and access them from the windows server, files and
> folders owned by ad users show the correct user and group names so
> mapping appears to be working, I can su to ad accounts but I am unable
> to ssh into the system as a AD user.
>
> Relevant config files:
>
> cat /etc/samba/smb.conf
>
>
> [global]
> debug hires timestamp = yes
>        workgroup = SAMBATEST
>        security = ADS
>        winbind use default domain = true
>        realm = SAMBATEST.LOCAL
>        server string = Samba file and print server
>        log level = 3
>        max log size = 4192
>        printcap name = cups
>        idmap config SAMBATEST : backend = ad
>        idmap config SAMBATEST : range = 10000-10020
>        idmap config SAMBATEST : schema_mode = rfc2307
>        idmap config SAMBATEST : default = yes
>        idmap backend = tdb
>        idmap uid = 10100-10110
>        idmap gid = 10100-10110
>        winbind separator = +
>        winbind enum users = Yes
>        winbind enum groups = Yes
>        winbind refresh tickets = Yes
>        winbind normalize names = Yes
>        winbind nested groups = Yes
>        client ntlmv2 auth = yes
>        encrypt passwords = yes
>        password server = w2k3r2svr.sambatest.local
>        template shell = /bin/bash
> [homes]
>        comment = Home Directories
>        read only = No
>
> [printers]
>        comment = All Printers
>        guest ok = Yes
>        printable = Yes
>        browseable = No
>        available = No
>
> cat /etc/pam.d/sshd
> auth       include      system-remote-login
> account    include      system-remote-login
> password   include      system-remote-login
> session    include      system-remote-login
>
> cat /etc/pam.d/system-remote-login
> auth            include         system-login
> account         include         system-login
> password        include         system-login
> session         include         system-login
>
> cat /etc/pam.d/system-login
> auth            required        pam_tally.so onerr=succeed
> auth            required        pam_shells.so
> auth            required        pam_nologin.so
> auth            include         system-auth
>
> account         required        pam_access.so
> account         required        pam_nologin.so
> account         include         system-auth
> account         required        pam_tally.so onerr=succeed
>
> password        include         system-auth
>
> session         required        pam_env.so
> session         optional        pam_lastlog.so
> session         include         system-auth
> session         optional        pam_ck_connector.so nox11
> session         optional        pam_motd.so motd=/etc/motd
> session         optional        pam_mail.so
>
> file /etc/pam.d/system-auth
> /etc/pam.d/system-auth: symbolic link to `system-auth-winbind'
>
> cat /etc/pam.d/system-auth-winbind
> #%PAM-1.0
> # $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/3.5/system-auth-winbind.pam,v 1.1 2010/03/01 16:19:54 patrick Exp $
>
> auth        required      pam_env.so
> auth        sufficient    pam_winbind.so
> auth        sufficient    pam_unix.so likeauth nullok use_first_pass
> auth        required      pam_deny.so
>
> account     sufficient    pam_winbind.so
> account     sufficient    pam_unix.so
>
> password    required      pam_cracklib.so retry=3
> password    sufficient    pam_unix.so nullok use_authtok md5 shadow
> password    required      pam_deny.so
>
> session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session     required      pam_limits.so
> session     sufficient    pam_unix.so
>
> Trust is ok:
>
> wbinfo -t
> checking the trust secret for domain SAMBATEST via RPC calls succeeded
>
>
> I can authenticate the user using kerberos
>
> kinit testuser
> Password for testuser at SAMBATEST.LOCAL:
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: testuser at SAMBATEST.LOCAL
>
> Valid starting     Expires            Service principal
> 10/20/10 12:28:11  10/20/10 19:08:11  krbtgt/SAMBATEST.LOCAL at SAMBATEST.LOCAL
>
> And with wbinfo:
>
>
> wbinfo -a testuser%abcABC123
> plaintext password authentication failed
> Could not authenticate user testuser%abcABC123 with plaintext password
> challenge/response password authentication succeeded
>
> When authenticating with wbinfo the following events are logged to log.winbindd
>
> [2010/10/20 12:39:25.902284,  3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 2329]: request interface version
> [2010/10/20 12:39:25.902435,  3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [ 2329]: request location of privileged pipe
> [2010/10/20 12:39:25.902626,  3]
> winbindd/winbindd_pam.c:818(winbindd_pam_auth)
>   [ 2329]: pam auth testuser
> [2010/10/20 12:39:25.911435,  3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 2329]: request interface version
> [2010/10/20 12:39:25.911533,  3]
> winbindd/winbindd_misc.c:340(winbindd_info)
>   [ 2329]: request misc info
> [2010/10/20 12:39:25.911628,  3]
> winbindd/winbindd_misc.c:373(winbindd_netbios_name)
>   [ 2329]: request netbios name
> [2010/10/20 12:39:25.911724,  3]
> winbindd/winbindd_misc.c:362(winbindd_domain_name)
>   [ 2329]: request domain name
> [2010/10/20 12:39:25.911816,  3]
> winbindd/winbindd_misc.c:244(winbindd_domain_info)
>   [ 2329]: domain_info [SAMBATEST]
> [2010/10/20 12:39:25.912161,  3]
> winbindd/winbindd_pam.c:1768(winbindd_pam_auth_crap)
>   [ 2329]: pam auth crap domain: [SAMBATEST] user: testuser
>
>
> But when I try to ssh into the samba server as testuser the
> authentication fails, the winbindd log entries are:
>
> [2010/10/20 12:41:39.712313,  3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:41.208210,  3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 6462]: request interface version
> [2010/10/20 12:41:41.208378,  3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [ 6462]: request location of privileged pipe
> [2010/10/20 12:41:41.208596,  3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:41.209050,  3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:55.790569,  3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 6889]: request interface version
> [2010/10/20 12:41:55.790795,  3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [ 6889]: request location of privileged pipe
> [2010/10/20 12:41:55.791038,  3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:55.795625,  3]
> winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
>   getgroups testuser
> [2010/10/20 12:41:55.798148,  3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 6891]: request interface version
> [2010/10/20 12:41:55.798304,  3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [ 6891]: request location of privileged pipe
> [2010/10/20 12:41:55.798580,  3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:55.799019,  3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:57.789992,  3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 6891]: request interface version
> [2010/10/20 12:41:57.790115,  3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [ 6891]: request location of privileged pipe
> [2010/10/20 12:41:57.790277,  3]
> winbindd/winbindd_pam.c:818(winbindd_pam_auth)
>   [ 6891]: pam auth testuser
> [2010/10/20 12:41:57.807080,  3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:59.716477,  3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 7019]: request interface version
> [2010/10/20 12:41:59.716632,  3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [ 7019]: request location of privileged pipe
> [2010/10/20 12:41:59.716828,  3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:59.717221,  3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
>
>
> log.wb-SAMBATEST (the name of the windows dc) logs the following errors:
>
> [2010/10/20 12:43:15.749729,  3]
> winbindd/winbindd_pam.c:1466(winbindd_dual_pam_auth)
>   [ 2769]: dual pam auth SAMBATEST+testuser
> [2010/10/20 12:43:15.750852,  2]
> winbindd/winbindd_pam.c:1722(winbindd_dual_pam_auth)
>   Plain-text authentication for user SAMBATEST\testuser returned
> NT_STATUS_NO_SUCH_USER (PAM: 10)
>
>
> I've tried using ssh -l testuser and ssh -l SAMBATEST+testuser, it
> makes no difference to the result or the log entries.
>
> getent passwd/group returns only local users, perhaps a clue as to
> what is wrong?
>
> Any suggestions would be appreciated, I've been trying to get this
> working for quite a while but I seem to have hit a wall.
>
> Andy
>
Typical: try to fix something for 2 days and a few mins after posting
the problem I figured it out. It appears that winbind separator = +
causes pam authentication to fail; after commenting out that line I
can login using ssh.
Looks like I'm not the only person to hit this problem:
http://www.linuxquestions.org/questions/linux-server-73/getting-pam-working-with-samba-with-active-directory-authentication-639165/
Perhaps it is a bug after all? winbind should know what separator is
being used, shouldn't it?
Andy
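As an added check written for this thread (not code from the poster or from Samba), the script below parses the posted [global] section and reports the settings that matter for winbind logins through PAM: the non-default winbind separator that turned out to be the culprit, a template shell missing from /etc/shells (pam_shells.so is required in the auth stack shown above), and, going beyond the poster's config as a general check, per-domain idmap ranges that overlap each other or the default tdb range. The parse_global and lint names, the sample config and the valid_shells tuple standing in for /etc/shells are assumptions.

```python
import re

# Constructed sample: the posted [global] section, trimmed to the
# parameters the checks below inspect (sample input, not a live file).
SMB_CONF = """
[global]
    idmap config SAMBATEST : range = 10000-10020
    idmap uid = 10100-10110
    idmap gid = 10100-10110
    winbind separator = +
    template shell = /bin/bash
"""

def parse_global(text):
    # Keys normalized as Samba does (lowercase, no whitespace): 'idmapconfigsambatest:range'.
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def id_range(value):
    return tuple(int(x) for x in value.split("-", 1))

def lint(params, valid_shells=("/bin/sh", "/bin/bash")):
    findings = []
    sep = params.get("winbindseparator", "\\")
    if sep != "\\":
        findings.append(f"winbind separator = {sep}: non-default; the thread's ssh logins failed until this line was removed")
    shell = params.get("templateshell", "/bin/false")
    if shell not in valid_shells:      # valid_shells stands in for /etc/shells (pam_shells.so)
        findings.append(f"template shell = {shell} is not in /etc/shells")
    domains, defaults = [], []         # (label, low, high) triples
    for key, val in params.items():
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        if m:
            domains.append(("domain " + m.group(1).upper(), *id_range(val)))
        elif key in ("idmapuid", "idmapgid"):   # default (tdb) ranges; uid/gid may coincide
            defaults.append((key, *id_range(val)))
    pairs = [(d, other) for i, d in enumerate(domains) for other in domains[i + 1:] + defaults]
    for (a, alo, ahi), (b, blo, bhi) in pairs:
        if alo <= bhi and blo <= ahi:
            findings.append(f"idmap ranges overlap: {a} {alo}-{ahi}, {b} {blo}-{bhi}")
    return findings
```

Run against the poster's values it reports only the separator; with the separator line dropped (the fix from the thread) it reports nothing.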