I have Samba Version 3.5.8-74.fc13 (Fedora 13) set up as the PDC for an NT domain. I have several Windows XP Pro and Windows 7 Ultimate workstations as domain members and everything is working fine. Domain users can log in at the workstations, access shares on the Samba server and the other workstations, etc.

I am in the process of adding Samba Version 3.5.8-76.fc14 (Fedora 14) as an additional domain member. x86_64 arch, if that matters. So far I have joined it to the domain, other workstations can see it and can access its shares. With smbclient I can access shares on other domain members.

I want to enable authentication via PAM and winbind (Version 3.5.8-74.fc14). I have things set up to the point where "wbinfo -u", "wbinfo -g", "getent passwd" and "getent group" are all showing the lists of domain users and groups. PAM has been configured as well.

But here's the rub: authentication of domain users on this workstation is failing. When I try to log in using domain credentials, this fails with the error NT_STATUS_NO_SUCH_USER. If I use "wbinfo -a user%password", I get the following results:

    plaintext password authentication failed
    Could not authenticate user%password with plaintext password
    challenge/response authentication succeeded

In the logs, I see the error NT_STATUS_NO_SUCH_USER.

At this point, I'm not sure how to proceed. Should I be investigating why plaintext authentication is failing and trying to fix it, or should I be trying to get pam_winbind to use challenge/response authentication instead, since that works? I am under the impression that plaintext authentication is obsolete and insecure (I have "encrypt passwords = yes" configured in smb.conf on both PDC and workstation), so my inclination is towards the latter.
smb.conf from workstation (manually retyped, might have minor typos, names and addresses changed):

    netbios name = NAME
    server string
    workgroup = DOMAIN
    security = domain
    password server = *
    encrypt passwords = yes
    wins server = 66.67.68.69
    winbind separator = .
    idmap uid = 500-599
    idmap gid = 500-599
    idmap backend = tdb
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%u
    template shell = /bin/bash
    winbind rpc only = yes
    winbind offline logon = yes
    winbind normalize names = yes

Any suggestions or advice for investigating deeper would be greatly appreciated.

(Could the version difference between samba-winbind and the other parts of samba be the problem? I had to manually download the rpm and force an install. Trying to install with yum did not work as the x86_64 samba-winbind seemed to require i686 dependencies instead of using the corresponding x86_64 packages I already had.)

MV
> If I use "wbinfo -a user%password", I get the following results:
>
> plaintext password authentication failed
> Could not authenticate user%password with plaintext password
> challenge/response authentication succeeded
>
> In the logs, I see the error NT_STATUS_NO_SUCH_USER.

Maybe you need to put your domain name in front of the user; domain\user%password

> netbios name = NAME
> server string
> workgroup = DOMAIN
> security = domain
> password server = *
> encrypt passwords = yes
> wins server = 66.67.68.69
> winbind separator = .
> idmap uid = 500-599
> idmap gid = 500-599
> idmap backend = tdb
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%D/%u
> template shell = /bin/bash
> winbind rpc only = yes
> winbind offline logon = yes
> winbind normalize names = yes

I guess that should be domain.user%password since you have winbind separator configured. Conversely, you could try adding winbind use default domain = yes so the domain name part isn't necessary...

Bob Miller
334-7117/660-5315
http://computerisms.ca
bob at computerisms.ca
Network, Internet, Server, and Open Source Solutions
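A small helper, added here and not part of the thread or of Samba, that applies Bob's point about the name form: it reads "workgroup", "winbind separator" and "winbind use default domain" from an smb.conf (a constructed copy of the workstation settings above) and prints the account name in the form winbind resolves, so a "wbinfo -a" test or a PAM login is tried with the same form the configuration implies. The user name "martin" is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): derive the account-name form winbind
# expects from the smb.conf settings, i.e. DOMAIN<separator>user, or a bare
# user name when "winbind use default domain = yes" is set.

# Constructed copy of the relevant workstation settings from the thread.
SMBCONF_SAMPLE='[global]
   workgroup = DOMAIN
   security = domain
   winbind separator = .
   winbind enum users = yes
'

# smb_get CONF KEY: print KEY's value from the smb.conf text in CONF
# (key match ignores case and surrounding whitespace); prints nothing if unset.
smb_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /=/ {
            k = $0; sub(/=.*/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# winbind_account CONF USER: print USER in the form winbind resolves it.
winbind_account() {
    conf=$1; user=$2
    dom=$(smb_get "$conf" 'workgroup')
    sep=$(smb_get "$conf" 'winbind separator')
    use_default=$(smb_get "$conf" 'winbind use default domain')
    [ -n "$sep" ] || sep='\'            # Samba's default separator is a backslash
    case $(printf '%s' "$use_default" | tr 'A-Z' 'a-z') in
        yes|true|1) printf '%s\n' "$user" ;;                 # bare name is enough
        *)          printf '%s%s%s\n' "$dom" "$sep" "$user" ;;
    esac
}

# With the thread's settings this prints "DOMAIN.martin": the name to hand to
# wbinfo -a (quote it on the command line, since a backslash separator is
# shell-significant) and the form a domain user types at the PAM login prompt.
winbind_account "$SMBCONF_SAMPLE" martin
```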
> Hi Martin,
>
> My experience from this is in getting ubuntu workstations to operate in
> the domain environment, also using a samba PDC in a mixed windows/linux
> environment. It took me a couple weeks to piece everything together,
> was not a trivial task. I have posted my notes to this list on how I
> configured the ubuntu workstation, so you might find it useful to find
> that and compare against your DMS config.
>
> The wbinfo and net commands were instrumental in tracking down my
> problems, which mostly ended up being on the PDC itself. The biggest
> lesson I took away about using winbind on a DMS is that it won't work if
> your PDC isn't configured correctly.
>
> wbinfo with its various switches allows you to convert
> sid/rid/gid/uid/name back and forth and to each other. I would guess
> that at least one of these conversions will fail if you try them all
> against your valid user. The other switches might also provide you more
> clues.

Hi Bob. Thanks for all your additional helpful advice. Unfortunately, all the things that you suggest are things that I have already tried on my own but for brevity did not mention in my posting. I can map SID and RID <-> UID and GID and name etc. and everything looks kosher (including challenge/response authentication), with the sole exception of the plaintext password authentication. Everything looks OK on the PDC as well. Plus authentication of that and other users works fine on Windows workstations, and has been working well for months. I am open to some configuration issue there, but if there is I can't put my finger on it. I will look for your notes/postings on the list.

MV