Ron García-Vidal
2013-Dec-03 23:43 UTC
[Samba] Samba4 Winbind on DC Authentication problem
So, I've finally gotten around to installing a Samba4 AD DC. I've joined a Win7 and Ubuntu machine to the domain so far, and all works perfectly. Great job guys, it's nice to see this functionality working solidly on Samba!

The problem is coming in on the actual DC host. My Ubuntu laptop is running winbindd 3.6.18, and as I said, all went flawlessly. The DC host is running Debian Wheezy (7.2) and I installed Samba 4.1.2 from the source tarball.

I have followed the guide here:
https://wiki.samba.org/index.php/Samba4/Winbind

Including symlinking the libnss_winbind.so and pam_winbind.so to their proper locations. wbinfo -u/g and getent passwd/group are working fine, as is the id command. Here are the problems:

1) getent passwd/group are returning DOMAIN+username, even though I have specified winbind use default domain = yes in smb.conf. Not a huge deal, but it would be neater to see just username in single-domain environments.

2) I have specified rid backend, but the UID mapping is still showing as the default algorithm. I had changed it to rid after I had already done a getent passwd using the defaults. Is this just a matter of clearing the mappings so it can re-assign them? I did try deleting the mapping for 1 user via ldbedit, but it came back with the same number afterward. The rid mapping is working as expected on the Ubuntu/Samba 3.6.18 machine.

(On a side note, what is the current best-practice for consistent UID mapping, since my google hunting seems to indicate rid isn't the best?)

3) Most importantly, I'm getting authentication failures when logging into the machine. I can log on as userx with password xyz from my Ubuntu box, and I can access the server and all its shares from my windows box, so I know the user is authenticating properly with that password. If, as root, I su - userx it works fine, and the id and whoami commands work as expected (with the DOMAIN portion appearing, of course).

But if I try to login, both as userx and DOMAIN+userx, I get "Authentication failure" in auth.log. I get the same error when trying to log in via ssh.

I am only assuming pam_winbind is working properly, and the account/session portions are behaving correctly; it's the auth that seems to be the problem.

Any ideas?

Thanks again for the great work to the Samba team!

-Ron

--
Riomar Group <http://www.riomargroup.com>
*Ron García-Vidal | President | Riomar Group (A NYC & NYS Certified MBE)*
1315 Prospect Ave., First Floor | Brooklyn, NY 11218
2655 Le Jeune Road, Suite 915 | Coral Gables, FL 33134
(347) 746-6276 | www.riomargroup.com <http://www.riomargroup.com>
ron at riomargroup.com <mailto:ron at riomargroup.com>
On Tue, 2013-12-03 at 18:43 -0500, Ron García-Vidal wrote:
> So, I've finally gotten around to installing a Samba4 AD DC. I've joined a Win7 and Ubuntu machine to the domain so far, and all works perfectly. Great job guys, it's nice to see this functionality working solidly on Samba!
>
> The problem is coming in on the actual DC host. My Ubuntu laptop is running winbindd 3.6.18, and as I said, all went flawlessly. The DC host is running Debian Wheezy (7.2) and I installed Samba 4.1.2 from the source tarball.
>
> I have followed the guide here:
> https://wiki.samba.org/index.php/Samba4/Winbind
>
> Including symlinking the libnss_winbind.so and pam_winbind.so to their proper locations. wbinfo -u/g and getent passwd/group are working fine, as is the id command. Here are the problems:
>
> 1) getent passwd/group are returning DOMAIN+username, even though I have specified winbind use default domain = yes in smb.conf. Not a huge deal, but it would be neater to see just username in single-domain environments.

If you want only user without the DOMAIN\ bit then nss-ldapd and sssd give exactly that. winbind use default domain doesn't work on the DC here either unless you use the default separator '\'

> 2) I have specified rid backend, but the UID mapping is still showing as the default algorithm. I had changed it to rid after I had already done a getent passwd using the defaults. Is this just a matter of clearing the mappings so it can re-assign them? I did try deleting the mapping for 1 user via ldbedit, but it came back with the same number afterward. The rid mapping is working as expected on the Ubuntu/Samba 3.6.18 machine.
>
> (On a side note, what is the current best-practice for consistent UID mapping, since my google hunting seems to indicate rid isn't the best?)

Consistent uid:gid is one of the most important issues and is the subject of many posts and problems on this list. If you read through the archives you'll see a very strong move to recommend that you store rfc2307 in AD and not in a separate database. If you then pull the attributes you can be certain that they are consistent since they can only be read from a single database. Introduce a second db based on the rid and you are asking for trouble. If the attributes are in AD then they will even survive replication if, say, a DC fails.

> 3) Most importantly, I'm getting authentication failures when logging into the machine. I can log on as userx with password xyz from my Ubuntu box, and I can access the server and all its shares from my windows box, so I know the user is authenticating properly with that password. If, as root, I su - userx it works fine, and the id and whoami commands work as expected (with the DOMAIN portion appearing, of course).
>
> But if I try to login, both as userx and DOMAIN+userx, I get "Authentication failure" in auth.log. I get the same error when trying to log in via ssh.
>
> I am only assuming pam_winbind is working properly, and the account/session portions are behaving correctly, it's the auth that seems to be the problem.
>
> Any ideas?

This looks like a pam problem. Have you added winbind to pam? If so, where is it? Can you post your stack? Especially common-auth
HTH
Steve

> Thanks again for the great work to the Samba team!
>
> -Ron
Ron García-Vidal
2013-Dec-04 20:13 UTC
[Samba] Samba4 Winbind on DC Authentication problem
On 12/4/2013 3:09 AM, steve wrote:
> This looks like a pam problem. Have you added winbind to pam? If so, where is it? Can you post your stack? Especially common-auth
> HTH
> Steve

Thanks Steve, you're right. I wasn't familiar with the "success=1" notation in the common-auth. I guess this is post Debian 6. The number of lines to skip was incorrect and landing me right on the pam_deny.so line. This is why it wasn't showing a password failure, but not letting me in anyway.

Just wanted to post this for future google searches. Thanks for pointing me in the right direction.

-Ron
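The failure Ron describes (a `[success=N default=ignore]` skip count that is one too small, so a successful pam_winbind.so lands on pam_deny.so) can be reproduced with a small simulator of the Debian common-auth control flow. This is an added example, not code posted in the thread; the two stacks and the per-module outcomes are constructed, and only the control values used in common-auth (`[success=N default=ignore]`, `requisite`, `required`) are modelled.

```python
import re

# Constructed sample stacks in Debian's common-auth style (not from the thread).
# The first copies pam_unix's success=1 onto the pam_winbind line above it; the
# second counts the lines to skip so a winbind success lands on pam_permit.so.
BROKEN_COMMON_AUTH = """\
auth [success=1 default=ignore] pam_winbind.so krb5_auth try_first_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite                  pam_deny.so
auth required                   pam_permit.so
"""
FIXED_COMMON_AUTH = BROKEN_COMMON_AUTH.replace(
    "[success=1 default=ignore] pam_winbind.so",
    "[success=2 default=ignore] pam_winbind.so")

def parse_stack(text):
    """Return (control, module) pairs for each 'auth' line of a stack."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"auth\s+(\[.*?\]|\w+)\s+(\S+)", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def run_auth(text, outcomes):
    """Walk the stack. outcomes maps module -> simulated True/False result;
    pam_deny.so always fails and pam_permit.so always succeeds. Returns
    (result, landed_on): landed_on is the module reached by the last jump."""
    stack = parse_stack(text)
    i, failed, landed = 0, False, None
    while i < len(stack):
        control, module = stack[i]
        ok = {"pam_deny.so": False, "pam_permit.so": True}.get(
            module, outcomes.get(module, False))
        jump = re.search(r"success=(\d+)", control)
        if jump:                         # [success=N default=ignore]
            if ok:                       # success: skip the next N lines
                i += int(jump.group(1)) + 1
                landed = stack[i][1] if i < len(stack) else None
                continue                 # failure is ignored: fall through
        elif control == "requisite" and not ok:
            return "denied", landed      # pam_deny.so: stop right here
        else:                            # 'required'; other controls not modelled
            failed = failed or not ok
        i += 1
    return ("denied" if failed else "granted"), landed
```

With the broken stack a winbind success jumps straight onto pam_deny.so, which is why auth.log shows a denial without any password failure from pam_winbind itself.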