On Thu, 2 Nov 2017 08:59:13 -0000
Roy Eastwood via samba <samba at lists.samba.org> wrote:
> Hi,
> I have a samba 4.7.0 DC installed on a Debian Stretch machine. I
> provisioned the domain with rfc2307 enabled and have set the Unix
> attributes using Windows 7 RSAT/ADUC. I think I followed the Wiki
> pages correctly to enable the pam_winbind module in PAM, and have
> allocated a GID to Domain Users. After falling foul of the
> https://bugzilla.samba.org/show_bug.cgi?id=13054 bug, entering net
> cache flush gave the correct output for getent group and getent
> passwd test1.
>
> Yet I still cannot log on locally to the DC, either on the console or
> via ssh. Relevant config and log files are as follows:
>
> /etc/smb.conf:
> # Global parameters
> [global]
> netbios name = DC1
> realm = MICROLYNX.CO.UK
> workgroup = MICROLYNX
> dns forwarder = 192.168.2.1
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> allow dns updates = nonsecure
> wins support = no
> local master = yes
> domain master = yes
> preferred master = yes
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
> printing = cups
> printcap name = cups
> load printers = yes
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> # Use settings from AD for login shell and home directory - doesn't work so use the next two lines
> template shell = /bin/bash
> template homedir = /srv/users/%U
> log file = /var/log/samba/log.%m
> log level = 1
>
> [netlogon]
> path = /srv/samba/sysvol/microlynx.co.uk/scripts
> read only = No
>
> [sysvol]
> path = /srv/samba/sysvol
> read only = No
>
> [users]
> path = /srv/users
> read only = No
>
> /etc/pam.d/common-account - following lines added:
> # add pam_winbind to allow domain users to log in locally
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
>
> /etc/pam.d/common-auth - following lines added:
> # add pam_winbind to allow domain users to log in locally
> auth sufficient pam_winbind.so use_first_pass
>
> /etc/pam.d/common-password - following lines added:
> # add pam_winbind to allow domain users to log in locally
> password sufficient pam_winbind.so use_authtok
>
> excerpt from /var/log/auth.log: (with debug added to line: auth
> sufficient pam_winbind.so use_first_pass in /etc/pam.d/common-auth)
> Nov 1 22:53:58 dc1 sshd[5788]: pam_winbind(sshd:auth): [pamh: 0x81d72698] ENTER: pam_sm_authenticate (flags: 0x0001)
> Nov 1 22:53:58 dc1 sshd[5788]: pam_winbind(sshd:auth): getting password (0x00000011)
> Nov 1 22:53:58 dc1 sshd[5788]: pam_winbind(sshd:auth): Could not retrieve user's password
> Nov 1 22:53:58 dc1 sshd[5788]: pam_winbind(sshd:auth): [pamh: 0x81d72698] LEAVE: pam_sm_authenticate returning 20 (PAM_AUTHTOK_ERR)
> Nov 1 22:53:58 dc1 sshd[5788]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.240 user=test1
> Nov 1 22:54:00 dc1 sshd[5788]: Failed password for test1 from 192.168.2.240 port 50348 ssh2
> Nov 1 22:54:04 dc1 sshd[5788]: Connection closed by 192.168.2.240 port 50348 [preauth]
>
> Output of getent passwd test1
> root at dc1:~# getent passwd test1
> MICROLYNX\test1:*:10000:10000:Test One User:/srv/users/test1:/bin/bash
>
> Output of getent group Domain Users
> root at dc1:~# getent group "Domain Users"
> MICROLYNX\domain users:x:10000:
>
> Output of: # ls -l /lib/i386-linux-gnu/security/pam_winbind.so
> lrwxrwxrwx 1 root root 44 Nov 1 18:04 /lib/i386-linux-gnu/security/pam_winbind.so -> /usr/local/samba/lib/security/pam_winbind.so
>
> What am I missing? Any help appreciated,
>
> Thanks,
>
> Roy
>
Have you compiled Samba yourself?
If so you are probably missing this file:

/usr/share/pam-configs/winbind

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
Password-Type: Primary
Password:
	[success=end default=ignore]	pam_winbind.so use_authtok try_first_pass
Password-Initial:
	[success=end default=ignore]	pam_winbind.so
Session-Type: Additional
Session:
	optional	pam_winbind.so

Remove the lines you added to PAM, then run 'pam-auth-update'.
If you are using packages from somewhere, install:
winbind libpam-winbind libpam-krb5 libnss-winbind

Rowland
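As an added example, not code from either message: the auth.log excerpt in the question shows pam_winbind running before pam_unix in the sshd auth stack and returning PAM_AUTHTOK_ERR after "Could not retrieve user's password". That is what use_first_pass does when no earlier module has stored a password, which is why the hand-added "auth sufficient pam_winbind.so use_first_pass" line fails at the head of common-auth, and why the profile above gives pam_winbind try_first_pass (prompt if nothing was handed down) and, at Priority 192, orders it after Debian's unix profile (Priority 256). The POSIX shell script below lints a Debian-style common-auth for that ordering and runs it over two constructed files: one mirroring the hand-edited stack, one in the shape pam-auth-update generates from the winbind profile. The function names, the sample file contents and the temporary directory are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): lint a Debian-style
# /etc/pam.d/common-auth for the ordering that produced the
# PAM_AUTHTOK_ERR in the auth.log above.  pam_winbind's use_first_pass
# aborts when no earlier module has stored a password, so it must never
# be the first auth entry; try_first_pass falls back to prompting.
# Function names, sample contents and the temporary directory are mine.

# Print "<module> <options>" of the first active auth entry in FILE,
# with the control field ("sufficient" or "[success=1 default=ignore]")
# stripped.  Assumes plain module lines (no @include / substack).
first_auth_line() {
    awk '$1 == "auth" {
        line = $0
        sub(/^[ \t]*auth[ \t]+/, "", line)
        if (line ~ /^\[/) sub(/^\[[^]]*\][ \t]+/, "", line); else sub(/^[^ \t]+[ \t]+/, "", line)
        print line
        exit
    }' "$1"
}

# Return 0 if the first auth module can collect its own password,
# 1 if it is called with use_first_pass (nothing before it could have
# supplied one) or if the file has no auth entry at all.
check_common_auth() {
    first=$(first_auth_line "$1")
    case "$first" in
        "")
            echo "FAIL: no auth entry in $1" >&2
            return 1 ;;
        *use_first_pass*)
            echo "FAIL: first auth module '$first' uses use_first_pass;" \
                 "no earlier module can have stored a password" >&2
            return 1 ;;
        *)
            echo "OK: first auth module is '$first'"
            return 0 ;;
    esac
}

# Constructed samples.  "broken" mirrors the hand-added line from the
# question placed ahead of pam_unix; "fixed" is the shape pam-auth-update
# emits with the winbind profile (Priority 192) ordered after the unix
# profile (Priority 256): pam_unix prompts, pam_winbind reuses the token.
write_samples() {
    cat > "$1/common-auth.broken" <<'EOF'
# constructed: hand-edited common-auth
auth    sufficient                  pam_winbind.so use_first_pass
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
    cat > "$1/common-auth.fixed" <<'EOF'
# constructed: common-auth as generated by pam-auth-update
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir/common-auth.broken" "$demo_dir/common-auth.fixed"; do
    echo "== $f"
    check_common_auth "$f" || true
done
rm -rf "$demo_dir"
```

On a real DC, point check_common_auth at /etc/pam.d/common-auth after pam-auth-update has rewritten it; an "OK" only tells you the first module can prompt, so still confirm with the pam_winbind debug option that the LEAVE line reports PAM_SUCCESS rather than PAM_AUTHTOK_ERR.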