pam doesn't work.

Samba Version 4.12.0rc4
openSUSE Leap 15.2

./configure --with-ads --systemd-install-services --with-shared-modules=idmap_ad --enable-debug --enable-selftest --with-systemd

# Global parameters
[global]
        dns forwarder = 172.16.0.1
        netbios name = WNETIN
        realm = WNETINFO.LAN
        server role = active directory domain controller
        workgroup = WNETINFO
        idmap_ldb:use rfc2307 = yes

        ###Winbind
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

[sysvol]
        path = /opt/samba4/var/locks/sysvol
        read only = No

[netlogon]
        path = /opt/samba4/var/locks/sysvol/wnetinfo.lan/scripts
        read only = No

https://wiki.samba.org/index.php/Pam_winbind_Link
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

/etc/nsswitch.conf:

passwd:   compat winbind
group:    compat winbind
shadow:   compat
hosts:    files mdns_minimal [NOTFOUND=return] dns
#hosts:   files dns wins
networks: files dns

/etc/pam.d/common.session:

session optional  pam_systemd.so
session required  pam_limits.so
session required  pam_unix.so try_first_pass
session optional  pam_umask.so
session optional  pam_env.so
session required  pam_winbind.so try_first_pass
session required  pam_mkhomedir.so

/etc/pam.d/common-password:

password required  pam_unix.so use_authtok nullok shadow try_first_pass
password requisite pam_cracklib.so
password [success=1 default=ignore] pam_winbind.so try_first_pass

ln -s /op/samba/lib/libnss_winbind.so.2 /lib64/
ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
ldconfig

Tests

wnetin:~ # wbinfo --ping-dc
checking the NETLOGON for domain[WNETINFO] dc connection to "wnetin.wnetinfo.lan" succeeded
wnetin:~ # getent passwd WNETINFO\user
wnetin:~ #
wnetin:~ # getent group "WNETINFO\\Domain Users"
wnetin:~ # getent passwd "WNETINFO\\user"
wnetin:~ # getent passwd
root:x:0:0:root:/root:/bin/bash
messagebus:x:499:499:User for D-Bus:/run/dbus:/usr/bin/false
nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash
man:x:13:62:Manual pages viewer:/var/lib/empty:/sbin/nologin
mail:x:498:498:Mailer daemon:/var/spool/clientmqueue:/sbin/nologin
daemon:x:2:2:Daemon:/sbin:/sbin/nologin
tftp:x:497:484:TFTP account:/srv/tftpboot:/bin/false
dnsmasq:x:496:65533:dnsmasq:/var/lib/empty:/bin/false
bin:x:1:1:bin:/bin:/sbin/nologin
lp:x:495:487:Printing daemon:/var/spool/lpd:/sbin/nologin
systemd-timesync:x:480:480:systemd Time Synchronization:/:/sbin/nologin
systemd-network:x:482:482:systemd Network Management:/:/sbin/nologin
systemd-coredump:x:481:481:systemd Core Dumper:/:/sbin/nologin
polkitd:x:479:479:User for polkitd:/var/lib/polkit:/sbin/nologin
rpc:x:478:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
nscd:x:477:478:User for nscd:/run/nscd:/sbin/nologin
statd:x:476:65533:NFS statd daemon:/var/lib/nfs:/sbin/nologin
chrony:x:475:477:Chrony Daemon:/var/lib/chrony:/bin/false
sshd:x:474:476:SSH daemon:/var/lib/sshd:/bin/false
avahi:x:473:475:User for Avahi:/run/avahi-daemon:/bin/false
scard:x:472:474:Smart Card Reader:/var/run/pcscd:/usr/sbin/nologin
ldap:x:76:70:User for OpenLDAP:/var/lib/ldap:/bin/false
ntp:x:74:473:NTP daemon:/var/lib/ntp:/bin/false
WNETINFO\administrator:*:0:100::/home/administrator:/bin/bash
WNETINFO\guest:*:3000012:100::/home/guest:/bin/bash
WNETINFO\krbtgt:*:3000018:100::/home/krbtgt:/bin/bash
WNETINFO\jose:*:3000019:100::/home/jose:/bin/bash
WNETINFO\user:*:3000021:100::/home/user:/bin/bash
wnetin:~ # getent group
root:x:0:
shadow:x:15:
trusted:x:42:
users:x:100:
messagebus:x:499:
nogroup:x:65533:nobody
nobody:x:65534:
man:x:62:
mail:!:498:postfix
daemon:x:2:
wheel:x:497:
kmem:x:496:
lock:x:495:
tty:x:5:
utmp:x:494:
audio:x:493:
cdrom:x:492:
dialout:x:491:
disk:x:490:
input:x:489:
kvm:x:488:
lp:x:487:
tape:x:486:
video:x:485:
tftp:x:484:tftp,dnsmasq
bin:x:1:daemon
systemd-timesync:x:480:
systemd-journal:x:483:
systemd-network:x:482:
systemd-coredump:x:481:
polkitd:x:479:
postfix:x:51:
maildrop:x:59:postfix
nscd:x:478:
chrony:x:477:
ntadmin:x:71:
sshd:x:476:
avahi:x:475:
scard:x:474:
ldap:x:70:
ntp:x:473:
BUILTIN\administrators:x:3000000:
BUILTIN\users:x:3000009:
BUILTIN\guests:x:3000011:
BUILTIN\account operators:x:3000022:
BUILTIN\server operators:x:3000001:
BUILTIN\print operators:x:3000023:
BUILTIN\backup operators:x:3000024:
BUILTIN\replicator:x:3000025:
BUILTIN\pre-windows 2000 compatible access:x:3000017:
BUILTIN\remote desktop users:x:3000026:
BUILTIN\network configuration operators:x:3000027:
BUILTIN\incoming forest trust builders:x:3000028:
BUILTIN\performance monitor users:x:3000029:
BUILTIN\performance log users:x:3000030:
BUILTIN\windows authorization access group:x:3000031:
BUILTIN\terminal server license servers:x:3000032:
BUILTIN\distributed com users:x:3000033:
BUILTIN\iis_iusrs:x:3000034:
BUILTIN\cryptographic operators:x:3000035:
BUILTIN\event log readers:x:3000036:
BUILTIN\certificate service dcom access:x:3000037:
WNETINFO\cert publishers:x:3000038:
WNETINFO\ras and ias servers:x:3000039:
WNETINFO\allowed rodc password replication group:x:3000040:
WNETINFO\denied rodc password replication group:x:3000005:
WNETINFO\dnsadmins:x:3000041:
WNETINFO\enterprise read-only domain controllers:x:3000042:
WNETINFO\domain admins:x:3000004:
WNETINFO\domain users:x:100:
WNETINFO\domain guests:x:3000013:
WNETINFO\domain computers:x:3000043:
WNETINFO\domain controllers:x:3000044:
WNETINFO\schema admins:x:3000006:
WNETINFO\enterprise admins:x:3000007:
WNETINFO\group policy creator owners:x:3000008:
WNETINFO\read-only domain controllers:x:3000045:
WNETINFO\dnsupdateproxy:x:3000046:
WNETINFO\ti:x:3000047:
wnetin:~ #
wnetin:~ # getent passwd | grep WNETINFO
WNETINFO\administrator:*:0:100::/home/administrator:/bin/bash
WNETINFO\guest:*:3000012:100::/home/guest:/bin/bash
WNETINFO\krbtgt:*:3000018:100::/home/krbtgt:/bin/bash
WNETINFO\user:*:3000021:100::/home/user:/bin/bash
wnetin:~ #
wnetin:~ # getent group | grep WNETINFO
WNETINFO\cert publishers:x:3000038:
WNETINFO\ras and ias servers:x:3000039:
WNETINFO\allowed rodc password replication group:x:3000040:
WNETINFO\denied rodc password replication group:x:3000005:
WNETINFO\dnsadmins:x:3000041:
WNETINFO\enterprise read-only domain controllers:x:3000042:
WNETINFO\domain admins:x:3000004:
WNETINFO\domain users:x:100:
WNETINFO\domain guests:x:3000013:
WNETINFO\domain computers:x:3000043:
WNETINFO\domain controllers:x:3000044:
WNETINFO\schema admins:x:3000006:
WNETINFO\enterprise admins:x:3000007:
WNETINFO\group policy creator owners:x:3000008:
WNETINFO\read-only domain controllers:x:3000045:
WNETINFO\dnsupdateproxy:x:3000046:
WNETINFO\ti:x:3000047:
wnetin:~ #
wnetin:~ # su - user
su: usuário "user" não existe
wnetin:~ # id user
id: "user": usuário inexistente
wnetin:~ # id root
uid=0(root) gid=0(root) grupos=0(root)
wnetin:~ #

Logon ssh:

2020-03-02T03:49:22.167299-04:00 wnetin sshd[3723]: pam_winbind(sshd:auth): getting password (0x00000010)
2020-03-02T03:49:22.167601-04:00 wnetin sshd[3723]: pam_winbind(sshd:auth): pam_get_item returned a password
2020-03-02T03:49:22.182994-04:00 wnetin sshd[3723]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
2020-03-02T03:49:22.186560-04:00 wnetin sshd[3721]: Accepted keyboard-interactive/pam for root from 192.168.0.100 port 45720 ssh2
2020-03-02T03:49:22.193139-04:00 wnetin systemd[1]: Started Session 2 of user root.
2020-03-02T03:49:22.193344-04:00 wnetin systemd-logind[1170]: New session 2 of user root.
2020-03-02T03:49:22.195122-04:00 wnetin sshd[3721]: pam_unix(sshd:session): session opened for user root by (uid=0)

--
Persistence is the path to success. Charles Chaplin
On 02/03/2020 09:54, Edson Wolf via samba wrote:
> pam doesn't work.
>
> Samba Version 4.12.0rc4
>
> openSUSE Leap 15.2
>
> ./configure --with-ads --systemd-install-services
> --with-shared-modules=idmap_ad --enable-debug --enable-selftest
> --with-systemd

If that was your configure line, why did Samba end up in /opt/samba4 and not in the default /usr/local/samba ?

> # Global parameters
> [global]
> dns forwarder = 172.16.0.1
> netbios name = WNETIN
> realm = WNETINFO.LAN
> server role = active directory domain controller
> workgroup = WNETINFO
> idmap_ldb:use rfc2307 = yes
>
> ###Winbind
> template shell = /bin/bash
> template homedir = /home/%U
> winbind use default domain = true
> winbind offline logon = false
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes

Remove the winbind lines, they do nothing on a DC or just slow things down. You can temporarily leave the last two until you are sure everything works, then remove them.

> passwd: compat winbind
> group: compat winbind
> shadow: compat
> hosts: files mdns_minimal [NOTFOUND=return] dns

Try it like this:

hosts: files dns

> ln -s /op/samba/lib/libnss_winbind.so.2 /lib64/
> ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
> ldconfig

You missed one:

ln -s /opt/samba4/lib/security/pam_winbind.so /lib64/security/

Is 'ln -s /op/samba/' a typo ?

>
> Tests
>
>
> wnetin:~ # getent group "WNETINFO\\Domain Users"
> wnetin:~ # getent passwd "WNETINFO\\user"

No, either "WNETINFO\Domain Users" or WNETINFO\\Domain\ Users

> wnetin:~ # getent passwd
> root:x:0:0:root:/root:/bin/bash
> ......
> WNETINFO\administrator:*:0:100::/home/administrator:/bin/bash
> WNETINFO\guest:*:3000012:100::/home/guest:/bin/bash
> WNETINFO\krbtgt:*:3000018:100::/home/krbtgt:/bin/bash
> WNETINFO\jose:*:3000019:100::/home/jose:/bin/bash
> WNETINFO\user:*:3000021:100::/home/user:/bin/bash

Am I missing something here, that shows that getent works.

> wnetin:~ # getent group
> root:x:0:
> .......
> BUILTIN\administrators:x:3000000:
> BUILTIN\users:x:3000009:
> BUILTIN\guests:x:3000011:

Again, it works

> wnetin:~ # id user
> id: "user": usuário inexistente

How did you create the user 'user'

Rowland
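An added diagnostic, not code from the thread or from Samba: it parses a constructed subset of the `getent passwd` listing posted above, resolves a login name first bare and then as WNETINFO\name (which is why `su - user` and `id user` fail while `getent passwd` shows the account), and lists domain accounts that share uid 0 with root.

```python
"""Added diagnostic over `getent passwd` output (not code from the thread)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the `getent passwd` listing posted above.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:474:476:SSH daemon:/var/lib/sshd:/bin/false
WNETINFO\\administrator:*:0:100::/home/administrator:/bin/bash
WNETINFO\\jose:*:3000019:100::/home/jose:/bin/bash
WNETINFO\\user:*:3000021:100::/home/user:/bin/bash
"""

Entry = Tuple[int, int, str, str]  # (uid, gid, home, shell)


def parse_passwd(text: str) -> Dict[str, Entry]:
    """Map each passwd name to (uid, gid, home, shell); skip malformed lines."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd(5) record, ignore it
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = (int(uid), int(gid), home, shell)
    return entries


def resolve(entries: Dict[str, Entry], login: str, domain: str) -> Optional[str]:
    """Name that `login` resolves to: bare first, then DOMAIN\\login, else None."""
    if login in entries:
        return login  # the form 'winbind use default domain' would give
    qualified = f"{domain}\\{login}"
    if qualified in entries:
        return qualified  # exists, but only with the domain prefix
    return None  # what su/id report as 'user does not exist'


def uid0_domain_accounts(entries: Dict[str, Entry], domain: str) -> List[str]:
    """Domain accounts mapped to uid 0, i.e. able to act as root on this host."""
    prefix = domain + "\\"
    return [name for name, (uid, _g, _h, _s) in entries.items()
            if uid == 0 and name.startswith(prefix)]


if __name__ == "__main__":
    db = parse_passwd(SAMPLE)
    for login in ("user", "root", "nobody"):
        print(f"{login!r} -> {resolve(db, login, 'WNETINFO')!r}")
    print("domain accounts with uid 0:", uid0_domain_accounts(db, "WNETINFO"))
```

Run it against the real listing with `getent passwd | python3 script.py` after swapping SAMPLE for `sys.stdin.read()`.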
On 08/03/2020 02:13, Edson Wolf wrote:
> On 2020-03-02 06:46, Rowland penny via samba wrote:
>> On 02/03/2020 09:54, Edson Wolf via samba wrote:
>>> pam doesn't work.
>>>
>>> Samba Version 4.12.0rc4
> Samba version: 4.12.0
> Build environment:
> Paths:
>    BINDIR: /opt/samba4/bin

If you didn't set '--prefix' on the 'configure' line why has Samba ended up in '/opt/samba' ? If you run './configure --help', amongst the output is this:

  Installation prefix:
    By default, "waf install" will put the files in "/usr/local/bin", "/usr/local/lib" etc. An installation prefix other than "/usr/local" can be given using "--prefix", for example "--prefix=$HOME"
    --prefix=PREFIX       installation prefix [default: '/usr/local/samba']

>>> ln -s /op/samba/lib/libnss_winbind.so.2 /lib64/
>>> ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
>>> ldconfig
>>
>> You missed one:
>>
>> ln -s /opt/samba4/lib/security/pam_winbind.so /lib64/security/
>>
>> Is 'ln -s /op/samba/' a typo ?
>>
> cp /opt/samba4/lib/security/pam_winbind.so /lib64/security/
>
> cp /opt/samba4/lib/libnss_winbind.so.2 /lib64/
> cp /opt/samba4/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so

You should create symlinks, this will save you having to copy the files again if/when you upgrade Samba.

> ldconfig -v|grep pam
>     libpamc.so.0 -> libpamc.so.0.82.1
>     libpam_misc.so.0 -> libpam_misc.so.0.82.1
>     libpam.so.0 -> libpam.so.0.84.2
>
> pam_winbind == NO OK

I wouldn't worry about that, it doesn't work on my DC, yet 'getent' produces output.

> wnetin:/build/samba-4.12.0 # getent group "WNETINFO\\Domain Users"
> wnetin:/build/samba-4.12.0 #
> wnetin:/build/samba-4.12.0 # It shows nothing
>
> wnetin:/build/samba-4.12.0 # getent passwd "WNETINFO\\edson"
> wnetin:/build/samba-4.12.0 # It shows nothing

This is very strange, does 'wbinfo -i edson' produce output and does 'wbinfo --group-info=Domain\ Users' produce output ?

> getent passwd
> root:x:0:0:root:/root:/bin/bash
> ...................................
> dnsmasq:x:496:65533:dnsmasq:/var/lib/empty:/bin/false

You shouldn't run dnsmasq on a DC, only one dns server.

> nscd:x:477:478:User for nscd:/run/nscd:/sbin/nologin

Winbind has its own cache, remove nscd

> ldap:x:76:70:User for OpenLDAP:/var/lib/ldap:/bin/false

Is ldap running on the DC ? If so, stop it immediately, you cannot run an ldap server on a Samba DC, it interferes with DC's ldap.

Rowland