The problem description is at the end; the two smb.conf files (client and domain controller) follow it.
Hello, we have Samba version 4.3.11 and we are trying to log Linux desktop
clients on to the domain. Joining a client to the domain with `net rpc
join -S 10.11.37.3 -U xxxxx` works fine. We don't have a Kerberos KDC (no
kinit), so this is an NT4-style (RPC) domain rather than Active Directory.
Then we installed libpam-winbind, winbind, libnss-winbind and samba on the
client side.
Edit /etc/nsswitch.conf -->
passwd: compat winbind
group: compat winbind
shadow: compat winbind
edit smb.conf -> security = domain (the full client smb.conf is attached below)
edit /etc/pam.d/common-auth and /etc/pam.d/common-session (/etc/pam.d/common-account is not in this list; note that the failing pam_unix call in the log below comes from the account phase),
edit /etc/lightdm/lightdm.conf
[SeatDefaults]
allow-guest=false
greeter-show-manual-login=true
*Problem*:
When we try to log on at the desktop login screen with domain\username we
always get the error "invalid password please try again", even though
auth.log shows pam_winbind granting access:
--> /var/log/auth.log
Jul 1 12:29:10 samba-cliente lightdm: pam_winbind(lightdm:auth): user
'policia\gafranchello' granted access
Jul 1 12:29:10 samba-cliente lightdm: pam_unix(lightdm:account): could not
identify user (from getpwnam(gafranchello))
But if we use a user that also exists as a local account on the client
desktop, and enter the domain password, it works. The difference is in the
account phase: pam_winbind authenticates both users against the domain, but
pam_unix then calls getpwnam(), which only succeeds for the user that has a
local passwd entry. So the domain user is not being resolved through NSS
(winbind); check with `getent passwd gafranchello` and `wbinfo -i
gafranchello` (the first goes through libnss_winbind, the second straight to
winbindd), and make sure common-account also consults pam_winbind.
Jul 1 12:31:26 samba-cliente lightdm: pam_winbind(lightdm:auth): getting
password (0x00000000)
Jul 1 12:31:30 samba-cliente lightdm: pam_winbind(lightdm:auth): user
'policia\jmperrote' granted access
Jul 1 12:31:30 samba-cliente lightdm: pam_unix(lightdm-greeter:session):
session closed for user lightdm
Jul 1 12:31:30 samba-cliente lightdm:
pam_kwallet(lightdm-greeter:session): pam_kwallet: pam_sm_close_session
Jul 1 12:31:30 samba-cliente lightdm:
pam_kwallet5(lightdm-greeter:session): pam_kwallet5: pam_sm_close_session
Jul 1 12:31:30 samba-cliente lightdm:
pam_kwallet(lightdm-greeter:setcred): pam_kwallet: pam_sm_setcred
Jul 1 12:31:30 samba-cliente lightdm:
pam_kwallet5(lightdm-greeter:setcred): pam_kwallet5: pam_sm_setcred
Jul 1 12:31:30 samba-cliente lightdm: pam_unix(lightdm:session): session
opened for user jmperrote by (uid=0)
Jul 1 12:31:30 samba-cliente systemd-logind[635]: New session c4 of user
jmperrote.
Jul 1 12:31:30 samba-cliente lightdm: pam_kwallet(lightdm:session):
(null): pam_sm_open_session
Jul 1 12:31:30 samba-cliente lightdm: pam_kwallet(lightdm:session):
pam_kwallet: open_session called without kwallet_key
Jul 1 12:31:30 samba-cliente lightdm: pam_kwallet5(lightdm:session):
(null): pam_sm_open_session
Jul 1 12:31:30 samba-cliente lightdm: pam_kwallet5(lightdm:session):
pam_kwallet5: open_session called without kwallet5_key
Jul 1 12:31:34 samba-cliente gnome-keyring-daemon[5872]: The PKCS#11
component was already initialized
Jul 1 12:31:34 samba-cliente gnome-keyring-daemon[5872]: The SSH agent was
already initialized
Jul 1 12:31:34 samba-cliente gnome-keyring-daemon[5872]: The Secret
Service was already initialized
Jul 1 12:31:35 samba-cliente polkitd(authority=local): Registered
Authentication Agent for unix-session:c4 (system bus name :1.149
[/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object
path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Regards.
-------------- next part: smb.conf of the client (samba-cliente) --------------
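[global]
### Network browsing / identification ###
workgroup = POLICIA
netbios name = samba-cliente
server string = %h server
wins server = 10.11.37.3
dns proxy = no
domain master = no

### Domain membership (NT4-style domain, joined with "net rpc join") ###
security = domain

### Winbind ID mapping ###
# The original used the Samba 3 parameters "idmap uid"/"idmap gid" with
# this same range; on Samba 4.x they are deprecated and only kept as
# aliases for "idmap config * : range" (run "testparm" to see the
# warning). This is the supported spelling of the same configuration.
# If winbindd has no usable range it cannot hand out a uid, and
# getpwnam() for a domain user fails even though pam_winbind already
# authenticated it.
idmap config * : backend = tdb
idmap config * : range = 10000000-19999999

### Winbind NSS/PAM behaviour ###
# Users can log in as "username" instead of "POLICIA\username"; the
# failing login in the report used "policia\gafranchello", and both
# forms have to resolve via "getent passwd" once NSS works.
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%D/%U
# Enumeration makes "getent passwd"/"getent group" list every domain
# user/group: handy while debugging, expensive on large domains.
winbind enum users = yes
winbind enum groups = yes

# NOTE(review): "add machine script" is only run on the domain controller
# when a machine account is created; it has no effect on a member
# workstation and can be removed from this file.
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false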
-------------- next part: smb.conf of the domain controller (DOMAIN-SERVER) --------------
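[global]
workgroup = POLICIA
netbios name = DOMAIN-SERVER
deadtime = 10
# log level 1 is fine for production; raise it (e.g. "log level = 3" or
# "winbind:5 auth:5") only while debugging the member logon problem.
log level = 1
log file = /var/log/samba/log.%m
max log size = 1000
debug pid = yes
debug uid = yes
utmp = yes

### NT4-style primary domain controller ###
security = user
domain logons = yes
os level = 64
#logon path=\\%L\homes\%U\profile
logon script = logon_win2.cmd
# NOTE(review): the next line arrived garbled — three parameters ("logon
# path", "logon home", "logon drive") run together on one line. Samba
# would treat it as an unknown parameter and ignore it, so it is commented
# out here; restore it as separate "logon path", "logon home" and
# "logon drive" lines with the values you actually intend.
#logon path #logon home #logon drive = H: ## Logon drive ##

### Password database: LDAP ###
passdb backend = ldapsam:"ldap://xx.xx.xx.xx/"
# SECURITY(review): with "ldap ssl = off" Samba binds to the LDAP server
# as "ldap admin dn" in clear text, so the admin bind password (stored in
# secrets.tdb with "smbpasswd -w") and the sambaNTPassword hashes it reads
# and writes cross the network unencrypted. Unless the LDAP server runs on
# this same host, use "ldap ssl = start tls" (or an ldaps:// URL) once the
# directory server is confirmed to accept TLS.
ldap ssl = off
ldap admin dn = cn=ebox,dc=vs-zmaster,dc=xxxx,dc=ssss,dc=EE,dc=ZC
ldap delete dn = no
usershare max shares = 0
wins support = true
# Sync UNIX password with Samba password
## Method 1:
ldap password sync = yes
## Method 2:
;ldap password sync = no
;unix password sync = yes
;passwd program = /usr/sbin/smbldap-passwd -u '%u'
;passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
ldap suffix = dc=vs-zmaster,dc=xxxx,dc=ssss,dc=EE,dc=ZC
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap

### smbldap-tools provisioning scripts ###
# Each "... script" parameter must be on a single line; the mail client
# had wrapped several of them, which would have produced stray lines
# that smb.conf's parser rejects.
add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
delete user script = /usr/sbin/smbldap-userdel '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1
# added because of problems authenticating machines in the domain
wide links = no
# Printing disabled
load printers = no
printcap name = /dev/null
disable spoolss = Yes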
[netlogon]
# Logon-script share: Windows clients fetch "logon script = logon_win2.cmd"
# from here at every logon, so whatever lives in /etc/samba/netlogon runs
# on every workstation. There is no "writeable = yes", so Samba serves it
# read-only; make sure the filesystem permissions keep it root-owned too.
browseable = no
read list = @"Domain Users"
path = /etc/samba/netlogon
comment = Script de logueo en la red
# NOTE(review): "valid users" limits the share to Domain Users, which makes
# "public = yes" (guest access) contradictory; the valid-users check should
# still refuse guest connections, but dropping "public = yes" states the
# intended policy explicitly.
valid users = @"Domain Users"
public = yes
#share modes = no
[PROFILES]
# Roaming-profile store. Each user's profile directory is created 0700.
# Files are created 0611: read/write stay owner-only, while the group/other
# execute bits are the bits "map system" / "map hidden" below use to store
# the DOS System and Hidden attributes, so they are intentional.
path = /var/lib/samba/profiles
browseable = no
writeable = yes
create mask = 0611
directory mask = 0700
# Recommended setting for profile shares (adjusts ACL/ownership
# presentation so Windows clients accept the profile as their own).
profile acls = yes
# No client-side caching (offline files) of profile data.
csc policy = disable
map system = yes
map hidden = yes
# recursos compartidos policia
..........................