The winbind now works...my getent passwd & groups returns the domain users/groups What should be the next step? my clients (Win2K & Win9x) are still prompting for a password and I cannot login to my linux box using DOMAIN*domainuser. Must I add each domain user as a user on the linux box? Regards Winston Nimchan -----Original Message----- From: Sean Trammell [mailto:strammell@siumed.edu] Sent: Friday, October 19, 2001 9:15 AM To: Winston Nimchan Cc: samba@lists.samba.org Subject: Re: Winbind/RH7.1...Help It works on Redhat 7.1 against my NT4 server, you should have something that looks like this for the nsswitch module: $ ls -l /lib/libnss_winbind* /lib/libnss_winbind.so /lib/libnss_winbind.so.2 -> libnss_winbind.so If the symlink isn't there, you can create it with $ cd /lib $ ln -s libnss_winbind.so libnss_winbind.so.2 then just make sure that /etc/nsswitch.conf is configured correctly, for me it looks like: passwd: files winbind group: files winbind Winston Nimchan wrote:> > Hi All: > > I followed all the instructions for activating winbind and it wentthru> but my getent etc are only showing users on the linux box. The only > thing i'm not sure if i did correctly was to create the symbolic link > for libnss_winbind.so.2 > > Anyone got winbind working on RH7.1? > > Thanx
That is most likely a PAM problem, you need to create/modify a file at: /etc/pam.d/samba so that authentication will work against your domain (only for the samba service, logging into your linux computer is a different service). Be very careful with PAM, you can lock yourself out of your machine if it is misconfigured. For example, my /etc/pam.d/samba file looks like this: auth required /lib/security/pam_securetty.so auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_winbind.so auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok account required /lib/security/pam_winbind.so session required /lib/security/pam_pwdb.so password required /lib/security/pam_pwdb.so Check to make sure that PAM is configured correctly for samba here, and then you can check the error log at /var/log/messages for any errors relating to PAM if it still won't work. Also make sure that the pam module pam_winbind.so is in place in /lib/security. Login is a separate module (not samba), you would need to modify another module config to do that. -Sean Winston Nimchan wrote:> > The winbind now works...my getent passwd & groups returns the domain > users/groups > > What should be the next step? my clients (Win2K & Win9x) are still > prompting for a password and I cannot login to my linux box using > DOMAIN*domainuser. > > Must I add each domain user as a user on the linux box? > > Regards
Here are my sshd & login pam config files:
sh-2.04$ cat sshd
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow
nullok
account required /lib/security/pam_winbind.so
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
sh-2.04$ cat login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow
nullok
account required /lib/security/pam_winbind.so
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
This works for me, also did you mean to use * for your winbindd seperator?
The recommended is +, so you may want to try that as well just to make sure
while you are testing.
-----Original Message-----
From: Rafael [mailto:rafiros@posgrad.nce.ufrj.br]
Sent: Friday, October 19, 2001 9:27 AM
To: Sean Trammell
Cc: samba@lists.samba.org
Subject: Re: Winbind/RH7.1...More Help
I'm with the same problem and i only can get access to my samba server
with i stop the winbind service.
Does anyone know the right configuration of pam so that with winbind
running i can get access to samba and login to the linux box?
Rafael
----- Original Message -----
From: "Sean Trammell" <strammell@siumed.edu>
To: "Winston Nimchan" <Winston_Nimchan@trinsys.com>
Cc: <samba@lists.samba.org>
Sent: Friday, October 19, 2001 11:53 AM
Subject: Re: Winbind/RH7.1...More Help
> That is most likely a PAM problem, you need to create/modify a file at:
> /etc/pam.d/samba
>
> so that authentication will work against your domain (only for the
> samba service, logging into your linux computer is a different
> service). Be very careful with PAM, you can lock yourself out of your
> machine if it is misconfigured. For example, my /etc/pam.d/samba file
> looks like this:
>
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_nologin.so
> auth sufficient /lib/security/pam_winbind.so
> auth required /lib/security/pam_pwdb.so use_first_pass
shadow nullok> account required /lib/security/pam_winbind.so
> session required /lib/security/pam_pwdb.so
> password required /lib/security/pam_pwdb.so
>
> Check to make sure that PAM is configured correctly for samba here,
> and then you can check the error log at /var/log/messages for any
> errors relating to PAM if it still won't work. Also make sure
> that the pam module pam_winbind.so is in place in /lib/security.
>
> Login is a separate module (not samba), you would need to modify
> another module config to do that.
>
> -Sean
>
> Winston Nimchan wrote:
> >
> > The winbind now works...my getent passwd & groups returns the
domain
> > users/groups
> >
> > What should be the next step? my clients (Win2K & Win9x) are still
> > prompting for a password and I cannot login to my linux box using
> > DOMAIN*domainuser.
> >
> > Must I add each domain user as a user on the linux box?
> >
> > Regards
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Hi:
Are you using RH 7.1? if yes, where does tho sshd & login files go?
Regards
Winston Nimchan
-----Original Message-----
From: Levi Ruiz [mailto:lruiz@pnicorp.com]
Sent: Friday, October 19, 2001 1:18 PM
To: Samba Mailing List (E-mail)
Subject: RE: Winbind/RH7.1...More Help
Here are my sshd & login pam config files:
sh-2.04$ cat sshd
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow
nullok
account required /lib/security/pam_winbind.so
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
sh-2.04$ cat login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow
nullok
account required /lib/security/pam_winbind.so
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
This works for me, also did you mean to use * for your winbindd
seperator?
The recommended is +, so you may want to try that as well just to make
sure
while you are testing.
-----Original Message-----
From: Rafael [mailto:rafiros@posgrad.nce.ufrj.br]
Sent: Friday, October 19, 2001 9:27 AM
To: Sean Trammell
Cc: samba@lists.samba.org
Subject: Re: Winbind/RH7.1...More Help
I'm with the same problem and i only can get access to my samba
server
with i stop the winbind service.
Does anyone know the right configuration of pam so that with winbind
running i can get access to samba and login to the linux box?
Rafael
----- Original Message -----
From: "Sean Trammell" <strammell@siumed.edu>
To: "Winston Nimchan" <Winston_Nimchan@trinsys.com>
Cc: <samba@lists.samba.org>
Sent: Friday, October 19, 2001 11:53 AM
Subject: Re: Winbind/RH7.1...More Help
> That is most likely a PAM problem, you need to create/modify a file
at:> /etc/pam.d/samba
>
> so that authentication will work against your domain (only for the
> samba service, logging into your linux computer is a different
> service). Be very careful with PAM, you can lock yourself out of your
> machine if it is misconfigured. For example, my /etc/pam.d/samba file
> looks like this:
>
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_nologin.so
> auth sufficient /lib/security/pam_winbind.so
> auth required /lib/security/pam_pwdb.so
use_first_pass
shadow nullok> account required /lib/security/pam_winbind.so
> session required /lib/security/pam_pwdb.so
> password required /lib/security/pam_pwdb.so
>
> Check to make sure that PAM is configured correctly for samba here,
> and then you can check the error log at /var/log/messages for any
> errors relating to PAM if it still won't work. Also make sure
> that the pam module pam_winbind.so is in place in /lib/security.
>
> Login is a separate module (not samba), you would need to modify
> another module config to do that.
>
> -Sean
>
> Winston Nimchan wrote:
> >
> > The winbind now works...my getent passwd & groups returns the
domain
> > users/groups
> >
> > What should be the next step? my clients (Win2K & Win9x) are still
> > prompting for a password and I cannot login to my linux box using
> > DOMAIN*domainuser.
> >
> > Must I add each domain user as a user on the linux box?
> >
> > Regards
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Thank you all for your help, but unfortunally it didn't work.
If anyone got any idea, please help me because this problem it's
driving me crazy.
Rafael
----- Original Message -----
From: "Rogelio J. Baucells" <rogelio@ats-corp.com>
To: "Rafael" <rafiros@posgrad.nce.ufrj.br>
Sent: Friday, October 19, 2001 1:52 PM
Subject: RE: Winbind/RH7.1...More Help
Hello Rafael
I have not read other messages you sent to the list, but I am going to
give you the configuration I am using in my RH7.1 box.
First you have to install samba with PAM enambled (./configure
--with-pam) or install a RPM package compiled with that option.
Then you have to modify the /etc/nsswitch.conf file to add winbind to
it:
passwd: files winbind
group: files winbind
Once you have done that you need to modify the pam configuration files
for the services you want to use winbind to authenticate users. I
modified the system-auth file (it is used by all services in a RedHat
box). If you want to do the same use the file attached to this email.
Be sure before you log out the box that you can log into with an account
that has root access(su), in case something goes wrong.
Rogelio J.
-----Original Message-----
From: Rafael [mailto:rafiros@posgrad.nce.ufrj.br]
Sent: Friday, October 19, 2001 12:27 PM
To: Sean Trammell
Cc: samba@lists.samba.org
Subject: Re: Winbind/RH7.1...More Help
I'm with the same problem and i only can get access to my samba
server
with i stop the winbind service.
Does anyone know the right configuration of pam so that with winbind
running i can get access to samba and login to the linux box?
Rafael
----- Original Message -----
From: "Sean Trammell" <strammell@siumed.edu>
To: "Winston Nimchan" <Winston_Nimchan@trinsys.com>
Cc: <samba@lists.samba.org>
Sent: Friday, October 19, 2001 11:53 AM
Subject: Re: Winbind/RH7.1...More Help
> That is most likely a PAM problem, you need to create/modify a file
at:> /etc/pam.d/samba
>
> so that authentication will work against your domain (only for the
> samba service, logging into your linux computer is a different
> service). Be very careful with PAM, you can lock yourself out of your
> machine if it is misconfigured. For example, my /etc/pam.d/samba file
> looks like this:
>
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_nologin.so
> auth sufficient /lib/security/pam_winbind.so
> auth required /lib/security/pam_pwdb.so
use_first_pass
shadow nullok> account required /lib/security/pam_winbind.so
> session required /lib/security/pam_pwdb.so
> password required /lib/security/pam_pwdb.so
>
> Check to make sure that PAM is configured correctly for samba here,
> and then you can check the error log at /var/log/messages for any
> errors relating to PAM if it still won't work. Also make sure
> that the pam module pam_winbind.so is in place in /lib/security.
>
> Login is a separate module (not samba), you would need to modify
> another module config to do that.
>
> -Sean
>
> Winston Nimchan wrote:
> >
> > The winbind now works...my getent passwd & groups returns the
domain
> > users/groups
> >
> > What should be the next step? my clients (Win2K & Win9x) are still
> > prompting for a password and I cannot login to my linux box using
> > DOMAIN*domainuser.
> >
> > Must I add each domain user as a user on the linux box?
> >
> > Regards
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Tried all the suggestions and still can't see my domain users/groups with getent secret is good and message has nothing abnormal bout PAM Winston -----Original Message----- From: Sean Trammell [mailto:strammell@siumed.edu] Sent: Friday, October 19, 2001 10:54 AM To: Winston Nimchan Cc: samba@lists.samba.org Subject: Re: Winbind/RH7.1...More Help That is most likely a PAM problem, you need to create/modify a file at: /etc/pam.d/samba so that authentication will work against your domain (only for the samba service, logging into your linux computer is a different service). Be very careful with PAM, you can lock yourself out of your machine if it is misconfigured. For example, my /etc/pam.d/samba file looks like this: auth required /lib/security/pam_securetty.so auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_winbind.so auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok account required /lib/security/pam_winbind.so session required /lib/security/pam_pwdb.so password required /lib/security/pam_pwdb.so Check to make sure that PAM is configured correctly for samba here, and then you can check the error log at /var/log/messages for any errors relating to PAM if it still won't work. Also make sure that the pam module pam_winbind.so is in place in /lib/security. Login is a separate module (not samba), you would need to modify another module config to do that. -Sean Winston Nimchan wrote:> > The winbind now works...my getent passwd & groups returns the domain > users/groups > > What should be the next step? my clients (Win2K & Win9x) are still > prompting for a password and I cannot login to my linux box using > DOMAIN*domainuser. > > Must I add each domain user as a user on the linux box? > > Regards
I don't think this is a PAM problem. 'getent' relies on the nsswitch mechanism but I don't think it relies on PAM. -----Original Message----- From: Winston Nimchan [mailto:Winston_Nimchan@trinsys.com] Sent: Friday, October 19, 2001 3:08 PM To: Sean Trammell Cc: samba@lists.samba.org Subject: RE: Winbind/RH7.1...More Help Tried all the suggestions and still can't see my domain users/groups with getent secret is good and message has nothing abnormal bout PAM Winston -----Original Message----- From: Sean Trammell [mailto:strammell@siumed.edu] Sent: Friday, October 19, 2001 10:54 AM To: Winston Nimchan Cc: samba@lists.samba.org Subject: Re: Winbind/RH7.1...More Help That is most likely a PAM problem, you need to create/modify a file at: /etc/pam.d/samba so that authentication will work against your domain (only for the samba service, logging into your linux computer is a different service). Be very careful with PAM, you can lock yourself out of your machine if it is misconfigured. For example, my /etc/pam.d/samba file looks like this: auth required /lib/security/pam_securetty.so auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_winbind.so auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok account required /lib/security/pam_winbind.so session required /lib/security/pam_pwdb.so password required /lib/security/pam_pwdb.so Check to make sure that PAM is configured correctly for samba here, and then you can check the error log at /var/log/messages for any errors relating to PAM if it still won't work. Also make sure that the pam module pam_winbind.so is in place in /lib/security. Login is a separate module (not samba), you would need to modify another module config to do that. -Sean Winston Nimchan wrote:> > The winbind now works...my getent passwd & groups returns the domain > users/groups > > What should be the next step? my clients (Win2K & Win9x) are still > prompting for a password and I cannot login to my linux box using > DOMAIN*domainuser. > > Must I add each domain user as a user on the linux box? > > Regards-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
hey: got pass that stage. wbinfo & getent returns the values as expected. However my Windoze client are prompting for username/password and nothing I enter is being accepted. Any ideas? Regards Winston Nimchan -----Original Message----- From: David Brodbeck [mailto:DavidB@mail.interclean.com] Sent: Monday, October 22, 2001 12:59 PM To: Winston Nimchan; Sean Trammell Cc: samba@lists.samba.org Subject: RE: Winbind/RH7.1...More Help I don't think this is a PAM problem. 'getent' relies on the nsswitch mechanism but I don't think it relies on PAM. -----Original Message----- From: Winston Nimchan [mailto:Winston_Nimchan@trinsys.com] Sent: Friday, October 19, 2001 3:08 PM To: Sean Trammell Cc: samba@lists.samba.org Subject: RE: Winbind/RH7.1...More Help Tried all the suggestions and still can't see my domain users/groups with getent secret is good and message has nothing abnormal bout PAM Winston -----Original Message----- From: Sean Trammell [mailto:strammell@siumed.edu] Sent: Friday, October 19, 2001 10:54 AM To: Winston Nimchan Cc: samba@lists.samba.org Subject: Re: Winbind/RH7.1...More Help That is most likely a PAM problem, you need to create/modify a file at: /etc/pam.d/samba so that authentication will work against your domain (only for the samba service, logging into your linux computer is a different service). Be very careful with PAM, you can lock yourself out of your machine if it is misconfigured. For example, my /etc/pam.d/samba file looks like this: auth required /lib/security/pam_securetty.so auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_winbind.so auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok account required /lib/security/pam_winbind.so session required /lib/security/pam_pwdb.so password required /lib/security/pam_pwdb.so Check to make sure that PAM is configured correctly for samba here, and then you can check the error log at /var/log/messages for any errors relating to PAM if it still won't work. Also make sure that the pam module pam_winbind.so is in place in /lib/security. Login is a separate module (not samba), you would need to modify another module config to do that. -Sean Winston Nimchan wrote:> > The winbind now works...my getent passwd & groups returns the domain > users/groups > > What should be the next step? my clients (Win2K & Win9x) are still > prompting for a password and I cannot login to my linux box using > DOMAIN*domainuser. > > Must I add each domain user as a user on the linux box? > > Regards-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
I have a Win 2K Mixed Mode domain with 1 NT4 Server and 4 2k Servers I installed from source/configured with --with-pam etc I have Win 2k, 9x clients. If I manually add my domain users to smbpasswd, my 2k clients can connect to my samba server and use resources but my win 9x clients are prompting for password and nothing that i enter seems to be valid. Is winbind supposed to copy my domain users/groups to my samba box? so I don't have to recreate each user in samba. Regards Winston Nimchan -----Original Message----- From: Sean Trammell [mailto:strammell@siumed.edu] Sent: Monday, October 22, 2001 1:35 PM To: Winston Nimchan Cc: David Brodbeck; samba@lists.samba.org Subject: Re: Winbind/RH7.1...More Help Someone correct me if I am wrong, but I think that this really is a PAM problem. There are several things that I can think of offhand, either samba was not compiled --with-pam or samba is not configured correctly or the appropriate PAM module is not configured correctly. We need more information, are you getting any errors in /var/log/messages? PAM problems are logged there on my Redhat 7.1 system. Also, did you use an RPM or did you compile samba from source? If it was source, did you use --with-pam when configuring? If that fails you could post the relevant lines of your smb.conf file (probably most the global section). What is the OS of your password server? -Sean Winston Nimchan wrote:> > hey: > > got pass that stage. wbinfo & getent returns the values as expected. > > However my Windoze client are prompting for username/password and > nothing I enter is being accepted. Any ideas? > > Regards > > Winston Nimchan > > -----Original Message----- > From: David Brodbeck [mailto:DavidB@mail.interclean.com] > Sent: Monday, October 22, 2001 12:59 PM > To: Winston Nimchan; Sean Trammell > Cc: samba@lists.samba.org > Subject: RE: Winbind/RH7.1...More Help > > I don't think this is a PAM problem. 'getent' relies on the nsswitch > mechanism but I don't think it relies on PAM. > > -----Original Message----- > From: Winston Nimchan [mailto:Winston_Nimchan@trinsys.com] > Sent: Friday, October 19, 2001 3:08 PM > To: Sean Trammell > Cc: samba@lists.samba.org > Subject: RE: Winbind/RH7.1...More Help > > Tried all the suggestions and still can't see my domain users/groups > with getent > secret is good and message has nothing abnormal bout PAM > > Winston > > -----Original Message----- > From: Sean Trammell [mailto:strammell@siumed.edu] > Sent: Friday, October 19, 2001 10:54 AM > To: Winston Nimchan > Cc: samba@lists.samba.org > Subject: Re: Winbind/RH7.1...More Help > > That is most likely a PAM problem, you need to create/modify a fileat:> /etc/pam.d/samba > > so that authentication will work against your domain (only for the > samba service, logging into your linux computer is a different > service). Be very careful with PAM, you can lock yourself out of your > machine if it is misconfigured. For example, my /etc/pam.d/samba file > looks like this: > > auth required /lib/security/pam_securetty.so > auth required /lib/security/pam_nologin.so > auth sufficient /lib/security/pam_winbind.so > auth required /lib/security/pam_pwdb.souse_first_pass> shadow nullok > account required /lib/security/pam_winbind.so > session required /lib/security/pam_pwdb.so > password required /lib/security/pam_pwdb.so > > Check to make sure that PAM is configured correctly for samba here, > and then you can check the error log at /var/log/messages for any > errors relating to PAM if it still won't work. Also make sure > that the pam module pam_winbind.so is in place in /lib/security. > > Login is a separate module (not samba), you would need to modify > another module config to do that. > > -Sean > > Winston Nimchan wrote: > > > > The winbind now works...my getent passwd & groups returns the domain > > users/groups > > > > What should be the next step? my clients (Win2K & Win9x) are still > > prompting for a password and I cannot login to my linux box using > > DOMAIN*domainuser. > > > > Must I add each domain user as a user on the linux box? > > > > Regards > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
My problem seems to be: unable to setup the PDC credenntials to machine <Domain Controller> Error was: NT_STATUS_NO_TRUST_SAM_ACCOUNT It tries to authenticate against each of my domain controllers and fails Does this seem fimilair Regards Winston Nimchan -----Original Message----- From: Sean Trammell [mailto:strammell@siumed.edu] Sent: Monday, October 22, 2001 4:00 PM To: Winston Nimchan Cc: samba@lists.samba.org Subject: Re: Winbind/RH7.1...More Help The reason for using winbind is so that you do not have to duplicate accounts on the local machine. smbpasswd is not used at all on my system. I believe that when you use winbind, authentication is passed onto your existing system(s), defined in 'password server'. You have to be getting log entries somewhere that will help you to figure out what is breaking. I think that logs, by default, are stored in /usr/local/samba/var. The default setting also separates logs by computer name, and so what I would do is find a test computer and try to connect to the samba server using a normal domain account. When that doesn't work, check the appropriate logfile to see why the connection was rejected. Log level 1 catches most problems for me, if the connection is rejected and nothing is logged, you may have to increase this. This is what I use in my smb.conf file for logs if it helps any: # LOGGING: # log level = 1 log file = /var/log/samba/%m.log max log size = 50 You are getting usernames back from 'getent passwd', right? That at least indicates that nsswitch is working. Winston Nimchan wrote:> > I have a Win 2K Mixed Mode domain with 1 NT4 Server and 4 2k Servers > I installed from source/configured with --with-pam etc > I have Win 2k, 9x clients. > > If I manually add my domain users to smbpasswd, my 2k clients can > connect to my samba server and use resources but my win 9x clients are > prompting for password and nothing that i enter seems to be valid. > > Is winbind supposed to copy my domain users/groups to my samba box? soI> don't have to recreate each user in samba. > > Regards > > Winston Nimchan > > -----Original Message----- > From: Sean Trammell [mailto:strammell@siumed.edu] > Sent: Monday, October 22, 2001 1:35 PM > To: Winston Nimchan > Cc: David Brodbeck; samba@lists.samba.org > Subject: Re: Winbind/RH7.1...More Help > > Someone correct me if I am wrong, but I think that this really is aPAM> problem. There are several things that I can think of offhand, either > samba was not compiled --with-pam or samba is not configured correctly > or the appropriate PAM module is not configured correctly. We needmore> information, are you getting any errors in /var/log/messages? PAM > problems are logged there on my Redhat 7.1 system. Also, did you usean> RPM or did you compile samba from source? If it was source, did youuse> --with-pam when configuring? If that fails you could post therelevant> lines of your smb.conf file (probably most the global section). Whatis> the OS of your password server? > > -Sean > > Winston Nimchan wrote: > > > > hey: > > > > got pass that stage. wbinfo & getent returns the values as expected. > > > > However my Windoze client are prompting for username/password and > > nothing I enter is being accepted. Any ideas? > > > > Regards > > > > Winston Nimchan > > > > -----Original Message----- > > From: David Brodbeck [mailto:DavidB@mail.interclean.com] > > Sent: Monday, October 22, 2001 12:59 PM > > To: Winston Nimchan; Sean Trammell > > Cc: samba@lists.samba.org > > Subject: RE: Winbind/RH7.1...More Help > > > > I don't think this is a PAM problem. 'getent' relies on thensswitch> > mechanism but I don't think it relies on PAM. > > > > -----Original Message----- > > From: Winston Nimchan [mailto:Winston_Nimchan@trinsys.com] > > Sent: Friday, October 19, 2001 3:08 PM > > To: Sean Trammell > > Cc: samba@lists.samba.org > > Subject: RE: Winbind/RH7.1...More Help > > > > Tried all the suggestions and still can't see my domain users/groups > > with getent > > secret is good and message has nothing abnormal bout PAM > > > > Winston > > > > -----Original Message----- > > From: Sean Trammell [mailto:strammell@siumed.edu] > > Sent: Friday, October 19, 2001 10:54 AM > > To: Winston Nimchan > > Cc: samba@lists.samba.org > > Subject: Re: Winbind/RH7.1...More Help > > > > That is most likely a PAM problem, you need to create/modify a file > at: > > /etc/pam.d/samba > > > > so that authentication will work against your domain (only for the > > samba service, logging into your linux computer is a different > > service). Be very careful with PAM, you can lock yourself out ofyour> > machine if it is misconfigured. For example, my /etc/pam.d/sambafile> > looks like this: > > > > auth required /lib/security/pam_securetty.so > > auth required /lib/security/pam_nologin.so > > auth sufficient /lib/security/pam_winbind.so > > auth required /lib/security/pam_pwdb.so > use_first_pass > > shadow nullok > > account required /lib/security/pam_winbind.so > > session required /lib/security/pam_pwdb.so > > password required /lib/security/pam_pwdb.so > > > > Check to make sure that PAM is configured correctly for samba here, > > and then you can check the error log at /var/log/messages for any > > errors relating to PAM if it still won't work. Also make sure > > that the pam module pam_winbind.so is in place in /lib/security. > > > > Login is a separate module (not samba), you would need to modify > > another module config to do that. > > > > -Sean > > > > Winston Nimchan wrote: > > > > > > The winbind now works...my getent passwd & groups returns thedomain> > > users/groups > > > > > > What should be the next step? my clients (Win2K & Win9x) are still > > > prompting for a password and I cannot login to my linux box using > > > DOMAIN*domainuser. > > > > > > Must I add each domain user as a user on the linux box? > > > > > > Regards > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: http://lists.samba.org/mailman/listinfo/samba > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba
Delete your MACHINE.SID and secrets.tdb files from your config dir (/etc/samba/?), delete the machine account from Server Manager in NT and recreate it. Then rejoin the domain with "smbpassd -j DOMAIN -r PDC" and try again. -----Original Message----- From: Winston Nimchan [mailto:Winston_Nimchan@trinsys.com] Sent: Monday, October 22, 2001 1:37 PM To: Sean Trammell Cc: samba@lists.samba.org Subject: RE: Winbind/RH7.1...More Help My problem seems to be: unable to setup the PDC credenntials to machine <Domain Controller> Error was: NT_STATUS_NO_TRUST_SAM_ACCOUNT It tries to authenticate against each of my domain controllers and fails Does this seem fimilair Regards Winston Nimchan -----Original Message----- From: Sean Trammell [mailto:strammell@siumed.edu] Sent: Monday, October 22, 2001 4:00 PM To: Winston Nimchan Cc: samba@lists.samba.org Subject: Re: Winbind/RH7.1...More Help The reason for using winbind is so that you do not have to duplicate accounts on the local machine. smbpasswd is not used at all on my system. I believe that when you use winbind, authentication is passed onto your existing system(s), defined in 'password server'. You have to be getting log entries somewhere that will help you to figure out what is breaking. I think that logs, by default, are stored in /usr/local/samba/var. The default setting also separates logs by computer name, and so what I would do is find a test computer and try to connect to the samba server using a normal domain account. When that doesn't work, check the appropriate logfile to see why the connection was rejected. Log level 1 catches most problems for me, if the connection is rejected and nothing is logged, you may have to increase this. This is what I use in my smb.conf file for logs if it helps any: # LOGGING: # log level = 1 log file = /var/log/samba/%m.log max log size = 50 You are getting usernames back from 'getent passwd', right? That at least indicates that nsswitch is working. Winston Nimchan wrote:> > I have a Win 2K Mixed Mode domain with 1 NT4 Server and 4 2k Servers > I installed from source/configured with --with-pam etc > I have Win 2k, 9x clients. > > If I manually add my domain users to smbpasswd, my 2k clients can > connect to my samba server and use resources but my win 9x clients are > prompting for password and nothing that i enter seems to be valid. > > Is winbind supposed to copy my domain users/groups to my samba box? soI> don't have to recreate each user in samba. > > Regards > > Winston Nimchan > > -----Original Message----- > From: Sean Trammell [mailto:strammell@siumed.edu] > Sent: Monday, October 22, 2001 1:35 PM > To: Winston Nimchan > Cc: David Brodbeck; samba@lists.samba.org > Subject: Re: Winbind/RH7.1...More Help > > Someone correct me if I am wrong, but I think that this really is aPAM> problem. There are several things that I can think of offhand, either > samba was not compiled --with-pam or samba is not configured correctly > or the appropriate PAM module is not configured correctly. We needmore> information, are you getting any errors in /var/log/messages? PAM > problems are logged there on my Redhat 7.1 system. Also, did you usean> RPM or did you compile samba from source? If it was source, did youuse> --with-pam when configuring? If that fails you could post therelevant> lines of your smb.conf file (probably most the global section). Whatis> the OS of your password server? > > -Sean > > Winston Nimchan wrote: > > > > hey: > > > > got pass that stage. wbinfo & getent returns the values as expected. > > > > However my Windoze client are prompting for username/password and > > nothing I enter is being accepted. Any ideas? > > > > Regards > > > > Winston Nimchan > > > > -----Original Message----- > > From: David Brodbeck [mailto:DavidB@mail.interclean.com] > > Sent: Monday, October 22, 2001 12:59 PM > > To: Winston Nimchan; Sean Trammell > > Cc: samba@lists.samba.org > > Subject: RE: Winbind/RH7.1...More Help > > > > I don't think this is a PAM problem. 'getent' relies on thensswitch> > mechanism but I don't think it relies on PAM. > > > > -----Original Message----- > > From: Winston Nimchan [mailto:Winston_Nimchan@trinsys.com] > > Sent: Friday, October 19, 2001 3:08 PM > > To: Sean Trammell > > Cc: samba@lists.samba.org > > Subject: RE: Winbind/RH7.1...More Help > > > > Tried all the suggestions and still can't see my domain users/groups > > with getent > > secret is good and message has nothing abnormal bout PAM > > > > Winston > > > > -----Original Message----- > > From: Sean Trammell [mailto:strammell@siumed.edu] > > Sent: Friday, October 19, 2001 10:54 AM > > To: Winston Nimchan > > Cc: samba@lists.samba.org > > Subject: Re: Winbind/RH7.1...More Help > > > > That is most likely a PAM problem, you need to create/modify a file > at: > > /etc/pam.d/samba > > > > so that authentication will work against your domain (only for the > > samba service, logging into your linux computer is a different > > service). Be very careful with PAM, you can lock yourself out ofyour> > machine if it is misconfigured. For example, my /etc/pam.d/sambafile> > looks like this: > > > > auth required /lib/security/pam_securetty.so > > auth required /lib/security/pam_nologin.so > > auth sufficient /lib/security/pam_winbind.so > > auth required /lib/security/pam_pwdb.so > use_first_pass > > shadow nullok > > account required /lib/security/pam_winbind.so > > session required /lib/security/pam_pwdb.so > > password required /lib/security/pam_pwdb.so > > > > Check to make sure that PAM is configured correctly for samba here, > > and then you can check the error log at /var/log/messages for any > > errors relating to PAM if it still won't work. Also make sure > > that the pam module pam_winbind.so is in place in /lib/security. > > > > Login is a separate module (not samba), you would need to modify > > another module config to do that. > > > > -Sean > > > > Winston Nimchan wrote: > > > > > > The winbind now works...my getent passwd & groups returns thedomain> > > users/groups > > > > > > What should be the next step? my clients (Win2K & Win9x) are still > > > prompting for a password and I cannot login to my linux box using > > > DOMAIN*domainuser. > > > > > > Must I add each domain user as a user on the linux box? > > > > > > Regards > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: http://lists.samba.org/mailman/listinfo/samba > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba