Noel Kelly
2001-Dec-24 16:34 UTC
Desperate -- I'll even pay -- winbind/samba -- challenge/response password authentication failed
I think this is acceptable - I get the same output for this command in a Samba session on a Win2000 domain and it works fine.

    $ wbinfo -a DOM+W2kusername%password
    plaintext password authentication succeeded
    challenge/response password authentication failed
    Could not authenticate user DOM+W2kusername%password with challenge/response

I think you are 99% set up. I followed this posting initially to get things going. It has lost some of the formatting but is a nice step by step guide:

Here is my procedure to get winbind running with (a fairly recent) CVS of SAMBA_2_2

A. Shutdown samba smbd, nmbd and winbindd daemons

   1. kill all smbd's
   2. kill all nmbd's
   3. kill all winbindd's

B. Make a clean version of samba to test with
   as root, in the samba/source directory

   1. # rm -rf /usr/local/samba
      (gets rid of any old samba you may have)
      (*** save ../lib/smb.conf if you want to reuse it)
   2. # make clean
   3. # rm config.cache
   4. # ./configure --with-pam --with-winbind (--with-acl-support)
      (I use XFS acls, you don't need to, to use winbind)
   5. # make
   6. # make install
      (puts the stuff in /usr/local/samba by default)
   7. # cp nsswitch/libnss_winbind.so /lib
   8. # ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
   9. # cp nsswitch/pam_winbind.so /lib/security/pam_winbind.so
   10. edit nsswitch.conf

          passwd: files nisplus winbind
          shadow: files nisplus winbind
          group: files nisplus winbind

       (note: group needs winbind entry too!)
   11. # /sbin/ldconfig -v | grep winbind
       (makes libnss_winbind available and checks)
   12. copy proper smb.conf into /usr/local/samba/lib
   13. # /usr/local/samba/bin/smbpasswd -j DOMAIN
       (where DOMAIN is the domain of your PDC)
   12. # /usr/local/samba/bin/winbindd
       (starts up the winbindd daemon)
   13. # ps -ae | grep winbindd
       (make sure winbindd started ok)
   14. # /usr/local/samba/bin/wbinfo -u
       (should give a list containing local AND domain users)
   15. # /usr/local/samba/bin/wbinfo -g
       (should give a list containing local AND domain groups)
   16. # getent passwd
       (should give a list containing local AND domain users)
   17. # getent group
       (should give a list containing local AND domain users)

C. Now need to fix the pam.d files!

   1. to enable authentication and accounts from local and DOMAIN users
      change /etc/pam.d/samba to:

          auth required /lib/security/pam_winbind.so
          account required /lib/security/pam_winbind.so

   2. Other pam.d files: I'm working on them ;->

D. restart smbd and nmbd

   1. # /etc/rc.d/init.d/smb restart
      (note: I have 'fixed' /etc/rc.d/init.d/smb to run smbd and nmbd from /usr/local/samba/bin)

I can now connect to my share as a user who exists ONLY in the domain (i.e., not a local user at all) and create and modify files.

For instance, I have a user CEO/burdell (domain CEO, user burdell) who doesn't exist in my local /etc/passwd or my /usr/local/samba/private/smbpasswd files. I can log in from a windows box as 'burdell' and files are created in the share with owner CEO/burdell:

    [jt@jtsdevel jt]$ ls -l /mnt/xfs_part/bu*
    -rwxrwxr-- 1 CEO\burd root 37 Sep 20 14:32 /mnt/xfs_part/burdell's.txt

(Using XFS ACLs)

    [jt@jtsdevel jt]$ getfacl /mnt/xfs_part/bu*
    getfacl: Removing leading '/' from absolute path names
    # file: mnt/xfs_part/burdell's.txt
    # owner: CEO\burdell
    # group: root
    user::rwx
    other::r--
    group::rw-
    mask::rwx

My smb.conf file:

    [global]
        workgroup = CEO
        netbios name = JTSDEVEL
        server string = JTs devel machine XFS Samba Server
        printing = bsd
        printcap name = /etc/printcap
        load printers = yes
        guest account = guest
        encrypt passwords = Yes
        update encrypted = Yes
        os level = 0
        preferred master = False
        local master = No
        domain master = False
        security = domain
        password server = ZEPHYR
        smb passwd file = /usr/local/samba/private/smbpasswd
        debug level = 1
        wins server = 192.168.10.15
        name resolve order = wins host bcast
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes

    [Public]
        path = /mnt/xfs_part
        public = yes
        read only = No
        inherit permissions = yes
        create mask = 777
        force create mode = 0
        directory security mask = 777
        force directory security mode = 0

--
John M. Trostel
Senior Software Engineer
Quantum / SnapAppliances
jtrostel@snapserver.com
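
An added example, not part of the original post or of Samba: a pre-flight check for two things the procedure above depends on, namely that nsswitch.conf lists winbind for both passwd and group, and that no local account already holds a UID inside the "winbind uid" range from smb.conf (such an account would share a numeric UID with a mapped domain user). The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print each of passwd/group whose nsswitch.conf line does not list winbind.
nss_missing_winbind() {
    for db in passwd group; do
        awk -v db="$db" '
            { sub(/#.*/, "") }    # strip comments before matching
            $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
            END { if (!ok) print db }' "$1"
    done
}

# Print local accounts whose UID lies inside the "winbind uid" range of smb.conf.
# Returns 2 if smb.conf sets no such range.
idmap_collisions() {
    conf=$1; pw=$2
    range=$(sed -n 's/^[[:space:]]*winbind uid[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p' "$conf" | head -n 1)
    [ -n "$range" ] || return 2
    lo=${range% *}; hi=${range#* }
    awk -F: -v lo="$lo" -v hi="$hi" \
        '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 }' "$pw"
}

# Constructed sample input (not real system files).
tmp=$(mktemp -d)
printf '%s\n' 'passwd: files nisplus winbind' 'shadow: files nisplus winbind' \
    'group: files nisplus   # winbind forgotten' > "$tmp/nsswitch.conf"
printf '%s\n' '[global]' '  winbind uid = 10000-20000' \
    '  winbind gid = 10000-20000' > "$tmp/smb.conf"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'jt:x:500:500::/home/jt:/bin/sh' \
    'backup:x:10042:100::/home/backup:/bin/sh' > "$tmp/passwd"

echo "nsswitch databases missing winbind: $(nss_missing_winbind "$tmp/nsswitch.conf")"
echo "local UIDs inside winbind range:    $(idmap_collisions "$tmp/smb.conf" "$tmp/passwd")"
```

On a real host, pass /etc/nsswitch.conf, /usr/local/samba/lib/smb.conf and /etc/passwd to the two functions before starting winbindd.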