Hello,
I've been trying for a couple of weeks now to get Samba to authenticate via
Winbind to an NT domain. I've scoured Google and the mailing lists to no
avail. I've tried various configurations that I've found during my
searches, but none of them have worked for me.
I need to be able to authenticate users, that do not have an account on the
Linux box, against the NT domain, and automatically create a home directory for
them. This is the purpose of Winbind (except the home directory part, which
pam_mkhomedir is supposed to do), as I understand it. Something between winbind
and pam is failing since the connecting user gets authenticated as guest rather
than an actual user.
My current configuration is RedHat 7.3 and Samba 2.2.5. My most current samba
installation is an RPM generated via the makerpms.sh script in the
packaging/RedHat folder of the 2.2.5 samba distribution.
I've added the following compilation flags in the samba2.spec file: This is
my latest attempt, since nothing else seemed to work.
--with-ssl \
--with-sslinc=/usr/include/openssl \
--with-ssllib=/usr/lib/ssl \
--with-acl-support \
--with-winbind \
--with-winbind-auth-challenge \
'getent passwd' and 'getent group' work properly so I think
winbind works, too. I think the problem lies somewhere with pam, but I'm
not a pam guru by any stretch of the imagination.
The problem is one I've seen discussed a couple of times, but have not seen
any kind of resolution. The next few lines are from the log file of the client
attempting to connect to the server with an account called ilchtest.
[2002/10/08 15:00:50, 3] lib/util_sock.c:open_socket_out(845)
Connecting to 10.226.XXX.XXX at port 139
[2002/10/08 15:00:50, 3] smbd/reply.c:reply_sesssetup_and_X(1045)
No such user ilchtest [CHICAGO] - using guest account
The following is the last line of what 'winbindd -d5 -i' spits out when
I start it from the root prompt:
tdb(unknown): tdb_brlock failed (fd=10) at offset 4 rw_type=1 lck_type=13 <--------Not sure if this points to a problem???
The following is what 'winbindd -d5 -i' spits out when the client tries
to connect:
rpc_read: num_read = 4, read offset: 0, to read: 4
000018 samr_io_r_close_hnd
0018 data1: 00000000
001c data2: 00000000
0020 data3: 0000
0022 data4: 0000
0024 data5: 00 00 00 00 00 00 00 00
002c status: NT_STATUS_OK
[23826]: sid to gid S-1-5-21-178404139-331375567-1660491571-2273
[23826]: gid to sid 10000
[23826]: gid to sid 10001
[23826]: getgroups ftp <-------Guest account was nobody and I changed it to ftp.
Here is my /etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
#hosts: db files nisplus nis dns
hosts: files winbind dns
Here is my /etc/pam.d/system-auth
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/secutiry/pam_winbind.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
Here is my /etc/samba/smb.conf:
[global]
workgroup = CHICAGO
netbios name = SILCHRS03
server string =
security = DOMAIN
encrypt passwords = Yes
password server = *
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
large readwrite = Yes
name resolve order = host wins bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
preferred master = False
local master = No
domain master = False
dns proxy = No
wins server = 172.30.XXX.XXX
winbind uid = 10000-50000
winbind gid = 10000-50000
template shell = /bin/bash
guest account = ftp
invalid users = root bin daemon adm sync shutdown halt mail news uucp operator gopher
printer admin = +PrinterAdmins
nt acl support = No
printing = cups
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
I really want this to work, so any help is appreciated.
Please include my e-mail address in any replies.
Thank you!
Sven
Have you tried:
Manually putting password server = IP address rather than *.
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users =%D+%S
The chmod for home directory should be 700, chown to the user and chown
group to 'DOMAIN+Domain Users'
If you can use getent passwd and getent groups I presume it's just a
permissions thing.
I haven't been able to get pam_mkhomedir.so to work so I just manually
create the accounts.
I'm just writing a guide on how to do it now on Debian 3.0.
Good luck,
Shaolin - IT Systems
WB Ltd.
.: http://www.security-forums.com :.
----- Original Message -----
From: <SRuth@LANDAM.com>
To: <samba@lists.samba.org>
Sent: Tuesday, October 08, 2002 10:29 PM
Subject: [Samba] Please assist with Winbind issues!
Sven,
Being somewhat of a newbie, I cannot comment on everything that you've
included here with authority, but I did notice a typographic error in the
pam_winbind.so line for PAM account checking in your
"/etc/pam.d/system-auth" file. It's pointed out below. Seems like that
could be the problem since you can authenticate, but just not with the
correct account.
John Reinhardt
>Message: 14
>From: SRuth@LANDAM.com
>To: samba@lists.samba.org
>Date: Tue, 8 Oct 2002 17:29:23 -0400
>Subject: [Samba] Please assist with Winbind issues!
>
<<snip>>
>Here is my /etc/pam.d/system-auth
>
>auth required /lib/security/pam_env.so
>auth sufficient /lib/security/pam_winbind.so
>auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
>auth required /lib/security/pam_deny.so
>
>account sufficient /lib/secutiry/pam_winbind.so
                             ^^^ <== Typo here...
>account required /lib/security/pam_unix.so
>
>password required /lib/security/pam_cracklib.so retry=3
>password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
>password required /lib/security/pam_deny.so
>
>session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
>session required /lib/security/pam_limits.so
>session required /lib/security/pam_unix.so
-----Original Message-----
From: Gareth Davies [mailto:gdavies@willowbrook.co.uk]
Sent: Wednesday, October 09, 2002 4:52 AM
To: SRuth@LANDAM.com; samba@lists.samba.org
Subject: Re: [Samba] Please assist with Winbind issues!

Have you tried:
Manually putting password server = IP address rather than *.
>>>Winbind fails to find the domain if I do this.
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users =%D+%S
The chmod for home directory should be 700, chown to the user and chown group to 'DOMAIN+Domain Users'
>>>chown doesn't find the domain users or groups.
If you can use getent passwd and getent groups I presume it's just a permissions thing.
I haven't been able to get pam_mkhomedir.so to work so I just manually create the accounts.
>>>I don't see pam_mkhomedir working, but I don't think it's getting that far... I've created home directories for the test accounts, but that doesn't work either.
I'm just writing a guide on how to do it now on Debian 3.0.
Good luck,
Shaolin - IT Systems
WB Ltd.
.: http://www.security-forums.com :.
John,
Thanks for spotting the typo. I fixed that, but the behavior is the same as
before...
Thank you.
Sven
-----Original Message-----
From: John H. Reinhardt [mailto:johnhreinhardt@yahoo.com]
Sent: Wednesday, October 09, 2002 7:25 AM
To: samba@lists.samba.org
Cc: SRuth@LANDAM.com
Subject: Re: [Samba] Please assist with Winbind issues!
SRuth@LANDAM.com wrote:
>
> Hello,
>
> I've been trying for a couple of weeks now to get Samba to authenticate via Winbind to an NT domain. I've scoured Google and the mailing lists to no avail. I've tried various configurations that I've found during my searches, but none of them have worked for me.
>
> I need to be able to authenticate users, that do not have an account on the Linux box, against the NT domain, and automatically create a home directory for them. This is the purpose of Winbind (except the home directory part, which pam_mkhomedir is supposed to do), as I understand it. Something between winbind and pam is failing since the connecting user gets authenticated as guest rather than an actual user.
>
> My current configuration is RedHat 7.3 and Samba 2.2.5. My most current samba installation is an RPM generated via the makerpms.sh script in the packaging/RedHat folder of the 2.2.5 samba distribution.
>
> I've added the following compilation flags in the samba2.spec file: This is my latest attempt, since nothing else seemed to work.
>
> --with-ssl \
> --with-sslinc=/usr/include/openssl \
> --with-ssllib=/usr/lib/ssl \

SSL support is being removed in Samba 3.0, and is unsupported in 2.2. While this is probably unrelated to your problem, don't make your life more difficult than it needs to be. No Microsoft client supports SMB over SSL.

Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
Hello,
I think my typo may have been the problem after all. Doh!
It seems to be working properly now.
A couple of additional things I've noticed:
'obey pam restrictions' must be set to yes to get the pam_mkhomedir
module to do its job.
The homes share must have /home/%D as the path. /home/%D/%U, and blank does not
work. This connects the user to a share named after the login ID, but
double-clicking that share shows all of the folders in the /home/%D path rather
than just the contents of the user's folder. Which makes sense, but why
doesn't /home/%D/%U or a blank entry work?
Thanks to everyone for your assistance.
More questions to come, I'm sure. :-)
Sven
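The fault found in this thread was a misspelled module path on the `account sufficient` line of /etc/pam.d/system-auth. The following is an added example, not code from any poster or from the Samba or PAM projects: a small checker that parses a pam.d-style file and reports rules whose module file does not exist. The names `parse_rules`, `lint`, `demo`, `module_dirs` and `root` are hypothetical, and the sample input is constructed from the configuration quoted in the thread with its wrapped lines joined.

```python
import os
import re
import tempfile

PAM_TYPES = {"auth", "account", "password", "session"}
NON_MODULE_CONTROLS = {"include", "substack"}  # third field is a file name, not a module

# Constructed sample: the system-auth posted in the thread, wrapped lines joined.
SAMPLE = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/secutiry/pam_winbind.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
"""


def parse_rules(text):
    """Return [(lineno, type, control, module)] for each rule in a pam.d file.

    Handles comments, backslash continuations, '-type' prefixes and
    bracketed controls such as [success=1 default=ignore].
    Unparseable lines come back with type and control set to None.
    """
    rules, buf, start = [], "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = lineno                      # first physical line of the rule
        if raw.rstrip().endswith("\\"):         # rule continues on the next line
            buf += raw.rstrip()[:-1] + " "
            continue
        line = (buf + raw).split("#", 1)[0].strip()
        buf = ""
        if not line:
            continue
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m or m.group(1).lstrip("-") not in PAM_TYPES:
            rules.append((start, None, None, line))
            continue
        rules.append((start, m.group(1).lstrip("-"), m.group(2), m.group(3)))
    return rules


def lint(text, module_dirs=("/lib/security", "/lib64/security"), root="/"):
    """Report rules whose module cannot be found on disk.

    Absolute module paths are checked as written; bare names are looked up
    in module_dirs (an assumption, adjust for the distribution). `root` lets
    the check run against a mounted image or a test tree.
    """
    findings = []
    for lineno, ptype, control, module in parse_rules(text):
        if ptype is None:
            findings.append((lineno, module, "not a valid 'type control module' rule"))
            continue
        if control in NON_MODULE_CONTROLS:
            continue
        if module.startswith("/"):
            candidates = [module]
        else:
            candidates = [os.path.join(d, module) for d in module_dirs]
        if not any(os.path.isfile(os.path.join(root, c.lstrip("/"))) for c in candidates):
            findings.append((lineno, module, f"{ptype}/{control}: module file not found"))
    return findings


def demo():
    """Lint SAMPLE against a throwaway tree holding the correctly named modules."""
    with tempfile.TemporaryDirectory() as root:
        secdir = os.path.join(root, "lib", "security")
        os.makedirs(secdir)
        for name in ("pam_env", "pam_winbind", "pam_unix", "pam_deny",
                     "pam_cracklib", "pam_mkhomedir", "pam_limits"):
            open(os.path.join(secdir, name + ".so"), "w").close()
        return lint(SAMPLE, root=root)


if __name__ == "__main__":
    for lineno, module, why in demo():
        print(f"line {lineno}: {module}: {why}")
```

On a live host, call `lint(open("/etc/pam.d/system-auth").read())` with the default `root`.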
Thanks Andrew.
I was actually under the (faulty) impression that --with-ssl was meant for SWAT. Since it isn't, could you point me to instructions for enabling swat to use ssl? Is it possible?
Thank you.
Sven
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Wednesday, October 09, 2002 4:58 PM
To: SRuth@LANDAM.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] Please assist with Winbind issues!
SSL support is being removed in Samba 3.0, and is unsupported in 2.2. While this is probably unrelated to your problem, don't make your life more difficult than it needs to be. No Microsoft client supports SMB over SSL.
Andrew Bartlett
> Message: 20
> From: SRuth@LANDAM.com
> To: samba@lists.samba.org
> Date: Thu, 10 Oct 2002 11:56:51 -0400
> Subject: [Samba] RE: Please assist with Winbind issues!
>
> Thanks Andrew.
>
> I was actually under the (faulty) impression that --with-ssl was meant for SWAT.

SWAT does not have SSL support (AFAIK). Use webmin instead (and it also won't trash comments in your smb.conf).

Hint: Mandrake 9.0 has winbind authentication support out-the-box, just do an 'expert' install, and choose 'Windows Domain' as authentication method (during installation), and enter your domain name in caps (it doesn't get uppercase for making the /home/%D). Then, reboot, and log in with your domain account. Unfortunately, the GUI for this isn't available after installation (yet).

Buchan
--
|----------------Registered Linux User #182071-----------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
> The homes share must have /home/%D as the path. /home/%D/%U, and blank does not work. This connects the user to a share named after the login ID, but double-clicking that share shows all of the folders in the /home/%D path rather than just the contents of the user's folder. Which makes sense, but why doesn't /home/%D/%U or a blank entry work?
>
> Thanks to everyone for your assistance.

A blank entry should work - in what way does it 'not work'?
Try 2.2.6rc2 - a stat() check has been removed that might have caused the problem. Samba 3.0 has even more advanced logic here.
Andrew Bartlett

No username share appears upon connecting to the server. Can't map it either.
I'm intending to put this server into production within the next week or two, so I'd like to avoid using a non-production release. When is the next production release due, or is the current rc stable enough for production use?
Thanks.
Sven Ruth