I apologize in advance if this is a FAQ, but I couldn't find the FAQ document for this list. I also could not find anything relevant in other Samba documentation sources like http://hr.uoregon.edu/davidrl/samba.html.

There seems to be plenty of information about using Samba *as* a DC, but I want to know if I can use Samba *with* a Windows 2000 DC. We have two DCs running Windows 2000, a W2K file server and a Linux/Samba file server (in standalone mode). We have to manage users and groups separately on the Linux and Windows systems, and that's no fun.

We are running Samba 2.2.7 on Red Hat 7.3 (although sometimes RH's version numbers are not quite in synch with the original developer's):

==
$ rpm -qa | grep samba
samba-common-2.2.7-1.7.3
samba-2.2.7-1.7.3
samba-swat-2.2.7-1.7.3
samba-client-2.2.7-1.7.3
==

Is the feature I want in this version? Or, is the feature I want in development? Or, is there some other setup I can use to get authentication out of the DCs via LDAP (Windows 2000 uses a moderately bastardized LDAP for authentication), and then have Samba use that?

Thanks in advance,
--
Chris Palmer Systems Programmer GeneEd
I don't have a url handy at the moment, but you want to look at using winbind, it'll do what you're looking for.

Dan

On Sat, 2003-01-04 at 20:17, Chris Palmer wrote:
> I apologize in advance if this is a FAQ, but I couldn't find the FAQ document for this list. I also could not find anything relevant in other Samba documentation sources like http://hr.uoregon.edu/davidrl/samba.html.
>
> There seems to be plenty of information about using Samba *as* a DC, but I want to know if I can use Samba *with* a Windows 2000 DC. We have two DCs running Windows 2000, a W2K file server and a Linux/Samba file server (in standalone mode). We have to manage users and groups separately on the Linux and Windows systems, and that's no fun.
>
> We are running Samba 2.2.7 on Red Hat 7.3 (although sometimes RH's version numbers are not quite in synch with the original developer's):
>
> ==
> $ rpm -qa | grep samba
> samba-common-2.2.7-1.7.3
> samba-2.2.7-1.7.3
> samba-swat-2.2.7-1.7.3
> samba-client-2.2.7-1.7.3
> ==
>
> Is the feature I want in this version? Or, is the feature I want in development? Or, is there some other setup I can use to get authentication out of the DCs via LDAP (Windows 2000 uses a moderately bastardized LDAP for authentication), and then have Samba use that?
>
>
> Thanks in advance,
> --
> Chris Palmer Systems Programmer GeneEd
> From: Daniel Wittenberg [mailto:daniel-wittenberg@uiowa.edu]
> I don't have a url handy at the moment, but you want to look at using
> winbind, it'll do what you're looking for.

Thanks for the clue. :) I found documentation for it at http://myserver:901/swat/help/winbindd.8.html. I followed the directions there to the letter, although I only changed /etc/pam.d/samba, none of the others. (Should I change any of the others?)

However, "getent passwd" and "getent group" show only the contents of my /etc/passwd and /etc/group, and not the stuff from my Windows domain. Also, I cannot log into SWAT anymore (!) -- although I can mount Samba shares on my Windows workstation using my Linux username and password (but not my Windows username/password).

So clearly I'm missing some critical step. winbindd, smbd and nmbd are all running. My /etc/nsswitch.conf is as follows:

==
passwd: files winbind
shadow: files nisplus
group: files winbind
hosts: files nisplus dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files nisplus
rpc: files
services: files nisplus
netgroup: files nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
==

(I am not using nisplus, btw.)

Here is /etc/pam.d/samba:

==
#%PAM-1.0
account required /lib/security/pam_winbind.so
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
==

And the [global] section of /etc/samba/smb.conf:

==
[global]
security = domain
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
password server = *
workgroup = GENEEDINC
netbios name = DEV
server string = Dev Samba Server
encrypt passwords = Yes
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
guest account printing = lprng
==

Does anyone have any idea what I'm missing? Thanks in advance, again.

--
Chris Palmer Systems Programmer GeneEd
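How the auth lines of the /etc/pam.d/samba file above resolve under the PAM control flags, as an added example that is not part of the original message. It is a simplified model of required/requisite/sufficient/optional; the per-module outcomes passed to evaluate() are assumptions, not results taken from this system.

```python
import os

# The /etc/pam.d/samba file from the message above (comment line omitted).
PAM_SAMBA = """\
account required /lib/security/pam_winbind.so
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
"""

def parse_stack(text, mtype="auth"):
    """Return [(control, module_name)] for one management group, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not line.startswith("#") and fields[0] == mtype:
            stack.append((fields[1], os.path.basename(fields[2])))
    return stack

def evaluate(stack, results):
    """Apply the control-flag rules to assumed module outcomes.

    results maps module name -> True (PAM_SUCCESS) or False (any error).
    Returns (granted, modules_consulted).
    """
    failed = passed = False
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control in ("required", "requisite"):
            if ok:
                passed = True
            else:
                failed = True
                if control == "requisite":
                    break              # requisite failure aborts the stack
        elif control == "sufficient" and ok and not failed:
            return True, consulted     # short-circuit: later modules never run
        # a failed "sufficient" or any "optional" result is ignored in this model
    return passed and not failed, consulted
```

With pam_winbind.so failing and pam_pwdb.so succeeding, the stack still grants access on the local password alone; with pam_winbind.so succeeding, pam_pwdb.so is never consulted.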
Here is some additional information from my /var/log/messages:

==
Jan 4 19:04:07 dev winbind: winbindd startup succeeded
Jan 4 19:04:08 dev smb: smbd startup succeeded
Jan 4 19:04:09 dev smb: nmbd startup succeeded
Jan 4 19:08:22 dev sshd(pam_unix)[935]: session opened for user chris by (uid=0)
Jan 4 19:08:41 dev pam_winbind[978]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan 4 19:08:41 dev pam_winbind[978]: internal module error (retval = 4, user = `root'
Jan 4 19:09:05 dev pam_winbind[980]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan 4 19:09:05 dev pam_winbind[980]: internal module error (retval = 4, user = `root'
Jan 4 19:09:21 dev pam_winbind[983]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan 4 19:09:21 dev pam_winbind[983]: internal module error (retval = 4, user = `zzzz bibble'
Jan 4 19:09:21 dev PAM_pwdb[983]: check pass; user unknown
Jan 4 19:09:42 dev su(pam_unix)[984]: session opened for user root by chris(uid=500)
Jan 4 19:10:08 dev pam_winbind[1038]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan 4 19:10:08 dev pam_winbind[1038]: internal module error (retval = 4, user = `zzzz bibble'
Jan 4 19:10:08 dev PAM_pwdb[1038]: check pass; user unknown
Jan 4 19:10:11 dev pam_winbind[1040]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan 4 19:10:11 dev pam_winbind[1040]: internal module error (retval = 4, user `zzzz bibble'
Jan 4 19:10:11 dev PAM_pwdb[1040]: check pass; user unknown
Jan 4 19:10:22 dev smb: smbd shutdown succeeded
Jan 4 19:10:22 dev smb: nmbd shutdown succeeded
Jan 4 19:10:22 dev smb: smbd startup succeeded
Jan 4 19:10:22 dev smb: nmbd startup succeeded
Jan 4 19:10:26 dev winbind: winbindd shutdown succeeded
Jan 4 19:10:26 dev winbind: winbindd startup succeeded
Jan 4 19:10:42 dev pam_winbind[1098]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan 4 19:10:42 dev pam_winbind[1098]: internal module error (retval = 4, user = `zzzz bibble'
Jan 4 19:10:42 dev PAM_pwdb[1098]: check pass; user unknown
Jan 4 19:10:55 dev pam_winbind[1100]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan 4 19:10:55 dev pam_winbind[1100]: internal module error (retval = 4, user `root'
Jan 4 19:14:51 dev pam_winbind[1124]: user 'chris' granted acces
Jan 4 19:14:51 dev samba(pam_unix)[1124]: session opened for user chris by (uid=0)
Jan 4 19:27:18 dev pam_winbind[1182]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan 4 19:27:18 dev pam_winbind[1182]: internal module error (retval = 4, user `root'
==

I did not enter "zzzz bibble" as my user name, and yet that's what the log shows. "internal module error" sure sounds bad, but I don't know what it means.

--
Chris Palmer Systems Programmer GeneEd
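A way to turn the pam_winbind lines in a log like the one above into one record per authentication attempt, as an added example that is not part of the original message. It pairs each "request failed" line with the "internal module error" line from the same PID to recover the user name and NT status; the function and field names are this example's own.

```python
import re
from collections import Counter

# Lines copied from the /var/log/messages excerpt above.
SAMPLE = """\
Jan 4 19:08:41 dev pam_winbind[978]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan 4 19:08:41 dev pam_winbind[978]: internal module error (retval = 4, user = `root'
Jan 4 19:10:11 dev pam_winbind[1040]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan 4 19:10:11 dev pam_winbind[1040]: internal module error (retval = 4, user `zzzz bibble'
Jan 4 19:10:11 dev PAM_pwdb[1040]: check pass; user unknown
Jan 4 19:14:51 dev pam_winbind[1124]: user 'chris' granted acces
Jan 4 19:14:51 dev samba(pam_unix)[1124]: session opened for user chris by (uid=0)
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ pam_winbind\[(\d+)\]: (.*)$")
FAILED = re.compile(r"request failed, PAM error was (\d+), NT error was (\w+)")
# The log shows both "user = `x'" and "user `x'", and the paren is never closed.
USER = re.compile(r"internal module error \(retval = \d+, user(?: =)? `([^']*)'")
GRANTED = re.compile(r"user '([^']*)' granted")

def parse(text):
    """Return one dict per pam_winbind authentication attempt, in log order."""
    events, pending = [], {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # other services (PAM_pwdb, smb, ...)
        ts, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        failed, user, granted = FAILED.search(msg), USER.search(msg), GRANTED.search(msg)
        if failed:
            ev = {"time": ts, "pid": pid, "ok": False, "user": None,
                  "pam": int(failed.group(1)), "nt": failed.group(2)}
            events.append(ev)
            pending[pid] = ev             # the user name arrives on a later line
        elif user and pid in pending:
            pending.pop(pid)["user"] = user.group(1)
        elif granted:
            events.append({"time": ts, "pid": pid, "ok": True,
                           "user": granted.group(1), "pam": 0, "nt": None})
    return events

def failures_by_user(events):
    """Count failed attempts per (user, NT status) pair."""
    return Counter((e["user"], e["nt"]) for e in events if not e["ok"])
```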
Daniel Wittenberg writes:
> I think you got problems here the way you have it setup. Try this for
> your /etc/pam.d/samba:
> #%PAM-1.0
> auth sufficient /lib/security/pam_krb5.so debug
> password required /lib/security/pam_krb5.so debug use_authtok

Are you sure I should be using krb5 and not winbind?

> Can you do a wbinfo -t?
> How about wbinfo -u and wbinfo -g ?

I tried these commands with all three of these /etc/pam.d/samba files:

==
auth sufficient /lib/security/pam_krb5.so debug
password required /lib/security/pam_krb5.so debug use_authtok
==

==
auth sufficient /lib/security/pam_winbind.so debug
password required /lib/security/pam_winbind.so debug use_authtok
==

and my original:

==
account required /lib/security/pam_winbind.so
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
password required /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
==

I quit and restart smbd, nmbd and winbindd each time, and each time I got this exact output from wbinfo:

==
# wbinfo -t
Secret is good
# wbinfo -u
0xc0000022
# wbinfo -g
0xc0000022
==

--
Chris Palmer Systems Programmer GeneEd
Additional information:

==
# wbinfo -a 'myacct%mypass'
plaintext password authentication failed
error code was NT_STATUS_INVALID_PARAMETER (0xc000000d)
Could not authenticate user chris.palmer%&then0n3 with plaintext password
==

wbinfo(1) says:

==
-a username%password
    Attempt to authenticate a user via winbindd. This checks both authenticaion methods and reports its results.
==

Yet wbinfo doesn't appear to have tried "both authenticaion methods".

--
Chris Palmer Systems Programmer GeneEd