Stewart, Eric
2003-Jul-16 19:21 UTC
[Samba] Samba 2.2.8a/winbindd - 2K Domain users password challenged
I have a RedHat Linux 9 server that I would like to allow users in my Windows 2000 domain to be able to map shares from without actually having an account on the system.

Compiled samba, configured with "./configure --with-pam". Got the server into the domain, and regular "security = domain" seems to be working appropriately - providing there's a local account with the same username as the 2K Domain user.

winbind appears to be providing the accounts appropriately - both wbinfo and getent return what you'd expect them to; a wbinfo -a with a user on the domain (the one trying to connect, in fact) gets:

    plaintext password authentication succeeded

It simply appears as if, when a user attempts to connect to the share, it fails to try to match the W2K account (IE, DOM\user) to the winbind account (DOM+user) and near as I can tell, fails since there isn't an account on the system under "user".

Here are the relevant smb.conf lines:

    [global]
    netbios name = newweb
    load printers = no
    guest account = nobody
    workgroup = LIB
    security = domain
    password server = *
    encrypt passwords = yes
    local master = no
    os level = 1
    wins server = 131.247.112.6
    server string = LIB309 -Sys-Library Web Server
    preserve case = yes
    invalid users = root mail daemon
    log level = 3
    debug uid = yes
    debug pid = yes
    log file = /usr/local/samba/logs/log.%m
    lock directory = /usr/local/samba/var/locks
    share modes = yes
    winbind separator = +
    winbind uid = 12500-19999
    winbind gid = 12500-19999
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /dev/null

    [webdocs]
    comment = Webdocs Share
    browseable = yes
    force create mode = 0664
    force directory mode = 0775
    path = /data1/webdocs
    valid users = @web,@wheel,@LIB+Technology
    read only = yes
    locking = no

Not sure that this is set up right, or that I might be missing something else:

/etc/pam.d/samba

    auth sufficient /lib/security/pam_winbind.so
    auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
    account required /lib/security/pam_winbind.so
    session required /lib/security/pam_pwdb.so
    password required /lib/security/pam_pwdb.so # shadow md5 nullok audit

When a user that doesn't have a matching Linux account tries to access the share, they get challenged.

Please let me know what I'm missing - either in my Samba configuration or in the information I've attempted to provide to you.

Thanks muchly in advance for your assistance.

Eric Stewart - Network Admin - USF Tampa Library - eric@lib.usf.edu
SCUBA Diver: 220 Dives Most Recent: 05/10/03 Chankanaab Park, Cozumel
GeoCacher: 58 Found Most Recent: 07/04/03 GCGBHE - Fun in the Sun
http://www.scubadiving.com/talk/ and http://www.geocaching.com/

Stewart, Eric
2003-Jul-17 14:41 UTC
[Samba] Samba 2.2.8a/winbindd - 2K Domain users password challenged
I know it's been less than a day but I'm kind of surprised that I haven't gotten an answer on this one way or the other ... so let me ask a simpler question:

Are winbind served users of a Linux machine supposed to have access to the samba shares served by that Linux machine?

If so, please provide sample smb.conf's (if they differ from mine below) and pam.d/* files. As my users only need access to the samba shares, and not login access, I'm hesitant to change any /etc/pam.d/ file aside from /etc/pam.d/samba ...

A bit of further testing has shown that at the very least, samba continues to attempt to look for "user" instead of "DOM+user" when trying to validate.

Please! This is the last step I *must* get past before I can move mission critical services from a Sun Solaris 8 box to this Redhat Linux 9 machine ...

Eric Stewart - Network Admin - USF Tampa Library - eric@lib.usf.edu
SCUBA Diver: 220 Dives Most Recent: 05/10/03 Chankanaab Park, Cozumel
GeoCacher: 58 Found Most Recent: 07/04/03 GCGBHE - Fun in the Sun
http://www.scubadiving.com/talk/ and http://www.geocaching.com/

> -----Original Message-----
> From: Stewart, Eric
> Sent: Wednesday, July 16, 2003 3:21 PM
> To: samba@lists.samba.org
> Subject: [Samba] Samba 2.2.8a/winbindd - 2K Domain users password challenged
>
> I have a RedHat Linux 9 server that I would like to allow users in my Windows 2000 domain to be able to map shares from without actually having an account on the system.
>
> Compiled samba, configured with "./configure --with-pam". Got the server into the domain, and regular "security = domain" seems to be working appropriately - providing there's a local account with the same username as the 2K Domain user.
>
> winbind appears to be providing the accounts appropriately - both wbinfo and getent return what you'd expect them to; a wbinfo -a with a user on the domain (the one trying to connect, in fact) gets:
>
>     plaintext password authentication succeeded
>
> It simply appears as if, when a user attempts to connect to the share, it fails to try to match the W2K account (IE, DOM\user) to the winbind account (DOM+user) and near as I can tell, fails since there isn't an account on the system under "user".
>
> Here are the relevant smb.conf lines:
>
>     [global]
>     netbios name = newweb
>     load printers = no
>     guest account = nobody
>     workgroup = LIB
>     security = domain
>     password server = *
>     encrypt passwords = yes
>     local master = no
>     os level = 1
>     wins server = 131.247.112.6
>     server string = LIB309 -Sys-Library Web Server
>     preserve case = yes
>     invalid users = root mail daemon
>     log level = 3
>     debug uid = yes
>     debug pid = yes
>     log file = /usr/local/samba/logs/log.%m
>     lock directory = /usr/local/samba/var/locks
>     share modes = yes
>     winbind separator = +
>     winbind uid = 12500-19999
>     winbind gid = 12500-19999
>     winbind enum users = yes
>     winbind enum groups = yes
>     template homedir = /dev/null
>
>     [webdocs]
>     comment = Webdocs Share
>     browseable = yes
>     force create mode = 0664
>     force directory mode = 0775
>     path = /data1/webdocs
>     valid users = @web,@wheel,@LIB+Technology
>     read only = yes
>     locking = no
>
> Not sure that this is set up right, or that I might be missing something else:
>
> /etc/pam.d/samba
>
>     auth sufficient /lib/security/pam_winbind.so
>     auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
>     account required /lib/security/pam_winbind.so
>     session required /lib/security/pam_pwdb.so
>     password required /lib/security/pam_pwdb.so # shadow md5 nullok audit
>
> When a user that doesn't have a matching Linux account tries to access the share, they get challenged.
>
> Please let me know what I'm missing - either in my Samba configuration or in the information I've attempted to provide to you.
>
> Thanks muchly in advance for your assistance.
>
> Eric Stewart - Network Admin - USF Tampa Library - eric@lib.usf.edu
> SCUBA Diver: 220 Dives Most Recent: 05/10/03 Chankanaab Park, Cozumel
> GeoCacher: 58 Found Most Recent: 07/04/03 GCGBHE - Fun in the Sun
> http://www.scubadiving.com/talk/ and http://www.geocaching.com/