Ok - I replaced my /etc/pam.d/login with the one you've posted.
getent still lists just local machine users and groups for me.
Trying to attach to the machine results in this in the hosts samba log:
Doing spnego session setup
NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
Got OID 1 2 840 48018 1 2 2
Got OID 1 2 840 113554 1 2 2
Got OID 1 3 6 1 4 1 311 2 2 10
Got secblob of size 1235
Ticket name is [gavdav@MYNETWORK.ISP.CO.UK]
Username gavdav is invalid on this system
error string = No such file or directory
error packet at smbd/sesssetup.c(220) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
timeout_processing: End of file from client (client has disconnected).
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Closing connections
Yielding connection to
yield_connection: tdb_delete for name failed with error Record does not exist.
Server exit (normal exit)
Still stuck - what should I have in /etc/pam_smb.conf and /etc/pam.d/system-auth?
smb.conf now:
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYNETWORK.ISP.CO.UK
server string = Revolver
security = ADS
password server = bashful
log level = 3
log file = /var/log/samba/log.%m
max log size = 100
smb ports = 139 445
announce as = NT Workstation
name resolve order = host bcast
client signing = Yes
server signing = Yes
client use spnego = Yes
use spnego = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 10
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +
winbind cache time = 2
winbind use default domain = Yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yeS
comment = Redhat 8.0 Samba
hosts allow = 127., 10.0.0.
[homes]
comment = Home Directories
read only = No
browseable = No
[usr-local]
path = /usr/local
read only = Yes
valid users = @MYNETWORK.ISP.CO.UK\"Domain Users"
Admin users = @MYNETWORK.ISP.CO.UK\gavdav
###################################################
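An added example, not part of the original message: a small parser for smbd log output like the excerpt quoted above. It reports session setups where a Kerberos ticket name was logged and the user name was then rejected as unknown on the local system, which separates an account-mapping failure from other causes of NT_STATUS_LOGON_FAILURE. Function and field names are hypothetical, and the sample log is constructed from lines in the message.

```python
"""Find SPNEGO session setups in an smbd log where a Kerberos ticket name was
logged and the user was then rejected as unknown to the local system.
Added example; function and field names are hypothetical."""
import re

TICKET = re.compile(r"Ticket name is \[([^@\]]+)@([^\]]+)\]")
INVALID = re.compile(r"Username (\S+) is invalid on this system")
STATUS = re.compile(r"\bNT_STATUS_[A-Z_]+\b")

def unmapped_kerberos_logons(log_text):
    findings, session = [], None
    for line in log_text.splitlines():
        if "Doing spnego session setup" in line:
            session = {"principal": None, "realm": None, "unix_name": None}
            continue
        if session is None:
            continue  # ignore lines outside a session setup
        ticket = TICKET.search(line)
        if ticket:
            session["principal"], session["realm"] = ticket.groups()
            continue
        invalid = INVALID.search(line)
        if invalid:
            session["unix_name"] = invalid.group(1)
            continue
        status = STATUS.search(line)
        if status:
            # Report only when both the ticket and the rejection were seen.
            if session["principal"] and session["unix_name"]:
                findings.append(dict(session, status=status.group(0)))
            session = None
    return findings

# Constructed sample: lines taken from the log quoted in the message above.
SAMPLE_LOG = """\
Doing spnego session setup
Got secblob of size 1235
Ticket name is [gavdav@MYNETWORK.ISP.CO.UK]
Username gavdav is invalid on this system
error packet at smbd/sesssetup.c(220) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    for f in unmapped_kerberos_logons(SAMPLE_LOG):
        print(f"{f['principal']}@{f['realm']}: ticket read, but Unix name "
              f"{f['unix_name']!r} not found ({f['status']})")
```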
Re: domain groups accessing samba share
Hi Gavin,
This is what I have for my /etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so nodelay use_first_pass
auth sufficient /lib/security/pam_krb5.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account sufficient /lib/security/pam_krb5.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
And when I issue getent group or getent passwd it lists both local and ADS
users.
Regards,
Luke
-----Original Message-----
From: Gavin Davenport [mailto:gavdav@gavdav.demon.co.uk]
Sent: 15 October 2003 09:05
To: samba@lists.samba.org
Cc: Tim Jordan, Network Services
Subject: RE: [Samba] Re: domain groups accessing samba share
Hiya Tim, Thanks for helping.
Can you post your
smb.conf
/etc/pam.d/login
wbinfo -g
wbinfo -u
getent passwd
getent group
Here we go:
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYNETWORK.ISP.CO.UK
server string = Linux Samba Server
security = ADS
password server = bashful
log level = 3
log file = /var/log/samba/log.%m
max log size = 100
smb ports = 445
announce as = NT Workstation
name resolve order = host bcast
wins server = 10.0.0.104
client signing = Yes
server signing = Yes
client use spnego = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 10
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
# winbind separator = +
winbind cache time = 2
# winbind use default domain = Yes
comment = Redhat 7.1 Samba
hosts allow = 127., 10.0.0.
[homes]
comment = Home Directories
read only = No
browseable = No
[Software]
comment = Software Library
path = /mnt/largeprimary/software
# valid users = @MYNETWORK.ISP.CO.UK\"Domain Users"
# Admin users = @MYNETWORK.ISP.CO.UK\gavdav
[root@potato /root]# more /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
wbinfo -u
[root@potato /root]# wbinfo -u
MYDOMAIN\gavdav
MYDOMAIN\Guest
MYDOMAIN\Administrator
MYDOMAIN\krbtgt
MYDOMAIN\SUPPORT_388945a0
MYDOMAIN\fbloggs
<snip>
wbinfo -g
[root@potato /root]# wbinfo -g
MYDOMAIN\Domain Computers
MYDOMAIN\Cert Publishers
MYDOMAIN\Domain Users
MYDOMAIN\Domain Guests
MYDOMAIN\RAS and IAS Servers
MYDOMAIN\Group Policy Creator Owners
MYDOMAIN\Schema Admins
MYDOMAIN\Enterprise Admins
MYDOMAIN\Domain Admins
MYDOMAIN\Domain Controllers
<snip>
[root@potato /root]# getent passwd
root:x:0:0:root:/root:/bin/bash
<snip>
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
gavdav:x:500:500:Gavin Davenport:/home/gavdav:/bin/bash
named:x:200:200:Nameserver:/var/named:/bin/false
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
[root@potato /root]# getent group
root:x:0:root
<snip>
nobody:x:99:
users:x:100:gavdav
<snip>
xfs:x:43:
gdm:x:42:
gavdav:x:500:
vcsa:x:69:
getent and setent are listing local users and groups.
What do I need to change in /etc/pam.d/login to fix it ?
Where should I be looking for help ?
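An added check, not part of the original thread, for the situation shown above where `wbinfo -u` lists domain accounts but `getent passwd` (which reads accounts through the name service switch) does not. It counts a name as resolved only if its UID falls inside the `idmap uid` range from smb.conf, so a local account with the same name, such as the uid 500 `gavdav` entry, does not hide a missing domain mapping. Function names are hypothetical and the sample inputs are constructed from the output quoted in the thread.

```python
"""Compare `wbinfo -u` with `getent passwd` to find domain users that the
name service switch does not resolve. Added example; names are hypothetical."""

def parse_idmap_range(smb_conf_text, key="idmap uid"):
    """Return (low, high) from a line such as 'idmap uid = 10000-20000'."""
    for line in smb_conf_text.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name.lower() == key:
            low, high = value.split("-", 1)
            return int(low), int(high)
    raise ValueError(f"{key!r} not set")

def unresolved_domain_users(wbinfo_out, getent_out, uid_range, separator="\\"):
    """Domain users from wbinfo that have no passwd entry in uid_range."""
    low, high = uid_range
    mapped = set()
    for line in getent_out.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skips '<snip>' markers and malformed lines
        if low <= int(fields[2]) <= high:
            # Entry may be 'DOMAIN<sep>user' or a bare 'user' when
            # 'winbind use default domain = Yes' is set.
            mapped.add(fields[0].split(separator)[-1].lower())
    missing = []
    for line in wbinfo_out.splitlines():
        name = line.strip()
        if not name or name.startswith("<"):
            continue
        if name.split(separator)[-1].lower() not in mapped:
            missing.append(name)
    return missing

# Constructed samples, abridged from the output quoted in the thread.
SMB_CONF = "idmap uid = 10000-20000\nidmap gid = 10000-20000\n"
WBINFO_U = "MYDOMAIN\\gavdav\nMYDOMAIN\\Guest\nMYDOMAIN\\fbloggs\n"
GETENT = ("root:x:0:0:root:/root:/bin/bash\n<snip>\n"
          "gavdav:x:500:500:Gavin Davenport:/home/gavdav:/bin/bash\n")

if __name__ == "__main__":
    rng = parse_idmap_range(SMB_CONF)
    for user in unresolved_domain_users(WBINFO_U, GETENT, rng):
        print("not resolved through NSS:", user)
```

With real systems, feed it the saved output of `wbinfo -u` and `getent passwd`, and pass the `winbind separator` value when it is set to something other than the backslash.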