Chris Goff
2004-Jul-30 20:35 UTC
[Samba] Trouble authenticating clients from ADS domain on Samba 3.0.5 file server
I'm so close I can feel it :-)

I'm having a problem connecting users to their home directories. Under "My Network Places" on XP clients I can see my Samba file server ("Hobbes") just fine. When I double click on it to open it, I get a login/password prompt that I can't bypass even though I try logins/passwords that exist on the ADS server and/or the UNIX accounts. Do I have to add these users under Samba specifically?

I am joined to the ADS domain, I can pull users/groups from wbinfo -t, -u, and -g. When I use webmin I can even go into the Samba module to add users to a share and see all the users from my ADS domain pop up in a window.

Here's a copy of my smb.conf (where I think my problem might lie):

workgroup = NLES
realm = NLES.LOCAL
security = ads
password server = calvin.nles.local
username map = /etc/samba/smbusers
os level = 10
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes

[homes]
comment = %U Home Folder
path = /home/%u
valid users = %U cgoff administrator
# force user = %u
writeable = yes
browseable = no

I think my problem is with the [homes] share, but I'm not sure. Can anyone give me any pointers on what my issue might be? As I said I can talk to the ADS server just fine, seeing lists of users and groups. I'm almost positive I'm not setting up my shares correctly.

Chris Goff
NLES Network Administrator
cgoff at nles.k12.wi.us
Christoph Scheeder
2004-Jul-30 20:48 UTC
[Samba] Trouble authenticating clients from ADS domain on Samba 3.0.5 file server
Hmm, what's your Kerberos version? I would bet it is MIT Kerberos and the version is something lower than 1.3.3, isn't it? If I'm correct you'll have to update your Kerberos to a version >= 1.3.3.

Christoph

Chris Goff schrieb:
> I'm so close I can feel it :-)
>
> I'm having a problem connecting users to their home directories. Under "My
> Network Places" on XP clients I can see my Samba file server ("Hobbes")
> just fine. When I double click on it to open it, I get a login/password
> prompt that I can't bypass even though I try logins/passwords that exist
> on the ADS server and/or the UNIX accounts. Do I have to add these users
> under Samba specifically?
>
> I am joined to the ADS domain, I can pull users/groups from wbinfo -t, -u,
> and -g. When I use webmin I can even go into the Samba module to add users
> to a share and see all the users from my ADS domain pop up in a window.
>
> Here's a copy of my smb.conf (where I think my problem might lie):
>
> workgroup = NLES
> realm = NLES.LOCAL
> security = ads
> password server = calvin.nles.local
> username map = /etc/samba/smbusers
> os level = 10
> dns proxy = No
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> winbind separator = +
> winbind use default domain = Yes
>
> [homes]
> comment = %U Home Folder
> path = /home/%u
> valid users = %U cgoff administrator
> # force user = %u
> writeable = yes
> browseable = no
>
> I think my problem is with the [homes] share, but I'm not sure. Can anyone
> give me any pointers on what my issue might be? As I said I can talk to
> the ADS server just fine, seeing lists of users and groups. I'm almost
> positive I'm not setting up my shares correctly.
>
> Chris Goff
> NLES Network Administrator
> cgoff at nles.k12.wi.us
Greg Folkert
2004-Jul-30 21:09 UTC
[Samba] Trouble authenticating clients from ADS domain on Samba 3.0.5 file server
On Fri, 2004-07-30 at 16:27, Chris Goff wrote:
[...]

Used MIT KRB5 v1.3.4, Samba 3.0.5. Also make sure that all the /lib and /lib/security files related to each get replaced.

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = BIG Storage
security = ADS
auth methods = winbind, sam
obey pam restrictions = Yes
password server = mydc1.mydomain.com
username level = 3
lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 0
syslog = 0
log file = /var/log/samba/%m.log
max log size = 10000
smb ports = 445
disable netbios = Yes
max xmit = 65535
name resolve order = wins hosts bcast
server signing = auto
deadtime = 10080
socket options = IPTOS_LOWDELAY TCP_NODELAY
logon path =
logon home =
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-40000
idmap gid = 10000-40000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind separator = +
winbind cache time = 20
winbind nested groups = Yes
ea support = Yes
use client driver = Yes
hide special files = Yes
map archive = No

[homes]
comment = Home Directories
read only = No
create mask = 0700
directory mask = 0700
browseable = No

My krb5.conf
======================================
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = MYNETWORK.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
kdc_timesync = 1
dns_lookup_realm = true
dns_lookup_kdc = true
forward = true
forwardable = true
proxiable = true
autologin = true
encrypt = true

[realms]
NETWORKMCS.COM = {
kdc = mydc1.mynetwork.com:88
admin_server = mydc1.mynetwork.com:749
default_domain = mynetwork.com
}

[domain_realm]
.mynetwork.com = MYNETWORK.COM
mynetwork.com = MYNETWORK.COM

[pam]
debug = false
ticket_lifetime = 24000
renew_lifetime = 24000
forward = true
forwardable = true
autologin = true
encrypt = true
krb4_convert = false

My /etc/pam.d/login
=====================
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_stack.so service=system-auth
session optional pam_console.so

--
greg, greg@gregfolkert.net
The technology that is Stronger, better, faster: Linux
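The [global] section Greg posted turns off LM and NTLMv1 authentication and plaintext/LM client auth, whereas Chris's snippet leaves all of these at Samba's defaults. The following audit script is an added example, not code from either poster or from the Samba project: it parses an smb.conf (the sample embedded below is constructed from Chris's snippet) and reports every authentication setting that differs from the values in Greg's [global] section. The policy table and the sample text are assumptions made for this example.

```python
"""Audit the authentication settings of an smb.conf (added example)."""
import configparser

# Target values, taken from the [global] section Greg posted in this thread.
AUTH_POLICY = {
    "security": "ads",
    "lanman auth": "no",
    "ntlm auth": "no",
    "client ntlmv2 auth": "yes",
    "client lanman auth": "no",
    "client plaintext auth": "no",
}

def normalize(value):
    """Samba accepts yes/true/1 and no/false/0; fold them to yes/no."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return "yes"
    return "no" if v in ("no", "false", "0") else v

def parse_smb_conf(text):
    # Samba treats parameters before the first [section] as [global]
    # (as in Chris's snippet); configparser does not, so add the header.
    body = text.lstrip()
    if not body.startswith("["):
        body = "[global]\n" + body
    # '%U'-style substitutions are Samba's, not configparser interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = lambda key: " ".join(key.lower().split())  # case/space-insensitive keys
    cp.read_string(body)
    return cp

def audit(text):
    """Return [(key, value_found_or_None, expected)] for every deviating setting."""
    cp = parse_smb_conf(text)
    global_section = cp["global"] if cp.has_section("global") else {}
    findings = []
    for key, expected in AUTH_POLICY.items():
        found = global_section.get(key)
        if found is None or normalize(found) != expected:
            findings.append((key, found, expected))
    return findings

# Constructed sample based on Chris's snippet: only 'security' is set.
SAMPLE_ORIGINAL = """workgroup = NLES
realm = NLES.LOCAL
security = ads
password server = calvin.nles.local

[homes]
path = /home/%u
valid users = %U cgoff administrator
"""

if __name__ == "__main__":
    for key, found, expected in audit(SAMPLE_ORIGINAL):
        print(f"{key}: found {found!r}, expected {expected!r}")
```

An unset key is reported as a deviation because the compiled-in default then applies, which is exactly the case the audit is meant to surface.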
Chris Goff
2004-Jul-30 21:16 UTC
[Samba] Trouble authenticating clients from ADS domain on Samba 3.0.5 file
Did you install the PAM from the Samba FTP server, or PAM from padl.com?

I ended up following another tutorial than my original post here on the mailing list a day or so back:

http://www.rongage.org/manual_samba_howto.html

Everything has worked like a charm, although there was no mention of PAM.

Chris Goff
NLES Network Administrator
cgoff at nles.k12.wi.us

greg@gregfolkert.net writes:
> My /etc/pam.d/login
> =====================
> #%PAM-1.0
> auth required pam_securetty.so
> auth sufficient pam_winbind.so
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account sufficient pam_winbind.so
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_stack.so service=system-auth
> session optional pam_console.so
Greg Folkert
2004-Jul-30 21:37 UTC
[Samba] Trouble authenticating clients from ADS domain on Samba 3.0.5 file
On Fri, 2004-07-30 at 17:08, Chris Goff wrote:
> Did you install the PAM from the Samba FTP server, or PAM from padl.com?
>
> I ended up following another tutorial than my original post here on the
> mailing list a day or so back:
>
> http://www.rongage.org/manual_samba_howto.html
>
> Everything has worked like a charm, although there was no mention of PAM.

I actually used the pam src rpm from Fedora Core 1/2, whichever was 0.77.

rpmbuild --rebuild that.src.rpm

Then install it.

--
greg, greg@gregfolkert.net
The technology that is Stronger, better, faster: Linux