I had samba working, then I tried (unsuccessfully) to set up ssh pam auth.
Now users are prompted for a password when accessing shares, but no password
works.  I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.
I forgot to back up pam file system-auth before modifying things, so I'm not
sure if that is the problem.
-------------------------------
These commands succeed:
  wbinfo -u, 
  wbinfo -g  
  getent passwd
  getent group
  net ads info 
Time is within 2 seconds between 'net time' and 'date'
-------------------------------
Running winbind in interactive mode while trying to connect, 
    winbindd -S -i -F -d 8 -Y
The end of the output (as there is a lot) looks like this:
    ...
    remove_duplicate_gids: Enter 5 gids
    remove_duplicate_gids: Exit 5 gids
    [ 6411]: gid to sid 10001
    [ 6411]: gid to sid 10066
    [ 6411]: gid to sid 10067
    [ 6411]: gid to sid 10265
    [ 6411]: gid to sid 10274
    read failed on sock 20, pid 6411: EOF
    read failed on sock 19, pid 6411: EOF
-------------------------------
/etc/samba/smb.conf 
[global]
   server string = Samba Server
   workgroup = MYREALM
   realm = MYREALM.MY.DOMAIN.COM
   security = ADS
   username map = /etc/samba/smbusers
   map to guest = Bad User
   password server = *
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   preferred master = no
   local master = no
   domain master = no
   os level = 33
   wins server = 128.32.68.75 128.32.67.118
   ldap ssl = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind separator = +
   winbind use default domain = Yes
   template primary group = "Domain Users"
   template homedir = /home/%U
   template shell = /bin/bash
   load printers = no
   log level = 1
   syslog = 0
   log file = /var/log/samba/%m.log
   max log size = 0
-------------------------------
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
------------------------------
John Stile wrote:

>I had samba working, then I tried (unsuccessfully) to set up ssh pam auth.
>Now users are prompted for a password when accessing shares, but no password
>works.  I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.
>I forgot to back up pam file system-auth before modifying things, so I'm not
>sure if that is the problem.
>-------------------------------
>These commands succeed:
>  wbinfo -u,
>  wbinfo -g
>  getent passwd
>  getent group
>  net ads info
>Time is within 2 seconds between 'net time' and 'date'
>-------------------------------
>Running winbind in interactive mode while trying to connect,
>    winbindd -S -i -F -d 8 -Y
>The end of the output (as there is a lot) looks like this:
>    ...
>    remove_duplicate_gids: Enter 5 gids
>    remove_duplicate_gids: Exit 5 gids
>    [ 6411]: gid to sid 10001
>    [ 6411]: gid to sid 10066
>    [ 6411]: gid to sid 10067
>    [ 6411]: gid to sid 10265
>    [ 6411]: gid to sid 10274
>    read failed on sock 20, pid 6411: EOF
>    read failed on sock 19, pid 6411: EOF
>-------------------------------
>/etc/samba/smb.conf
>[global]
>   server string = Samba Server
>   workgroup = MYREALM
>   realm = MYREALM.MY.DOMAIN.COM
>   security = ADS
>   username map = /etc/samba/smbusers
>   map to guest = Bad User
>   password server = *
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>   preferred master = no
>   local master = no
>   domain master = no
>   os level = 33
>   wins server = 128.32.68.75 128.32.67.118
>   ldap ssl = no
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind separator = +
>   winbind use default domain = Yes
>   template primary group = "Domain Users"
>   template homedir = /home/%U
>   template shell = /bin/bash
>   load printers = no
>   log level = 1
>   syslog = 0
>   log file = /var/log/samba/%m.log
>   max log size = 0
>-------------------------------
>/etc/pam.d/system-auth
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth        required      /lib/security/$ISA/pam_env.so
>auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
>auth        required      /lib/security/$ISA/pam_deny.so
>
>account     required      /lib/security/$ISA/pam_unix.so
>
>password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
>password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>password    required      /lib/security/$ISA/pam_deny.so
>
>session     required      /lib/security/$ISA/pam_limits.so
>session     required      /lib/security/$ISA/pam_unix.so
>------------------------------
>
>

This sounds a lot like the kerberos incompatibility issue we know about with
2003 DC's.... Are you using 2003 or 2000? Also, are you sure you are running
the 1.3.x MIT kerberos packages? RHEL3 doesn't ship with them and if you
managed to get it installed I'd be curious how you did so.

Christian

On Wed, 2004-12-01 at 11:06 -0800, John Stile wrote:

> I had samba working, then I tried (unsuccessfully) to set up ssh pam auth.
> Now users are prompted for a password when accessing shares, but no password
> works.  I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.
> I forgot to back up pam file system-auth before modifying things, so I'm not
> sure if that is the problem.
> -------------------------------
> These commands succeed:
>   wbinfo -u,
>   wbinfo -g
>   getent passwd
>   getent group
>   net ads info
> Time is within 2 seconds between 'net time' and 'date'
> -------------------------------
> Running winbind in interactive mode while trying to connect,
>     winbindd -S -i -F -d 8 -Y
> The end of the output (as there is a lot) looks like this:
>     ...
>     remove_duplicate_gids: Enter 5 gids
>     remove_duplicate_gids: Exit 5 gids
>     [ 6411]: gid to sid 10001
>     [ 6411]: gid to sid 10066
>     [ 6411]: gid to sid 10067
>     [ 6411]: gid to sid 10265
>     [ 6411]: gid to sid 10274
>     read failed on sock 20, pid 6411: EOF
>     read failed on sock 19, pid 6411: EOF
> -------------------------------
> /etc/samba/smb.conf
> [global]
>    server string = Samba Server
>    workgroup = MYREALM
>    realm = MYREALM.MY.DOMAIN.COM
>    security = ADS
>    username map = /etc/samba/smbusers
>    map to guest = Bad User
>    password server = *
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    preferred master = no
>    local master = no
>    domain master = no
>    os level = 33
>    wins server = 128.32.68.75 128.32.67.118
>    ldap ssl = no
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind separator = +
>    winbind use default domain = Yes
>    template primary group = "Domain Users"
>    template homedir = /home/%U
>    template shell = /bin/bash
>    load printers = no
>    log level = 1
>    syslog = 0
>    log file = /var/log/samba/%m.log
>    max log size = 0
> -------------------------------
> /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so
>
> password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> ------------------------------

I'm also seeing errors in /var/log/samba/winbindd.log

    [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
      ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
    [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
      ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
    [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
      ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
    [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
      ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
    [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
      ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
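
Added example, not part of the thread or of Samba's code: a Python check that pulls the realm out of `Cannot find KDC for requested realm` entries like the ones in the follow-up above and looks it up in a krb5.conf. The `SAMPLE_KRB5` text, `EXAMPLE.COM` and `kdc1.example.com` are constructed placeholders, and the function names are hypothetical.

```python
import re

# One entry in the shape of the winbindd.log lines quoted in the thread.
SAMPLE_LOG = """\
[2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
"""
# Constructed krb5.conf; realm and KDC host are placeholders, not from the thread.
SAMPLE_KRB5 = """\
[libdefaults]
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = kdc1.example.com:88
 }
"""
# Captures the realm part of the principal in a failed credential request.
FAIL = re.compile(r"failed for \S+@(\S+) \(Cannot find KDC for requested realm\)")

def failing_realms(log_text):
    return sorted(set(FAIL.findall(log_text)))

def parse_krb5(conf_text):
    """Return ({realm: [kdc, ...]}, dns_lookup_kdc as True/False, None if unset)."""
    section, realm, kdcs, dns = None, None, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, _, val = (part.strip() for part in line.partition("="))
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "libdefaults" and key == "dns_lookup_kdc":
            dns = val.lower() in ("y", "yes", "true", "t", "1", "on")
        elif section == "realms" and val == "{":
            realm = key                      # opening line of a realm block
        elif section == "realms" and realm and key == "kdc":
            kdcs.setdefault(realm, []).append(val)
    return kdcs, dns

def diagnose(log_text, conf_text):
    """Map each failing realm to what krb5.conf offers for locating its KDC."""
    kdcs, dns = parse_krb5(conf_text)
    return {r: ("kdc configured: " + ", ".join(kdcs[r]) if kdcs.get(r)
                else "no kdc entry in [realms]; dns_lookup_kdc=" + str(dns))
            for r in failing_realms(log_text)}
```

Run against the real files, `diagnose(open("/var/log/samba/winbindd.log").read(), open("/etc/krb5.conf").read())` shows whether the realm in the error has a `kdc` line at all or depends on DNS lookup.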