I had samba working, then I tried (unsuccessfully) to set up ssh pam auth.
Now users are prompted for a password when accessing shares, but no password
works. I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.
I forgot to back up pam file system-auth before modifying things, so I'm not sure if that is the problem.
-------------------------------
These commands succeed:
  wbinfo -u,
  wbinfo -g
  getent passwd
  getent group
  net ads info
Time is within 2 seconds between 'net time' and 'date'
-------------------------------
Running winbind in interactive mode while trying to connect,
  winbindd -S -i -F -d 8 -Y
The end of the output (as there is a lot) looks like this:
  ...
  remove_duplicate_gids: Enter 5 gids
  remove_duplicate_gids: Exit 5 gids
  [ 6411]: gid to sid 10001
  [ 6411]: gid to sid 10066
  [ 6411]: gid to sid 10067
  [ 6411]: gid to sid 10265
  [ 6411]: gid to sid 10274
  read failed on sock 20, pid 6411: EOF
  read failed on sock 19, pid 6411: EOF
-------------------------------
/etc/samba/smb.conf
[global]
  server string = Samba Server
  workgroup = MYREALM
  realm = MYREALM.MY.DOMAIN.COM
  security = ADS
  username map = /etc/samba/smbusers
  map to guest = Bad User
  password server = *
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  preferred master = no
  local master = no
  domain master = no
  os level = 33
  wins server = 128.32.68.75 128.32.67.118
  ldap ssl = no
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  winbind separator = +
  winbind use default domain = Yes
  template primary group = "Domain Users"
  template homedir = /home/%U
  template shell = /bin/bash
  load printers = no
  log level = 1
  syslog = 0
  log file = /var/log/samba/%m.log
  max log size = 0
-------------------------------
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 type
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
------------------------------

John Stile wrote:
>I had samba working, then I tried (unsuccessfully) to set up ssh pam auth.
>Now users are prompted for a password when accessing shares, but no password
>works. I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.
>I forgot to back up pam file system-auth before modifying things, so I'm not sure if that is the problem.
>-------------------------------
>These commands succeed:
>  wbinfo -u,
>  wbinfo -g
>  getent passwd
>  getent group
>  net ads info
>Time is within 2 seconds between 'net time' and 'date'
>-------------------------------
>Running winbind in interactive mode while trying to connect,
>  winbindd -S -i -F -d 8 -Y
>The end of the output (as there is a lot) looks like this:
>  ...
>  remove_duplicate_gids: Enter 5 gids
>  remove_duplicate_gids: Exit 5 gids
>  [ 6411]: gid to sid 10001
>  [ 6411]: gid to sid 10066
>  [ 6411]: gid to sid 10067
>  [ 6411]: gid to sid 10265
>  [ 6411]: gid to sid 10274
>  read failed on sock 20, pid 6411: EOF
>  read failed on sock 19, pid 6411: EOF
>-------------------------------
>/etc/samba/smb.conf
>[global]
>  server string = Samba Server
>  workgroup = MYREALM
>  realm = MYREALM.MY.DOMAIN.COM
>  security = ADS
>  username map = /etc/samba/smbusers
>  map to guest = Bad User
>  password server = *
>  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>  preferred master = no
>  local master = no
>  domain master = no
>  os level = 33
>  wins server = 128.32.68.75 128.32.67.118
>  ldap ssl = no
>  idmap uid = 10000-20000
>  idmap gid = 10000-20000
>  winbind enum users = yes
>  winbind enum groups = yes
>  winbind separator = +
>  winbind use default domain = Yes
>  template primary group = "Domain Users"
>  template homedir = /home/%U
>  template shell = /bin/bash
>  load printers = no
>  log level = 1
>  syslog = 0
>  log file = /var/log/samba/%m.log
>  max log size = 0
>-------------------------------
>/etc/pam.d/system-auth
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth required /lib/security/$ISA/pam_env.so
>auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
>auth required /lib/security/$ISA/pam_deny.so
>
>account required /lib/security/$ISA/pam_unix.so
>
>password required /lib/security/$ISA/pam_cracklib.so retry=3 type
>password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>password required /lib/security/$ISA/pam_deny.so
>
>session required /lib/security/$ISA/pam_limits.so
>session required /lib/security/$ISA/pam_unix.so
>------------------------------
>
>

This sounds a lot like the Kerberos incompatibility issue we know about with 2003 DC's.... Are you using 2003 or 2000? Also, are you sure you are running the 1.3.x MIT Kerberos packages? RHEL3 doesn't ship with them and if you managed to get it installed I'd be curious how you did so.

Christian

On Wed, 2004-12-01 at 11:06 -0800, John Stile wrote:
> I had samba working, then I tried (unsuccessfully) to set up ssh pam auth.
> Now users are prompted for a password when accessing shares, but no password
> works. I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.
> I forgot to back up pam file system-auth before modifying things, so I'm not sure if that is the problem.
> -------------------------------
> These commands succeed:
>   wbinfo -u,
>   wbinfo -g
>   getent passwd
>   getent group
>   net ads info
> Time is within 2 seconds between 'net time' and 'date'
> -------------------------------
> Running winbind in interactive mode while trying to connect,
>   winbindd -S -i -F -d 8 -Y
> The end of the output (as there is a lot) looks like this:
>   ...
>   remove_duplicate_gids: Enter 5 gids
>   remove_duplicate_gids: Exit 5 gids
>   [ 6411]: gid to sid 10001
>   [ 6411]: gid to sid 10066
>   [ 6411]: gid to sid 10067
>   [ 6411]: gid to sid 10265
>   [ 6411]: gid to sid 10274
>   read failed on sock 20, pid 6411: EOF
>   read failed on sock 19, pid 6411: EOF
> -------------------------------
> /etc/samba/smb.conf
> [global]
>   server string = Samba Server
>   workgroup = MYREALM
>   realm = MYREALM.MY.DOMAIN.COM
>   security = ADS
>   username map = /etc/samba/smbusers
>   map to guest = Bad User
>   password server = *
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>   preferred master = no
>   local master = no
>   domain master = no
>   os level = 33
>   wins server = 128.32.68.75 128.32.67.118
>   ldap ssl = no
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind separator = +
>   winbind use default domain = Yes
>   template primary group = "Domain Users"
>   template homedir = /home/%U
>   template shell = /bin/bash
>   load printers = no
>   log level = 1
>   syslog = 0
>   log file = /var/log/samba/%m.log
>   max log size = 0
> -------------------------------
> /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so
>
> password required /lib/security/$ISA/pam_cracklib.so retry=3 type
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> ------------------------------

I'm also seeing errors in /var/log/samba/winbindd.log

[2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
[2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
[2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
[2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
[2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
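
Added example, not part of the thread and not code from any poster or from Samba: a check that pulls the realms named in "Cannot find KDC for requested realm" entries like the ones quoted above and reports what a krb5.conf says about locating a KDC for each. The krb5.conf text is a constructed placeholder (the poster's file is not shown), and the function names are hypothetical.

```python
import re

# winbindd.log entries as quoted in the thread (two of the five; same realm).
SAMPLE_LOG = """\
[2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm)
[2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
"""
# Constructed krb5.conf (assumption: stands in for the file on the affected host).
SAMPLE_KRB5 = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = kdc1.example.com
 }
"""
FAIL_RE = re.compile(r"failed for \S+@(\S+) \(Cannot find KDC for requested realm\)")

def failed_realms(log_text):
    """Realms for which krb5_get_credentials reported 'Cannot find KDC'."""
    return set(FAIL_RE.findall(log_text))

def parse_krb5(conf_text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    section, realm, libdefaults, realms = None, None, {}, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                realm = key
                realms[key] = []
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms

def diagnose(log_text, conf_text):
    """Map each failing realm to what krb5.conf says about finding its KDC."""
    libdefaults, realms = parse_krb5(conf_text)
    dns = libdefaults.get("dns_lookup_kdc", "unset")
    return {r: ("kdc listed: " + ", ".join(realms[r]) if realms.get(r)
                else "no kdc in [realms]; dns_lookup_kdc=" + dns)
            for r in sorted(failed_realms(log_text))}
```

A realm reported with no kdc entry and DNS lookup disabled or unset points at krb5.conf rather than at PAM: the Kerberos library has no static or DNS route to a KDC for that realm.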