I had samba working, then I tried (unsuccessfully) to setup ssh pam auth.
Now users are prompted for a password when accessing shares, but no password
works. I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.
I forgot to backup pam file system-auth before modifying things, so I'm not
sure if that is the problem.
-------------------------------
These commands succeed:
wbinfo -u,
wbinfo -g
getent passwd
getent group
net ads info
Time is within 2 seconds between 'net time' and 'date'
-------------------------------
Running winbind in interactive mode while trying to connect,
winbindd -S -i -F -d 8 -Y
The end of the output (as there is a lot) looks like this:
...
remove_duplicate_gids: Enter 5 gids
remove_duplicate_gids: Exit 5 gids
[ 6411]: gid to sid 10001
[ 6411]: gid to sid 10066
[ 6411]: gid to sid 10067
[ 6411]: gid to sid 10265
[ 6411]: gid to sid 10274
read failed on sock 20, pid 6411: EOF
read failed on sock 19, pid 6411: EOF
-------------------------------
/etc/samba/smb.conf
[global]
server string = Samba Server
workgroup = MYREALM
realm = MYREALM.MY.DOMAIN.COM
security = ADS
username map = /etc/samba/smbusers
map to guest = Bad User
password server = *
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = no
local master = no
domain master = no
os level = 33
wins server = 128.32.68.75 128.32.67.118
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = Yes
template primary group = "Domain Users"
template homedir = /home/%U
template shell = /bin/bash
load printers = no
log level = 1
syslog = 0
log file = /var/log/samba/%m.log
max log size = 0
-------------------------------
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass
nolocal
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3
typepassword sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
------------------------------
John Stile wrote:>I had samba working, then I tried (unsuccessfully) to setup ssh pam auth. >Now users are prompted for a password when accessing shares, but no password >works. I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3. >I forgot to backup pam file system-auth before modifying things, so I'm not sure if that is the problem. >------------------------------- >These commands succeed: > wbinfo -u, > wbinfo -g > getent passwd > getent group > net ads info >Time is within 2 seconds between 'net time' and 'date' >------------------------------- >Running winbind in interactive mode while trying to connect, > winbindd -S -i -F -d 8 -Y >The end of the output (as there is a lot) looks like this: > ... > remove_duplicate_gids: Enter 5 gids > remove_duplicate_gids: Exit 5 gids > [ 6411]: gid to sid 10001 > [ 6411]: gid to sid 10066 > [ 6411]: gid to sid 10067 > [ 6411]: gid to sid 10265 > [ 6411]: gid to sid 10274 > read failed on sock 20, pid 6411: EOF > read failed on sock 19, pid 6411: EOF >------------------------------- >/etc/samba/smb.conf >[global] > server string = Samba Server > workgroup = MYREALM > realm = MYREALM.MY.DOMAIN.COM > security = ADS > username map = /etc/samba/smbusers > map to guest = Bad User > password server = * > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > preferred master = no > local master = no > domain master = no > os level = 33 > wins server = 128.32.68.75 128.32.67.118 > ldap ssl = no > idmap uid = 10000-20000 > idmap gid = 10000-20000 > winbind enum users = yes > winbind enum groups = yes > winbind separator = + > winbind use default domain = Yes > template primary group = "Domain Users" > template homedir = /home/%U > template shell = /bin/bash > load printers = no > log level = 1 > syslog = 0 > log file = /var/log/samba/%m.log > max log size = 0 >------------------------------- >/etc/pam.d/system-auth >#%PAM-1.0 ># This file is auto-generated. ># User changes will be destroyed the next time authconfig is run. >auth required /lib/security/$ISA/pam_env.so >auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok >auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal >auth required /lib/security/$ISA/pam_deny.so > >account required /lib/security/$ISA/pam_unix.so > >password required /lib/security/$ISA/pam_cracklib.so retry=3 type>password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow >password required /lib/security/$ISA/pam_deny.so > >session required /lib/security/$ISA/pam_limits.so >session required /lib/security/$ISA/pam_unix.so >------------------------------ > > >This sounds a lot like the kerberos incompatibility issue we know about with 2003 DC's....Are you using 2003 or 2000? Also, are you sure you are running the 1.3.x MIT kerberos packages? RHEL3 doesn't ship with them and if you managed to get it installed I'd be curious how you did so. Christian
On Wed, 2004-12-01 at 11:06 -0800, John Stile wrote:> I had samba working, then I tried (unsuccessfully) to setup ssh pam auth. > Now users are prompted for a password when accessing shares, but no password > works. I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3. > I forgot to backup pam file system-auth before modifying things, so I'm not sure if that is the problem. > ------------------------------- > These commands succeed: > wbinfo -u, > wbinfo -g > getent passwd > getent group > net ads info > Time is within 2 seconds between 'net time' and 'date' > ------------------------------- > Running winbind in interactive mode while trying to connect, > winbindd -S -i -F -d 8 -Y > The end of the output (as there is a lot) looks like this: > ... > remove_duplicate_gids: Enter 5 gids > remove_duplicate_gids: Exit 5 gids > [ 6411]: gid to sid 10001 > [ 6411]: gid to sid 10066 > [ 6411]: gid to sid 10067 > [ 6411]: gid to sid 10265 > [ 6411]: gid to sid 10274 > read failed on sock 20, pid 6411: EOF > read failed on sock 19, pid 6411: EOF > ------------------------------- > /etc/samba/smb.conf > [global] > server string = Samba Server > workgroup = MYREALM > realm = MYREALM.MY.DOMAIN.COM > security = ADS > username map = /etc/samba/smbusers > map to guest = Bad User > password server = * > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > preferred master = no > local master = no > domain master = no > os level = 33 > wins server = 128.32.68.75 128.32.67.118 > ldap ssl = no > idmap uid = 10000-20000 > idmap gid = 10000-20000 > winbind enum users = yes > winbind enum groups = yes > winbind separator = + > winbind use default domain = Yes > template primary group = "Domain Users" > template homedir = /home/%U > template shell = /bin/bash > load printers = no > log level = 1 > syslog = 0 > log file = /var/log/samba/%m.log > max log size = 0 > ------------------------------- > /etc/pam.d/system-auth > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > auth required /lib/security/$ISA/pam_env.so > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok > auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal > auth required /lib/security/$ISA/pam_deny.so > > account required /lib/security/$ISA/pam_unix.so > > password required /lib/security/$ISA/pam_cracklib.so retry=3 type> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow > password required /lib/security/$ISA/pam_deny.so > > session required /lib/security/$ISA/pam_limits.so > session required /lib/security/$ISA/pam_unix.so > ------------------------------I'm also seeing errors in /var/log/samba/winbindd.log [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390) ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm) [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81) ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390) ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm) [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390) ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@CAMPUS.BERKELEY.EDU (Cannot find KDC for requested realm) [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81) ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
Maybe Matching Threads
- Can RH AS3 be a ADS member with winbind+nss+krb5?
- errors from ads_krb5_mk_req errors and util_sock.c:send_smb
- samba v3b3, SuSE 8.0 enterprise, heimdal 0.6, openssl ADS issues
- kerberos error when users in trusted win2k domain try to browse samba server
- winbind ubuntu 9.10 crashing machine