Breno Moiana
2005-Apr-26 12:51 UTC
[Samba] Samba as domain member server cannot authenticate users
This problem was already described in a very similar way in Oct 2004 in the following message:
[http://lists.samba.org/archive/samba/2004-October/094683.html]
As no solution was found so far, I am re-posting it in the hope that somebody can help.
================================================

Situation:
- A Windows 2000 domain with Active Directory up and running.
- A Samba server with fileshares and printers. Debian Sarge, Samba 3.0.10
- Windows clients

Objective:
- To have Windows users being able to transparently map fileshares on the Linux server, and to print to these Linux printers without having to enter a separate password for the Linux shares/printers. The Linux server should accept the Windows logged-in user.

What I have accomplished:
Installed Samba, it worked fine with local authentication.
Changed the Samba configuration and installed winbind, and changed the /etc/nsswitch.conf, /etc/pam.d/login, so I could log in to the Linux machine using the Windows AD authentication.
With those changes, I can successfully log in to the Linux server with a Windows user.

What is missing:
With this setup, I can't access the fileshares when I try to map them from a Windows client. The Linux server requests the password, and I try to enter "username", "domain\username", "username@domain", "\\domain\username", "DOMAIN\username", and nothing works.

Diagnostics:
When I try to access a share from a Windows machine, the /var/log/samba/log.machinename reports this:

---log---
[2005/04/25 18:51:13, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User MYDOMAIN\username!
---/log---

However, if I log on locally, the user MYDOMAIN\username is a valid one!

I have stripped out the comments, and post my smb.conf below (mydomain being my domain, and username# being valid usernames):

---smb.conf---
[global]
   workgroup = mydomain
   server string = %h server (Samba %v)
   include = /etc/samba/dhcp.conf
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   security = domain
   password server = *

   encrypt passwords = true
   passdb backend = tdbsam guest

   obey pam restrictions = yes

   guest account = nobody
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

   SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY

   domain master = no
   local master = no
   preferred master = no

   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash

[testshare]
   comment = Testing share
   writable = yes
   path = /fileshare/testshare
   write list = username1,username2
   force create mode = 0775
   force directory mode = 6775
---/smb.conf---

Something is wrong, I just couldn't figure out what. I believe it to be something to make Samba "talk" to winbindd, identifying the users.
If I find out the answer, will post it here.

Thanks very much for the attention!

Best Regards!

Breno Moiana.
Breno Moiana
2005-Apr-29 18:32 UTC
[Samba] SOLVED - Samba as domain member server cannot authenticate users
Okay, I found the problem here. The issue was with authentication, which Samba was trying to do as if it was talking to an NT domain, when it was actually an Active Directory server.

To solve it, I made these changes to smb.conf:

1. ADDED "realm = fully.qualified.dom.ain"
2. CHANGED TO "security = ads"

With that, and the howto provided by Kent West at http://faculty.acu.edu/westk/winbind.html, I was able to get things working here.

I thank all for the help and patience :)

Best Regards,
Breno Moiana.
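
A check for the two settings the fix changed, plus the `obey pam restrictions` switch behind the logged PAM rejection, as an added example that is not part of the original posts. The function names and verdict strings are made up for illustration, and the sample is a constructed subset of the posted config.

```shell
#!/bin/sh
# Added example: lint smb.conf [global] for the settings in this thread.

# Print the last value of a [global] parameter. Samba ignores case and
# whitespace in parameter names, so the lookup normalises both.
global_param() {  # usage: global_param <file> <parameter name>
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want = norm(want) }
        /^[ \t]*[#;]/ { next }            # comment lines
        /^[ \t]*\[/   { sec = norm($0); next }
        sec == "[global]" && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (norm(name) == want) found = val
        }
        END { print found }
    ' "$1"
}

# Print a verdict; return 0 only for an Active Directory member setup.
check_member_mode() {  # usage: check_member_mode <smb.conf>
    sec=$(global_param "$1" security | tr 'A-Z' 'a-z')
    realm=$(global_param "$1" realm)
    case "$sec" in
        ads)    [ -n "$realm" ] && { echo ok; return 0; }
                echo ads-without-realm; return 1 ;;
        domain) echo nt4-style-domain; return 1 ;;
        *)      echo not-a-domain-member; return 1 ;;
    esac
}

# smbd runs the PAM account check seen in the posted log only when
# "obey pam restrictions" is enabled.
pam_check_enabled() {  # usage: pam_check_enabled <smb.conf>
    case "$(global_param "$1" 'obey pam restrictions' | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample: the relevant lines of the first post's config.
sample=$(mktemp)
printf '%s\n' '[global]' '   workgroup = mydomain' '   security = domain' \
    '   obey pam restrictions = yes' '[testshare]' '   writable = yes' > "$sample"
echo "first post: $(check_member_mode "$sample")"
```

Point `check_member_mode` at `/etc/samba/smb.conf` before restarting smbd; `testparm -s` prints the configuration as Samba itself parsed it.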