Oliver Neubauer
2005-Oct-19 16:30 UTC
[Samba] samba with ADS. winbindd ignore for user authentication
Hello,

I'm trying to set up samba using ADS for authentication.

I can successfully join the samba machine to the domain. Windows hosts can "see" the samba machine.

After successfully joining, doing:

# wbinfo -u

shows me ADS-defined users. Same goes for groups.

However, when I try and assign one of those users ownership of a file, I get:

# chown user1 /tmp/test
chown: test1: illegal user name

even though that user is a valid AD user.

Interestingly, I was able to do this successfully on another install. As long as smbd/winbindd are running, I could assign file ownership to AD users (from the samba machine). Accordingly, they would be mapped in the winbindd_idmap.tdb file, and for all intents and purposes, were valid filesystem users.

On this particular problem-install it seems that winbindd is never even consulted when changing ownership (tracing the process shows no activity during chowns).

I have set the nsswitch.conf file accordingly:

# cat /etc/nsswitch.conf
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files

Similarly, trying to access the shares via a windows machine fails. The pertinent log dump from smbd shows this:

[2005/10/19 11:46:12, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username NTFWIN\test1 is invalid on this system

So it's like the system doesn't know about the AD users at all, therefore no authentication can take place, and the SID to User ID mappings are irrelevant.

The most obvious difference between the working and not-working installs is that the one I am having a problem with is operating in a chrooted environment. (yes, the nsswitch.conf file is set within the chroot as well ;). It's also running on 4.x FreeBSD as opposed to 5.x.
Now, I know there were some issues with 4.x and AD with regards to OpenSSL/Kerberos, but given that everything compiled, I can connect to the domain, list AD users, and see the correct user names in the smbd log, I think all of that is working. Maybe I'm wrong.

If anyone has any insight or troubleshooting tips I would greatly appreciate it.

cheers
Oliver

# smbd -b
<snip>
Paths:
   SBINDIR: /usr/local/nf/sbin
   BINDIR: /usr/local/nf/bin
   SWATDIR: /usr/local/nf/swat
   CONFIGFILE: /usr/local/nf/etc/smb.conf
   LOGFILEBASE: /usr/local/nf/var/samba
   LMHOSTSFILE: /usr/local/nf/etc/lmhosts
   LIBDIR: /usr/local/nf/lib
   SHLIBEXT: so
   LOCKDIR: /usr/local/nf/var/samba/lock
   PIDDIR: /usr/local/nf/var/samba/pid
   SMB_PASSWD_FILE: /usr/local/nf/var/samba/private/smbpasswd
   PRIVATE_DIR: /usr/local/nf/var/samba/private
<snip>
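A small diagnostic script, added here as an example and not part of the original post, that separates the three things the post conflates: winbindd knowing the users (wbinfo -u talks to winbindd directly), NSS resolving them (what chown does via getpwnam(3), so this is the check that matters for the chown failure), and the nsswitch.conf that is actually in effect. It assumes a POSIX sh with id(1); the file name nss_winbind_check.sh and the sample user list in the comments are constructed.

```shell
#!/bin/sh
# nss_winbind_check.sh (constructed name): is a domain user visible to NSS,
# not just to winbindd? Run it inside the chroot if smbd/winbindd live there:
# the NSS module and the winbindd socket must be reachable from within it.

# Does the passwd line of the given nsswitch.conf list the winbind source?
# Prints "yes" or "no". Pass the chroot's copy when Samba runs chrooted.
nsswitch_passwd_uses_winbind() {
    if grep -E '^[[:space:]]*passwd:' "$1" 2>/dev/null | grep -qw winbind; then
        echo yes
    else
        echo no
    fi
}

# Resolve a user name through NSS exactly as chown(1) does (getpwnam).
# Prints the uid, or UNRESOLVED when NSS does not know the name.
# wbinfo -u succeeding while this prints UNRESOLVED means the NSS path
# (nss_winbind, nsswitch.conf, or the chroot) is the problem, not the join.
resolve_uid() {
    id -u "$1" 2>/dev/null || echo UNRESOLVED
}

# Read user names from stdin (e.g. piped from wbinfo -u), report each name
# NSS cannot resolve on stderr, and print the number of unresolved names.
count_unresolved() {
    n=0
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        if [ "$(resolve_uid "$user")" = "UNRESOLVED" ]; then
            n=$((n + 1))
            echo "UNRESOLVED via NSS: $user" >&2
        fi
    done
    echo "$n"
}

# Usage: nss_winbind_check.sh [path/to/nsswitch.conf]
main() {
    conf=${1:-/etc/nsswitch.conf}
    echo "passwd database uses winbind in $conf: $(nsswitch_passwd_uses_winbind "$conf")"
    if command -v wbinfo >/dev/null 2>&1; then
        echo "winbindd users not resolvable through NSS: $(wbinfo -u | count_unresolved)"
    else
        echo "wbinfo not found in PATH; skipping winbindd user list"
    fi
}

case "$0" in *nss_winbind_check.sh) main "$@" ;; esac
```

If wbinfo -u lists the users but count_unresolved reports them all as UNRESOLVED, winbindd is fine and the lookup is failing between nsswitch.conf and nss_winbind, which is the symptom the post describes.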
Rex Dieter
2005-Oct-19 17:51 UTC
[Samba] Re: samba with ADS. winbindd ignore for user authentication
Oliver Neubauer wrote:

> I'm trying to set up samba using ADS for authentication.
>
> I can successfully join the samba machine to the domain. Windows hosts
> can "see" the samba machine.
>
> After successfully joining, doing:
> # wbinfo -u
> shows me ADS-defined users. Same goes for groups.
>
> However, when I try and assign one of those users ownership of a file, I
> get:
>
> # chown user1 /tmp/test
> chown: test1: illegal user name
> even though that user is a valid AD user.

You need to configure pam to use nss_winbind, see
http://us1.samba.org/samba/docs/man/Samba3-HOWTO/winbind.html#id2634773

For example, my /etc/pam.d/system-auth contains references to pam_winbind:

auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
...
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
...
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok