Guillermo Gutierrez
2006-Mar-08 19:03 UTC
[Samba] getting samba to authenticate with kerberos/PAM
Hello,

I reeeeally need someone's help here. I guide after guide from all sorts of sources but I still cannot get samba to authenticate a domain login via winbind off of the windows 2003 DC on our network.

Here is what I can do:

I can successfully do a kinit command and can verify the existence on the samba server in active directory on the DC.
I can login using domain profiles on the samba server linux box's (Gentoo) console.
I can login as root from ssh only, not at the console.
I can not login with domain profiles through ssh (haven't tried to modify /etc/pam.d/sshd for fear of not being able to login as root at all).
I can get to my /home/samba/public samba share through netBIOS.
I can not get into my /home/<DOMAIN>/<domainuser> samba share, I receive a "network path not found" error in windows.

When the above happens, one samba log (log.<machinename>) will say:

    [2006/03/08 10:36:19, 5] smbd/reply.c:reply_special(537) init msg_type=0x81 msg_flags=0x0
    [2006/03/08 10:36:19, 0] lib/util_sock.c:write_data(557) write_data: write failure in writing to client 10.11.7.56. Error Connection reset by peer
    [2006/03/08 10:36:19, 0] lib/util_sock.c:send_smb(765) Error writing 4 bytes to client. -1. (Connection reset by peer)
    [2006/03/08 10:36:19, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2006/03/08 10:36:19, 5] auth/auth_util.c:debug_nt_user_token(433) NT user token: (NULL)
    [2006/03/08 10:36:19, 5] auth/auth_util.c:debug_unix_user_token(454) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
    [2006/03/08 10:36:19, 5] smbd/uid.c:change_to_root_user(324) change_to_root_user: now uid=(0,0) gid=(0,0)
    [2006/03/08 10:36:19, 2] smbd/server.c:exit_server(614) Closing connections
    [2006/03/08 10:36:19, 3] smbd/connection.c:yield_connection(69) Yielding connection to
    [2006/03/08 10:36:19, 3] smbd/connection.c:yield_connection(76) yield_connection: tdb_delete for name failed with error Record does not exist.
    [2006/03/08 10:36:19, 3] smbd/server.c:exit_server(655) Server exit (process_smb: send_smb failed.)

The other samba log (log.<IPAddress>) will say:

    [2006/03/08 10:40:26, 5] auth/auth_util.c:debug_nt_user_token(433) NT user token: (NULL)
    [2006/03/08 10:40:26, 5] auth/auth_util.c:debug_unix_user_token(454) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
    [2006/03/08 10:40:26, 5] smbd/uid.c:change_to_root_user(324) change_to_root_user: now uid=(0,0) gid=(0,0)
    [2006/03/08 10:40:26, 5] lib/util.c:show_msg(454)
    [2006/03/08 10:40:26, 5] lib/util.c:show_msg(464) size=35 smb_com=0x71 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=1 smb_pid=65279 smb_uid=101 smb_mid=448 smt_wct=0 smb_bcc=0
    [2006/03/08 10:40:26, 3] smbd/process.c:timeout_processing(1447) timeout_processing: End of file from client (client has disconnected).
    [2006/03/08 10:40:26, 5] lib/gencache.c:gencache_shutdown(89) Closing cache file
    [2006/03/08 10:40:26, 5] libsmb/namecache.c:namecache_shutdown(79) namecache_shutdown: netbios namecache closed successfully.
    [2006/03/08 10:40:26, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2006/03/08 10:40:26, 5] auth/auth_util.c:debug_nt_user_token(433) NT user token: (NULL)
    [2006/03/08 10:40:26, 5] auth/auth_util.c:debug_unix_user_token(454) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
    [2006/03/08 10:40:26, 5] smbd/uid.c:change_to_root_user(324) change_to_root_user: now uid=(0,0) gid=(0,0)
    [2006/03/08 10:40:26, 2] smbd/server.c:exit_server(614) Closing connections
    [2006/03/08 10:40:26, 3] smbd/connection.c:yield_connection(69) Yielding connection to
    [2006/03/08 10:40:26, 3] smbd/server.c:exit_server(655) Server exit (normal exit)

and a whole bunch of other stuff that extends into the .old archive of this log.

Please help me figure out what the source of my issue is or point me to a step-by-step set of instructions that will work.

Here is some info on my setup:

Samba Server: samba 3.0.21c on a Gentoo Linux system
Network: windows 2003 Active Directory domain with a Novell Server on the network.
OS of client used for testing connection: windows XP SP2

thanks in advance,

Guillermo Gutierrez
Development Systems Engineer
Market Scan Information Systems
(818) 575-2000 x2427
ggutierrez@marketscan.com
Guillermo Gutierrez
2006-Mar-09 01:31 UTC
[Samba] getting samba to authenticate with kerberos/PAM
Oops, forgot to include the list.

I don't seem to have pam_unix2.so or pam_unix2.conf, just pam_unix.so. Will pam_unix.so read a conf file?

-----Original Message-----
From: Trimble, Ronald D [mailto:Ronald.Trimble@unisys.com]
Sent: Wednesday, March 08, 2006 5:23 PM
To: Guillermo Gutierrez
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM

You should be able to do both. These are the instructions I used when I configured my server. The only note I didn't make yet is that if you are not using a winbind separator, you will need to specify a double backslash when logging in. I can give you an example if you are not sure what I am talking about.

-----Original Message-----
From: Guillermo Gutierrez [mailto:ggutierrez@marketscan.com]
Sent: Wednesday, March 08, 2006 8:14 PM
To: Trimble, Ronald D
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM

This is great, I am about to try it out. One question, should I still be able to login as a local account through SSH? I am paranoid about getting locked out as root (this happened once before and I reinstalled gentoo).

-----Original Message-----
From: Trimble, Ronald D [mailto:Ronald.Trimble@unisys.com]
Sent: Wednesday, March 08, 2006 4:25 PM
To: Guillermo Gutierrez
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM

Setting up SSH to use AD accounts

Follow the directions in the Samba section of this wiki before continuing with these steps since SSH logins will require the use of winbind. Make a backup of all files before editing anything since a mistake in a PAM module could render your machine unusable.

Edit the /etc/pam.d/sshd file. Ours looks like this:

    #%PAM-1.0
    auth required pam_unix2.so # set_secrpc
    auth required pam_nologin.so
    auth required pam_env.so
    account required pam_unix2.so
    account required pam_nologin.so
    password required pam_pwcheck.so
    password required pam_unix2.so use_first_pass use_authtok
    session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
    session required pam_unix2.so none # trace or debug
    session required pam_limits.so

Next, edit /etc/security/pam_unix2.conf. Ours looks like this:

    auth: call_modules=winbind
    account: call_modules=winbind
    password: blowfish
    session: none

Finally, create the top level home directory and assign the proper permissions. Your default home directories will be created in /home/domain/username.

    mkdir /home/domain
    chmod 755 /home/domain

When you login via SSH, use your AD account. Remember in Samba we configured the winbind separator to be a '+'. I, for example, would log in as NA+trimblrd and then specify my NA password. Once I do this, a home directory will be created for me. If everything works, your login will look like this.

    login as: NA+trimblrd
    Using keyboard-interactive authentication.
    Password:
    Last login: Tue Dec 20 12:29:08 2005 from ustr-trimblrd.na.uis.unisys.com
    NA+trimblrd@USTR-LINUXTEST:~>

Logging into the server with an AD account

If you want to take this example a step further, you can also configure your server so that you can use your AD account to logon locally or through VNC. To enable this requires modifying only one more file.

Edit /etc/pam.d/login. (Remember to make a backup.) Ours looks like this:

    #%PAM-1.0
    auth requisite pam_unix2.so nullok #set_secrpc
    auth required pam_securetty.so
    auth required pam_nologin.so
    auth required pam_env.so
    auth required pam_mail.so
    account required pam_unix2.so
    password required pam_pwcheck.so nullok
    password required pam_unix2.so nullok use_first_pass use_authtok
    session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
    session required pam_unix2.so none # debug or trace
    session required pam_limits.so
    session required pam_resmgr.so

Now you will be able to log onto the server without the use of a local account.

Retrieved from "http://ustr-linux-1/wiki/index.php/SSH"

-----Original Message-----
From: samba-bounces+ronald.trimble=unisys.com@lists.samba.org [mailto:samba-bounces+ronald.trimble=unisys.com@lists.samba.org] On Behalf Of Guillermo Gutierrez
Sent: Wednesday, March 08, 2006 6:14 PM
To: samba@lists.samba.org
Subject: FW: [Samba] getting samba to authenticate with kerberos/PAM

ummm....is there certain info that I need to be including the first time through? I have been fighting with this problem for a week now and I have not gotten any responses since my first or second thread. I am stuck/lost/frustrated and at the mercy of everyone in this list who knows samba much better than me. Please help me, I am pretty sure this is just some misconfiguration on my part.
Guillermo Gutierrez
2006-Mar-09 01:32 UTC
[Samba] getting samba to authenticate with kerberos/PAM
ahh I see, then it is definitely a remote vs console thing, because on my system anyways the console login doesn't require "\\".

-----Original Message-----
From: Trimble, Ronald D [mailto:Ronald.Trimble@unisys.com]
Sent: Wednesday, March 08, 2006 5:29 PM
To: Guillermo Gutierrez
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM

I haven't logged in from the console for a long time so I don't remember if it requires a double backslash. SSH definitely requires it though as a single backslash is considered a control character in linux.

-----Original Message-----
From: Guillermo Gutierrez [mailto:ggutierrez@marketscan.com]
Sent: Wednesday, March 08, 2006 8:26 PM
To: Trimble, Ronald D
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM

Really??? double backslash? hmmm..I will have to remember that, odd though because it lets me use one backslash from the console. But maybe that is the difference between remote and console logins?
Guillermo Gutierrez
2006-Mar-09 03:09 UTC
[Samba] getting samba to authenticate with kerberos/PAM
well... after some playing around with the example you provided to me, I finally got it to work. I did have to do things a little different, but I finally got it to work. thank you sooo much for your help, here is how my /etc/pam.d/sshd looks:

    #%PAM-1.0
    auth sufficient /lib/security/pam_winbind.so
    auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
    auth required /lib/security/pam_shells.so
    auth required /lib/security/pam_deny.so
    auth required /lib/security/pam_nologin.so
    auth required /lib/security/pam_env.so
    account sufficient /lib/security/pam_winbind.so
    account required /lib/security/pam_unix.so
    account required /lib/security/pam_nologin.so
    #password required /lib/security/pam_pwcheck.so
    password required /lib/security/pam_stack.so service=system-auth
    password required /lib/security/pam_unix.so use_first_pass use_authtok
    session required /lib/security/pam_stack.so service=system-auth
    session optional /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077

I realize that some of these lines might not be needed, I just have to figure out which ones and remove them for clean up.

thanks again,
Guillermo Gutierrez
Trimble, Ronald D
2006-Mar-09 04:09 UTC
[Samba] getting samba to authenticate with kerberos/PAM
No problem. Glad I could point you in the right direction.

-----Original Message-----
From: Guillermo Gutierrez [mailto:ggutierrez@marketscan.com]
Sent: Wednesday, March 08, 2006 10:08 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM

well... after some playing around with the example you provided to me, I finally got it to work. I did have to do things a little different, but I finally got it to work. thank you sooo much for your help, here is how my /etc/pam.d/sshd looks:

    #%PAM-1.0
    auth sufficient /lib/security/pam_winbind.so
    auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
    auth required /lib/security/pam_shells.so
    auth required /lib/security/pam_deny.so
    auth required /lib/security/pam_nologin.so
    auth required /lib/security/pam_env.so
    account sufficient /lib/security/pam_winbind.so
    account required /lib/security/pam_unix.so
    account required /lib/security/pam_nologin.so
    #password required /lib/security/pam_pwcheck.so
    password required /lib/security/pam_stack.so service=system-auth
    password required /lib/security/pam_unix.so use_first_pass use_authtok
    session required /lib/security/pam_stack.so service=system-auth
    session optional /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0077

I realize that some of these lines might not be needed, I just have to figure out which ones and remove them for clean up.

thanks again,
Guillermo Gutierrez

-----Original Message-----
From: Trimble, Ronald D [mailto:Ronald.Trimble@unisys.com]
Sent: Wednesday, March 08, 2006 4:25 PM
To: Guillermo Gutierrez
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM

Setting up SSH to use AD accounts

Follow the directions in the Samba section of this wiki before continuing with these steps since SSH logins will require the use of winbind. Make a backup of all files before editing anything since a mistake in a PAM module could render your machine unusable.

Edit the /etc/pam.d/sshd file. Ours looks like this:

    #%PAM-1.0
    auth required pam_unix2.so # set_secrpc
    auth required pam_nologin.so
    auth required pam_env.so
    account required pam_unix2.so
    account required pam_nologin.so
    password required pam_pwcheck.so
    password required pam_unix2.so use_first_pass use_authtok
    session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
    session required pam_unix2.so none # trace or debug
    session required pam_limits.so

Next, edit /etc/security/pam_unix2.conf. Ours looks like this:

    auth: call_modules=winbind
    account: call_modules=winbind
    password: blowfish
    session: none

Finally, create the top level home directory and assign the proper permissions. Your default home directories will be created in /home/domain/username.

    mkdir /home/domain
    chmod 755 /home/domain

When you login via SSH, use your AD account. Remember in Samba we configured the winbind separator to be a '+'. I, for example, would log in as NA+trimblrd and then specify my NA password. Once I do this, a home directory will be created for me. If everything works, your login will look like this.

    login as: NA+trimblrd
    Using keyboard-interactive authentication.
    Password:
    Last login: Tue Dec 20 12:29:08 2005 from ustr-trimblrd.na.uis.unisys.com
    NA+trimblrd@USTR-LINUXTEST:~>

Logging into the server with an AD account

If you want to take this example a step further, you can also configure your server so that you can use your AD account to logon locally or through VNC. To enable this requires modifying only one more file. Edit /etc/pam.d/login. (Remember to make a backup.) Ours looks like this:

    #%PAM-1.0
    auth requisite pam_unix2.so nullok #set_secrpc
    auth required pam_securetty.so
    auth required pam_nologin.so
    auth required pam_env.so
    auth required pam_mail.so
    account required pam_unix2.so
    password required pam_pwcheck.so nullok
    password required pam_unix2.so nullok use_first_pass use_authtok
    session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
    session required pam_unix2.so none # debug or trace
    session required pam_limits.so
    session required pam_resmgr.so

Now you will be able to log onto the server without the use of a local account.

Retrieved from "http://ustr-linux-1/wiki/index.php/SSH"

-----Original Message-----
From: samba-bounces+ronald.trimble=unisys.com@lists.samba.org [mailto:samba-bounces+ronald.trimble=unisys.com@lists.samba.org] On Behalf Of Guillermo Gutierrez
Sent: Wednesday, March 08, 2006 6:14 PM
To: samba@lists.samba.org
Subject: FW: [Samba] getting samba to authenticate with kerberos/PAM

ummm....is there certain info that I need to be including the first time through? I have been fighting with this problem for a week now and I have not gotten any responses since my first or second thread. I am stuck/lost/frustrated and at the mercy of everyone in this list who knows samba much better than me. Please help me, I am pretty sure this is just some misconfiguration on my part.

-----Original Message-----
From: samba-bounces+ggutierrez=marketscan.com@lists.samba.org [mailto:samba-bounces+ggutierrez=marketscan.com@lists.samba.org] On Behalf Of Guillermo Gutierrez
Sent: Wednesday, March 08, 2006 11:02 AM
To: samba@lists.samba.org
Subject: [Samba] getting samba to authenticate with kerberos/PAM

Hello, I reeeeally need someone's help here. I guide after guide from all sorts of sources but I still cannot get samba to authenticate a domain login via winbind off of the windows 2003 DC on our network.
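Added example, not part of the thread and not code from Samba or Linux-PAM: a small Python model of how the required/requisite/sufficient/optional keywords decide the auth and account stacks of the /etc/pam.d/sshd quoted in the message above, as one way to see which lines "might not be needed". Module outcomes are supplied by hand (an assumption), only the four keyword controls are modelled, and pam_deny.so is treated as always failing.

```python
from itertools import combinations

# auth and account lines of the /etc/pam.d/sshd posted in the thread
SSHD_PAM = """\
#%PAM-1.0
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
auth required /lib/security/pam_shells.so
auth required /lib/security/pam_deny.so
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_nologin.so
"""

ALWAYS_FAIL = {"pam_deny.so"}  # pam_deny returns failure on every call


def parse(text):
    """Return {type: [(control, module_name), ...]} in file order."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank line, comment or the "#%PAM-1.0" header
        mtype, control, path = fields[:3]
        stacks.setdefault(mtype, []).append((control, path.rsplit("/", 1)[-1]))
    return stacks


def run_stack(stack, passing):
    """Evaluate one stack; `passing` is the set of modules that succeed.
    Returns (granted, modules_called)."""
    called, failed, succeeded = [], False, False
    for control, name in stack:
        called.append(name)
        ok = name in passing and name not in ALWAYS_FAIL
        if control == "sufficient":
            if ok and not failed:
                return True, called   # success ends the stack immediately
        elif control == "requisite":
            if not ok:
                return False, called  # failure ends the stack immediately
            succeeded = True
        elif control in ("required", "optional"):
            if ok:
                succeeded = True
            elif control == "required":
                failed = True         # keep going, but the stack will fail
        else:
            raise ValueError(f"unsupported control: {control}")
    return succeeded and not failed, called


def never_on_success(stack):
    """Modules that are not called on any path that ends in success."""
    names = [name for _, name in stack]
    reached = set()
    for r in range(len(names) + 1):
        for combo in combinations(names, r):
            granted, called = run_stack(stack, set(combo))
            if granted:
                reached.update(called)
    return [n for n in names if n not in reached]


if __name__ == "__main__":
    stacks = parse(SSHD_PAM)
    for mtype, stack in stacks.items():
        print(mtype, "never reached on success:", never_on_success(stack))
    print("account, winbind user:", run_stack(stacks["account"], {"pam_winbind.so"}))
```

For this file the auth stack reports pam_shells.so, pam_deny.so, pam_nologin.so and pam_env.so as never reached on a successful login, and a domain user accepted by pam_winbind.so in the account stack returns before pam_unix.so and pam_nologin.so are consulted.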
Guillermo Gutierrez
2006-Mar-09 13:55 UTC
[Samba] getting samba to authenticate with kerberos/PAM
One more piece to this mystery that is pam, now that I have ssh and console logins working, how can I get navigation of the samba server to properly authenticate? I cannot access my home directory and in the samba log for the system I use to try to connect it says something about "tdb_delete for name failed with error Record does not exists". I cannot validate my domain login for samba, it is almost like I need to be able to add the domain profile to the smbpasswd file (at least that is my thought). Again, I am at the mercy of those on this list who know samba so much better than I.

-----Original Message-----
From: Trimble, Ronald D [mailto:Ronald.Trimble@unisys.com]
Sent: Wednesday, March 08, 2006 8:08 PM
To: Guillermo Gutierrez
Cc: samba@lists.samba.org
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM

No problem. Glad I could point you in the right direction.

-----Original Message-----
From: Guillermo Gutierrez [mailto:ggutierrez@marketscan.com]
Sent: Wednesday, March 08, 2006 10:08 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: RE: [Samba] getting samba to authenticate with kerberos/PAM

well... after some playing around with the example you provided to me, I finally got it to work. I did have to do things a little different, but I finally got it to work.