I know this question has been posed over and over (and over) again, but I'm at my wit's end. I've dug into the Samba docs, Gentoo-specific docs, and PAM docs, and Googled the heck out of it...
In any event, I'm running Gentoo 2006.0 (just built) running kernel 2.6.15 and Samba 3.0.21b. I'm 'trying' to set up a simple file server with SSO capabilities to a 2K AD domain.
So far, the Samba/Winbind side seems great. I am able to map shares to Windows workstations based on the Windows uid/gid without a hiccup. The wbinfo [-u|-g] and getent [passwd|group] commands work great.
# wbinfo -u
someuser
someotheruser
yetanotheruser
....
# wbinfo -g | more
Domain Guests
Domain Users
Schema Admins
....
# getent passwd
someuser:x:15007:10011::/home/UNICITY/someuser:/bin/bash
someotheruser:x:15008:10011::/home/UNICITY/someotheruser:/bin/bash
yetanotheruser:x:15009:10011::/home/UNICITY/yetanotheruser:/bin/bash
....
# getent group
Domain Guests:x:10020:
Domain Users:x:10011:
Schema Admins:x:10015:
kinit doesn't work quite right:
# kinit
Password for administrator@AD_DOMAIN:
(Works)
# kinit -k
kinit(v5): Client not found in Kerberos database while getting initial credentials
(Obviously doesn't)
The biggest issue appears to be with PAM. Local and ssh logins using AD_DOMAIN accounts both fail, without notification to the user, but the following appears in the logs:
....
Mar 23 16:08:42 32gs sshd(pam_unix)[8586]: check pass; user unknown
Mar 23 16:08:42 32gs sshd(pam_unix)[8586]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
Mar 23 16:08:44 32gs sshd[8581]: error: PAM: Authentication failure for testuser from x.x.x.x
....
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[share]"
Loaded services file OK.
WARNING: passdb expand explicit = yes is deprecated
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = AD_DOMAIN
realm = AD_DOMAIN.FQDN
netbios name = MACHINENAME
server string = MACHINENAME
interfaces = x.x.x.x, 127.
bind interfaces only = Yes
security = ADS
log level = 5
log file = /var/log/samba/log.%m
max log size = 50
name resolve order = hosts wins bcast
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
load printers = No
os level = 5
preferred master = No
local master = No
domain master = No
dns proxy = No
wins server = 10.10.57.124
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
hosts allow = x.x.x.x, 127.
[share]
comment = SHARE
path = /mnt/share
invalid users = root
valid users = "@AD_DOMAIN+Domain Users"
read only = No
create mask = 0777
directory mask = 0777
# cat /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
# cat /etc/pam.d/samba
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
# cat /etc/pam.d/sshd
#%PAM-1.0
auth include system-auth
auth required pam_shells.so
auth required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
Anything else?
Brian
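A check worth running on a box like this, added here as an example and not part of Brian's post or of any Samba/Gentoo tooling: the sshd stack above only references system-auth (which is not shown), and the log lines come from pam_unix alone, so the first question is whether pam_winbind.so is actually reachable from each service's auth and account stacks once every "include" and "pam_stack.so service=" reference is followed. The script below walks those references and reports the answer per service. The sample PAM files it creates in a temp directory are constructed to mirror the shape of the post's sshd and login files, with a hypothetical system-auth that has no winbind line; set PAM_DIR=/etc/pam.d to inspect a real system instead (it will not write sample files in that case).

```shell
#!/bin/sh
# Added example: resolve a PAM service's management stack and check for
# pam_winbind.so. Sample files are constructed here; PAM_DIR overrides them.

# Constructed sample PAM files (hypothetical system-auth without winbind).
setup_samples() {
  cat >"$PAM_DIR/system-auth" <<'EOF'
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
account required pam_unix.so
EOF
  cat >"$PAM_DIR/sshd" <<'EOF'
#%PAM-1.0
auth include system-auth
auth required pam_shells.so
account include system-auth
EOF
  cat >"$PAM_DIR/login" <<'EOF'
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
account sufficient /lib/security/pam_winbind.so
EOF
}

# pam_modules <service> <type> [depth]: print the module basenames of the
# given type (auth/account/...), expanding "include"/"substack" controls and
# the older pam_stack.so service=<svc> form. Runs in a subshell so the
# recursion does not clobber the caller's variables.
pam_modules() (
  svc=$1; type=$2; depth=${3:-0}
  [ "$depth" -lt 8 ] || return 0            # guard against include loops
  [ -r "$PAM_DIR/$svc" ] || return 0        # unknown service: nothing to report
  grep -v '^[[:space:]]*#' "$PAM_DIR/$svc" | awk -v t="$type" '$1 == t' |
  while read -r kw control module rest; do
    case "$control" in
      include|substack)
        pam_modules "$module" "$type" $((depth + 1)) ;;
      *)
        name=$(basename "$module")
        echo "$name"
        if [ "$name" = "pam_stack.so" ]; then
          sub=$(printf '%s\n' "$rest" | sed -n 's/.*service=\([^ ]*\).*/\1/p')
          if [ -n "$sub" ]; then pam_modules "$sub" "$type" $((depth + 1)); fi
        fi ;;
    esac
  done
)

# has_winbind <service> <type>: succeed if pam_winbind.so is in the stack.
has_winbind() {
  pam_modules "$1" "$2" | grep -qxF 'pam_winbind.so'
}

# One line per service/type pair; MISSING means winbind never gets consulted.
report() {
  for svc in login sshd samba; do
    for t in auth account; do
      if has_winbind "$svc" "$t"; then s=ok; else s=MISSING; fi
      printf '%-7s %-8s pam_winbind: %s\n' "$svc" "$t" "$s"
    done
  done
}

if [ -z "${PAM_DIR:-}" ]; then
  PAM_DIR=$(mktemp -d)
  setup_samples
fi
report
```

With the constructed files the report shows login ok for both types and sshd MISSING for both, which is the pattern that matches "check pass; user unknown" from pam_unix with no winbind entry in the log. On a real host, a MISSING line for sshd means the fix is in system-auth (or in sshd's own stack), not in smb.conf.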