Hello,

I've been reading up on lots of documents that mention the different ways to
do things as far as joining a Linux machine to AD and authentication. I've
tried most of them but it's not helping at all. I've included my config files
for smb.conf, krb5.conf, pam.d/system-auth and the applicable nsswitch.conf
lines. For security reasons, I've obscured part of the domain name. Any help
is appreciated.

Here are the questions:

1. Do I need to edit more than one pam.d file? For now, I'm just trying to
be able to SSH in as a domain account and as a local user account.
2. Do all the config files here look correct?
3. When logging in, what should my login name be? DOMAIN\Username or just
Username or username@DOMAIN.NAME.COM? I've tried all with no luck.
4. Can AD group policy affect this in some way?

At the bottom, I have attached the output of some commands that may also
help.

Thank you in advance for any help/advice.

Anoop
# pam.d/system-auth
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
# krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = CORP.OBSCURED.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
[realms]
CORP.OBSCURED.COM = {
  kdc = dmc01.corp.obscured.com
  kdc = dmc02.corp.obscured.com
  default_domain = CORP.OBSCURED.COM
  kdc = dmc03.corp.obscured.com
 }
[domain_realm]
 .example.com = CORP.OBSCURED.COM
 example.com = CORP.OBSCURED.COM
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
# smb.conf
[global]
workgroup = CORP
netbios name = ADTEST01
server string = A test server
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/%m.log
log level = 10
max log size = 50
security = ads
realm = CORP.OBSCURED.COM
encrypt passwords = yes
preferred master = no
smb passwd file = /etc/samba/smbpasswd
allow trusted domains = yes
unix password sync = yes
password server = *
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
pam password change = yes
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 10000-20000
idmap gid = 10000-20000
enhanced browsing = no
winbind use default domain = no
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
# nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  files
automount:  files winbind
aliases:    files
# OUTPUT
# net ads join -U Administrator
bhataadmin's password:
[2006/06/30 09:54:14, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for ADTEST01 already exists - modifying old account
Using short domain name -- CORP
Joined 'ADTEST01' to realm 'CORP.OBSCURED.COM'
#
# kinit Administrator@CORP.OBSCURED.COM
Password for Administrator@CORP.OBSCURED.COM:
#
# wbinfo -u
Error looking up domain users
# wbinfo -g
Error looking up domain groups
# wbinfo -t
checking the trust secret via RPC calls failed
error code was  (0x0)
Could not check secret
#
Thanks very much.
any idea what the separator should be to use CORP\zuser as the login?

On 6/30/06, pk <paul@computertaming.com> wrote:
> since your smb.conf has winbind separator = + ; login CORP+zuser
> wbinfo commands show you don't have access to the domain; go to the AD server,
> delete the Linux computer (that you tried to join to the directory) from
> the Active Directory. Kinit shows Kerberos works. Go to /var/log/samba,
> check error logs; check system logs, verify winbind is running. I found
> after *.conf files were changed daemons had to be restarted. Try
> joining again. What happens if you use the smbclient command, i.e.
>
> smbclient //CORP.OBSCURED.COM/shared something -Uzuser%password
ahh ok. I had troubles with leaving the line in there. Any ideas on how I can auth certain groups only? Thank you pk!

On 6/30/06, pk <paul@computertaming.com> wrote:
> yes
> winbind separator = \
> but that is the default so that line could be commented out and achieve
> the same result.
>
> Anoop Bhat wrote:
> > any idea what the separator should be to use CORP\zuser as the login?
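The login-name question (question 3) and pk's note that backslash is the default winbind separator can both be checked mechanically against the posted configs. The following is an added example, not code from the thread or from Samba: it parses constructed smb.conf and krb5.conf excerpts built from the values above, derives the login name the winbind settings imply, and flags two things a reviewer would raise that the thread does not discuss, the single-DES enctypes in krb5.conf and the debug-level log setting.

```python
# Added example, not from the thread: lint the posted smb.conf/krb5.conf values.
# Sample text below is constructed from the values quoted in the thread.
SMB_CONF = """\
[global]
workgroup = CORP
security = ads
log level = 10
winbind use default domain = no
winbind separator = +
"""
KRB5_CONF = """\
[libdefaults]
 default_realm = CORP.OBSCURED.COM
 default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
"""
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}  # single DES, rejected by modern KDCs
def parse_ini(text):
    """Flat 'key = value' sections; lines are stripped (indented krb5.conf
    entries are not continuations) and [realms] brace lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections

def expected_login(smb, user="zuser"):
    """Name to give sshd for a domain user; separator defaults to backslash."""
    g = smb["global"]
    if g.get("winbind use default domain", "no").lower() in ("yes", "true"):
        return user
    return g["workgroup"] + g.get("winbind separator", "\\") + user

def weak_enctypes(krb5):
    """Weak enctypes named in any libdefaults enctype list."""
    lib = krb5.get("libdefaults", {})
    keys = ("default_tgs_enctypes", "default_tkt_enctypes", "preferred_enctypes")
    return {e for k in keys for e in lib.get(k, "").split() if e.lower() in WEAK_ENCTYPES}

def audit(smb_text, krb5_text):
    smb, krb5 = parse_ini(smb_text), parse_ini(krb5_text)
    findings = ["domain login name: " + expected_login(smb)]
    weak = weak_enctypes(krb5)
    if weak:
        findings.append("weak enctypes enabled: " + ", ".join(sorted(weak)))
    level = smb["global"].get("log level", "0").split()[0]
    if level.isdigit() and int(level) >= 10:
        findings.append("log level " + level + " is debug output; lower it after troubleshooting")
    return findings
```

With the thread's values, `audit(SMB_CONF, KRB5_CONF)` reports the login name `CORP+zuser`; dropping the `winbind separator` line yields `CORP\zuser`, which is pk's point about the default.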