Gutholm, James
2006-Jul-25 19:21 UTC
[Samba] pam winbind seems to have trouble with idmap backend = ldap
Environment is samba-3.0.10-1.4E.6, RedHat ES4, kernel 2.6.9-34.0.2.ELsmp; AD domain Win2003 SP2, Native mode.

This system was initially set up in ads security mode, joined to a Win 2003 AD domain and configured to use winbind for both samba file shares and authz/authn for sshd and local logins. In this configuration the winbind idmap was the default local database. Everything worked fine. Users could log in via ssh and access controls on files were properly working, samba file sharing worked properly, etc.

In an effort to synchronize the uid/gid to sid mapping across multiple machines we configured a system to use idmap backend = ldap. Initially it seemed that this new configuration was working. After deleting the winbind cache and local database and restarting smb/winbind, getent passwd populated the ldap directory with mapping info and samba file sharing worked fine. The problem is that now ssh and console logins don't work for AD accounts, only local accounts.

The short version is: with idmap... commented out, fileshares and ssh work for AD accounts. With idmap... file shares work but ssh does not. Errors while using ssh are included below.
-- smb.conf ------------------------------------------------------
[global]
workgroup = AC_COMPUTING
server string = JAMESDIRTEST
log file = /var/log/samba/%m.log
log level = 3 passdb:5 auth:10 winbind:3
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
template homedir = /home/%U
username map = /etc/samba/smbusers
winbind use default domain = yes
realm = EVERGREEN.EDU
password server = EVDC1 EVDC2
winbind enum users=yes
winbind enum groups=yes
client schannel = no
client use spnego = no
ldap admin dn = cn=manager,ou=users,dc=sambaidmap,dc=evergreen,dc=edu
ldap idmap suffix = ou=idmap
ldap suffix = dc=sambaidmap,dc=evergreen,dc=edu
#idmap backend = ldap:"ldap://adappmode.evergreen.edu:50000"

[setup-staging]
comment = Local Install Setup
path = /setup-staging
valid users = @"Network Services GG" @"Admin Computing GG"
public = no
writable = yes
printable = no
create mask = 0775
force group = Network Services GG

... more shares...
------------------------------------------------------------------

-- nsswitch.conf -------------------------------------------------
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: files
automount: files
aliases: files
------------------------------------------------------------------

-- pam.d/sshd ----------------------------------------------------
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
auth required pam_nologin.so
#
#
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
#
#
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
#
#
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
------------------------------------------------------------------

-- tail of var/log/messages --------------------------------------
Jul 25 11:14:25 jamesdirtest winbind: winbindd startup succeeded
Jul 25 11:14:25 jamesdirtest smb: smbd startup succeeded
Jul 25 11:14:25 jamesdirtest smb: nmbd startup succeeded
Jul 25 11:14:41 jamesdirtest smbd[6416]: [2006/07/25 11:14:41, 0] smbd/service.c:set_current_service(51)
Jul 25 11:14:41 jamesdirtest smbd[6416]: chdir (/setup-staging) failed
Jul 25 11:14:41 jamesdirtest smbd[6416]: [2006/07/25 11:14:41, 0] smbd/service.c:set_current_service(51)
Jul 25 11:14:41 jamesdirtest smbd[6416]: chdir (/setup-staging) failed
Jul 25 11:15:06 jamesdirtest sshd(pam_unix)[6418]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=jamesdirtest.evergreen.edu user=james_su
Jul 25 11:15:06 jamesdirtest pam_winbind[6418]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Jul 25 11:15:06 jamesdirtest pam_winbind[6418]: user `james_su' denied access (incorrect password or invalid membership)
Jul 25 11:15:12 jamesdirtest pam_winbind[6418]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Jul 25 11:15:12 jamesdirtest pam_winbind[6418]: user `james_su' denied access (incorrect password or invalid membership)
Jul 25 11:15:17 jamesdirtest pam_winbind[6418]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Jul 25 11:15:17 jamesdirtest pam_winbind[6418]: user `james_su' denied access (incorrect password or invalid membership)
Jul 25 11:15:19 jamesdirtest sshd(pam_unix)[6418]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=jamesdirtest.evergreen.edu user=james_su
Jul 25 11:15:31 jamesdirtest winbind: winbindd shutdown succeeded
Jul 25 11:15:31 jamesdirtest smb: smbd shutdown succeeded
Jul 25 11:15:31 jamesdirtest nmbd[6412]: [2006/07/25 11:15:31, 0] nmbd/nmbd.c:terminate(56)
Jul 25 11:15:31 jamesdirtest nmbd[6412]: Got SIGTERM: going down...
Jul 25 11:15:31 jamesdirtest smb: nmbd shutdown succeeded
------------------------------------------------------------------
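To make the denial path in the posted stack explicit, here is an added example (not from the original post) that parses the auth and account groups of that pam.d/sshd file and walks them under Linux-PAM's control-flag rules; the module return codes are assumed inputs, such as pam_winbind reporting PAM error 7 (PAM_AUTH_ERR) as in the log above, and nothing here calls PAM or winbindd.

```python
# Added example, not the post's code: module results are assumed inputs.
import re

PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 6, 7, 10
CODE_NAME = {PAM_SUCCESS: "success", PAM_USER_UNKNOWN: "user_unknown"}
# Keyword controls are shorthand for these action tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
}

# auth and account groups exactly as posted (password/session omitted).
SSHD_PAM = """
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
auth required pam_nologin.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
"""

def parse_stack(text, group):
    """Return [(action_table, module)] for one management group."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.split()[0] != group:
            continue
        m = re.match(r"\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        control, module = m.group(1), m.group(2).rsplit("/", 1)[-1]
        table = (dict(kv.split("=") for kv in control[1:-1].split())
                 if control.startswith("[") else KEYWORDS[control])
        stack.append((table, module))
    return stack

def run_stack(stack, results):
    """results: module -> return code; unlisted modules succeed except pam_deny.
    The first failure wins; done/die end the walk. Jump (N) and reset are not modelled."""
    status, failed = None, False
    for table, module in stack:
        rc = results.get(module, PAM_AUTH_ERR if module == "pam_deny.so" else PAM_SUCCESS)
        action = table.get(CODE_NAME.get(rc, ""), table["default"])
        if action != "ignore" and not failed:
            status, failed = rc, action in ("bad", "die") or rc != PAM_SUCCESS
        if action in ("done", "die"):
            break
    return PAM_PERM_DENIED if status is None else status
```

With pam_unix failing for an AD user (no local shadow entry), a winbind success at the sufficient line returns before pam_deny runs, while a winbind PAM_AUTH_ERR is ignored by sufficient and pam_deny then fixes the result.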