Garrett, Joseph
2006-Aug-30 07:05 UTC
[Samba] winbind auth against ads not working via remote login - solaris 10.
I am attempting to use winbind for Telnet authentication but winbind pam
doesn't recognize ads realm or smb.conf workgroup..see error snapshot.
pdtsun03 is hostname of solaris 10 ADS domain member running samba
3.0.11. "net ads join" worked..."net ads user" returns all
MYADSDOMAIN
users and samba shares work from both unix and NT side.
one note..After make install, I had to manually copy compiled
nsswitch/pam_winbind.so file to /usr/lib/security. thanks for the help
samba configured args:
./configure --with-ads --with-winbind --with-krb5=/usr/local --with-pam
-------------------------
error snapshot:
[2006/08/29 14:31:49, 8] lib/util.c:is_myname(1810)
is_myname("PDTSUN03") returns 1
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
Authentication for domain PDTSUN03 (local domain to this server) not
supported at this stage
[2006/08/29 14:31:49, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
Plain-text authentication for user jgarrett returned
NT_STATUS_NO_SUCH_USER (PAM: 13)
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
---------------------------------
smb.conf
# Global parameters
[global]
workgroup = MYADSDOMAIN
server string = Samba Server pdtsun03
password server = MYPWDSERVER(s)
encrypt passwords = yes
log level = 10
log file = /usr/local/samba/var/log.%m
max log size = 50
dns proxy = No
guest account = visitor
realm = MYREALM.COM
security = ads
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
[homes]
comment = Home Directories
read only = No
browseable = No
[tmp]
comment = Temporary file space
path = /tmp
read only = No
---------------------------------------
detail error - with debug level at 10:
[2006/08/29 14:31:49, 6] nsswitch/winbindd.c:new_connection(356)
accepted socket 19
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
process_request: request fn INTERFACE_VERSION
[2006/08/29 14:31:49, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[19587]: request interface version
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/08/29 14:31:49, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[19587]: request location of privileged pipe
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(569)
client_write: need to write 47 extra data bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 47 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(558)
client_write: client_write: complete response written.
[2006/08/29 14:31:49, 6] nsswitch/winbindd.c:new_connection(356)
accepted socket 20
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
process_request: request fn PAM_AUTH
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(179)
[19587]: pam auth jgarrett
[2006/08/29 14:31:49, 8] lib/util.c:is_myname(1810)
is_myname("PDTSUN03") returns 1
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
Authentication for domain PDTSUN03 (local domain to this server) not
supported at this stage
[2006/08/29 14:31:49, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
Plain-text authentication for user jgarrett returned
NT_STATUS_NO_SUCH_USER (PAM: 13)
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 0 bytes. Need 1824 more for a full request.
[2006/08/29 14:31:49, 5] nsswitch/winbindd.c:winbind_client_read(477)
read failed on sock 19, pid 19587: EOF
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 0 bytes. Need 1824 more for a full request.
[2006/08/29 14:31:49, 5] nsswitch/winbindd.c:winbind_client_read(477)
read failed on sock 20, pid 19587: EOF
Garrett, Joseph
2006-Aug-31 13:40 UTC
[Samba] winbind auth against ads not working via remote login-solaris 10.
update: OS not allowing a winbind auth on Solaris 10 console.
I added the below winbind options(see smb.conf). I now get
"NT_STATUS_OS" for the user(see winbind log) as I try to login but
Solaris 10 still reports a "Login Incorrect". What other OS configure
am
I missing? Does the
nss_winbind.so libraries need to be copied anywhere else?
I copied the libnss_winbind.so to /lib and /usr/lib and made the below
links.
/lib/nss_winbind.so
/lib/nss_winbind.so.1
Nsswitch.conf is using "file nis winbind" . See pam.conf below.
Thanks and God bless!
Winbind Log:------------------
[2006/08/31 08:17:43, 5]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(445)
Plain-text authentication for user jgarrett returned NT_STATUS_OK
(PAM: 0)
Smb.conf----------------
# cat smb.conf
# Global parameters
[global]
workgroup = MYDOMAIN
server string = Samba Server pdtsun03
password server = MYPWDSERVERS
encrypt passwords = yes
log level = 10
log file = /usr/local/samba/var/log.%m
max log size = 50
dns proxy = No
guest account = visitor
realm = MYREALM
security = ads
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind cache time = 2
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes
winbind uid = 20001-40000
winbind gid = 20001-40000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet
access)
Pam.conf--------------
# cat /etc/pam.conf
#
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login auth sufficient /usr/lib/security/pam_winbind.so
try_first_pass debug
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
rlogin auth sufficient /usr/lib/security/pam_winbind.so
try_first_pass debug
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
krlogin auth sufficient /usr/lib/security/pam_winbind.so
try_first_pass debug
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth sufficient /usr/lib/security/pam_winbind.so
try_first_pass debug
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
krsh auth sufficient /usr/lib/security/pam_winbind.so
try_first_pass debug
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
ktelnet auth sufficient /usr/lib/security/pam_winbind.so
try_first_pass debug
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
ppp auth sufficient /usr/lib/security/pam_winbind.so
try_first_pass debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
other auth sufficient /usr/lib/security/pam_winbind.so
try_first_pass debug
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
passwd auth sufficient /usr/lib/security/pam_winbind.so
try_first_pass debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account
management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account sufficient /usr/lib/security/pam_winbind.so
try_first_pass debug
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session
management
#
other session required pam_unix_session.so.1
other session sufficient /usr/lib/security/pam_winbind.so
try_first_pass debug
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password
management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
other password sufficient /usr/lib/security/pam_winbind.so
try_first_pass use_authtok debug
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
-----Original Message-----
From: samba-bounces+jgarrett=southernco.com@lists.samba.org
[mailto:samba-bounces+jgarrett=southernco.com@lists.samba.org] On Behalf
Of Garrett, Joseph
Sent: Tuesday, August 29, 2006 2:56 PM
To: samba@lists.samba.org
Subject: [Samba] winbind auth against ads not working via remote login
-solaris 10.
I am attempting to use winbind for Telnet authentication but winbind pam
doesn't recognize ads realm or smb.conf workgroup..see error snapshot.
pdtsun03 is hostname of solaris 10 ADS domain member running samba
3.0.11. "net ads join" worked..."net ads user" returns all
MYADSDOMAIN
users and samba shares work from both unix and NT side.
one note..After make install, I had to manually copy compiled
nsswitch/pam_winbind.so file to /usr/lib/security. thanks for the help
samba configured args:
./configure --with-ads --with-winbind --with-krb5=/usr/local --with-pam
-------------------------
error snapshot:
[2006/08/29 14:31:49, 8] lib/util.c:is_myname(1810)
is_myname("PDTSUN03") returns 1
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
Authentication for domain PDTSUN03 (local domain to this server) not
supported at this stage
[2006/08/29 14:31:49, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
Plain-text authentication for user jgarrett returned
NT_STATUS_NO_SUCH_USER (PAM: 13)
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
---------------------------------
smb.conf
# Global parameters
[global]
workgroup = MYADSDOMAIN
server string = Samba Server pdtsun03
password server = MYPWDSERVER(s)
encrypt passwords = yes
log level = 10
log file = /usr/local/samba/var/log.%m
max log size = 50
dns proxy = No
guest account = visitor
realm = MYREALM.COM
security = ads
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
[homes]
comment = Home Directories
read only = No
browseable = No
[tmp]
comment = Temporary file space
path = /tmp
read only = No
---------------------------------------
detail error - with debug level at 10:
[2006/08/29 14:31:49, 6] nsswitch/winbindd.c:new_connection(356)
accepted socket 19
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
process_request: request fn INTERFACE_VERSION
[2006/08/29 14:31:49, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[19587]: request interface version
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/08/29 14:31:49, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[19587]: request location of privileged pipe
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(569)
client_write: need to write 47 extra data bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 47 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(558)
client_write: client_write: complete response written.
[2006/08/29 14:31:49, 6] nsswitch/winbindd.c:new_connection(356)
accepted socket 20
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 1824 bytes. Need 0 more for a full request.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:process_request(321)
process_request: request fn PAM_AUTH
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(179)
[19587]: pam auth jgarrett
[2006/08/29 14:31:49, 8] lib/util.c:is_myname(1810)
is_myname("PDTSUN03") returns 1
[2006/08/29 14:31:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
Authentication for domain PDTSUN03 (local domain to this server) not
supported at this stage
[2006/08/29 14:31:49, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
Plain-text authentication for user jgarrett returned
NT_STATUS_NO_SUCH_USER (PAM: 13)
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 1300 bytes.
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 0 bytes. Need 1824 more for a full request.
[2006/08/29 14:31:49, 5] nsswitch/winbindd.c:winbind_client_read(477)
read failed on sock 19, pid 19587: EOF
[2006/08/29 14:31:49, 10] nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 0 bytes. Need 1824 more for a full request.
[2006/08/29 14:31:49, 5] nsswitch/winbindd.c:winbind_client_read(477)
read failed on sock 20, pid 19587: EOF
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Apparently Analagous Threads
- winbind auth against ads not working via remote login-solaris 10. - Success!!
- AD returns only one group for all users
- Winbind fails to connect to \PIPE\NETLOGON with 3.0.10 and 3.0.9
- Windows 2003 Active Directory - Cannot authenticate
- winbind wbinfo -u problem