orlando carvalho
2007-Feb-04 01:09 UTC
[Samba] Can't authenticate, from a linux client, against a samba PDC/tdbsam
Hi all,

Since September 2006, I've been using a Samba PDC (3.0.20) with tdbsam to authenticate the users of a school network (90 XP boxes). All the users are able to log in to the network from XP boxes.

Recently, I've installed a Samba client (K12LTSP) in the domain, but I've a problem getting the Linux client to authenticate against the Samba PDC. After setting up all the config files (smb.conf, nsswitch, system-auth/pam and pam_mount.conf) and starting all services, I can't log in. The error message is "Account disabled by the administrator". This happens with all accounts.

When I try to log on to the Linux client machine with a username and password stored in Samba, I get the following in /var/log/messages:

==> messages <=
Jan 31 17:41:38 ltspserver1 nmbd[2954]:
Jan 31 17:41:38 ltspserver1 nmbd[2954]: *****
Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' OK
Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' granted access
Jan 31 17:42:29 ltspserver1 gdm[3740]: session_child_run: Utilizador n?o autorizado a iniciar sess?o
Jan 31 17:59:44 ltspserver1 restorecond: Reset file context /etc/mtab: system_u:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
Jan 31 18:00:18 ltspserver1 pam_winbind[3832]: user 'p1012' OK
Jan 31 18:00:18 ltspserver1 pam_winbind[3832]: user 'p1012' granted access
Jan 31 18:00:18 ltspserver1 gdm[3846]: session_child_run: Utilizador n?o autorizado a iniciar sess?o
Jan 31 18:08:28 ws253.ltsp -- MARK --

TRANSLATION of "Utilizador n?o autorizado a iniciar sess?o": User not allowed to start session

On the Samba PDC, the command pdbedit -Lv p1012 prints:

Unix username: p1012
NT username:
Account Flags: [UX ]
User SID: S-1-5-21-3881466999-1126814743-3210567677-7692
Primary Group SID: S-1-5-21-3881466999-1126814743-3210567677-2113
Full Name: Carlos Carvalho
Home Directory: \\servlinux\p1012
HomeDir Drive: X:
Logon Script: logon.bat
Profile Path:
Domain: ESCOLA
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
Password last set: Thu, 04 Jan 2007 18:00:11 GMT
Password can change: Thu, 04 Jan 2007 18:00:11 GMT
Password must change: Tue, 19 Jan 2038 03:14:07 GMT
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

All the following commands succeeded:

wbinfo -u
wbinfo -g
wbinfo -t
getent passwd

My config files are:

SMB.CONF (SAMBA PDC):

[global]
    unix charset = iso8859-1
    display charset = cp850
    workgroup = ESCOLA
    server string = Samba Server
    passdb backend = tdbsam
    passwd chat = *new*password* %n\n re-enter*new*password* %n\n password*changed*
    username map = /etc/samba/smbusers
    log level = 2
    auth syslog = 0
    log file = /var/log/samba/%m.log
    max log size = 50
    name resolve order = wins bcast hosts
    time server = Yes
    printcap name = cups
    show add printer wizard = No
    add user script = /usr/sbin/useradd -m %u
    delete user script = /usr/sbin/userdel -r %u
    add group script = /usr/sbin/groupadd %g
    delete group script = /usr/sbin/groupdel %g
    add user to group script = /usr/sbin/usermod -G %g %u
    add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
    logon script = logon.bat
    logon path
    logon drive = X:
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap ssl = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    admin users = root
    veto oplock files = /*.doc/*.xls/*.mdb/

[homes]
    comment = Home Directories - %p
    valid users = %S
    read only = No
    browseable = No

[printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /home/netlogon/%u
    read only = No
    browseable = No

[software]
    comment = Instalacao de SW
    path = /apps/programas
    create mode = 770
    directory mode = 770
    valid users = root @ti
    admin users = p650 p1012 p894
    writeable = yes
    browseable = no

[professores]
    comment = Ficheiros para professores
    path = /apps/professores
    create mode = 770
    directory mode = 770
    valid users = root @professores
    admin users = p650 p1012 p894
    writeable = yes
    browseable = no

[administracao]
    comment = Programas de Gestao
    path = /apps/administracao
    create mode = 775
    directory mode = 775
    valid users = root @professores @t1213
    admin users = p894 p774 p140
    writeable = yes
    browseable = no

[software_livre]
    comment = Software Livre
    path = /dados/livre
    create mode = 777
    directory mode = 777
    valid users = root @professores @alunos @formacao
    admin users = p1012 p755 p650 p894
    writeable = yes
    browseable = yes

SMB.CONF (LINUX CLIENT):

[global]
    workgroup = ESCOLA
    security = domain
    log file = /var/log/samba/%m.log
    max log size = 50
    wins server = 192.168.1.10
    password server = 192.168.1.10
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/false
    winbind use default domain = yes

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /usr/spool/samba
    browseable = no

SYSTEM-AUTH (LINUX CLIENT):

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_mount.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_smb_auth.so use_first_pass nolocal
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_mkhomedir.so skel=/etc/skel umask 0022
session optional pam_mount.so use_first_pass
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

PAM_MOUNT (LINUX CLIENT):

debug 0
mkmountpoint 1
fsckloop /dev/loop7
options_allow nosuid,nodev,loop,encryption
options_require nosuid,nodev
lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKTARGET)
losetup /sbin/losetup -p0 "%(before=\"-e \" CIPHER)" "%(before=\"-k \" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbmount /bin/mount -t smbfs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /bin/mount -t ncpfs %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
umount /bin/umount %(MNTPT)
lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o \" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount %(SERVER):%(VOLUME) "%(MNTPT)%(before=\"-o \" OPTIONS)"
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)
volume * smb 192.168.1.10 & /home/&/online uid=&,dmask=0570 - -

I've made tests with k12ltsp 5.0/k12ltsp 6.0 and Samba 3.0.23c/Samba 3.0.23d without success. Before testing, I installed all the available updates.

Almost everything is working well and the system is able to create the users' home directories with pam_mkhomedir.so skel=/etc/skel umask 0022.

I tried the commands <<smbpasswd -e p1012>> and <<pdbedit -r -c "[X ] p1012>> without success.

Meanwhile, I successfully joined a Linux client running Fedora Core 4.

I need an easy way to deploy terminals, so could you help me to find the correct way to solve my problem?

Thank you,
Carlos Carvalho
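
A check for the PDC side of this report, as an added example that is not part of the original post: it decodes the Account Flags field of `pdbedit -Lv` output and lists any flag (D = disabled, L = auto-locked) that would block a logon in Samba's own account database. The function names are hypothetical; the first sample is copied from the output in the post and the second is a constructed variant.

```python
import re

# Account-control letters Samba prints between the brackets of "Account Flags".
ACB_FLAGS = {
    "N": "no password required",
    "D": "account disabled",
    "H": "home directory required",
    "T": "temporary duplicate account",
    "U": "normal user account",
    "M": "MNS logon account",
    "W": "workstation trust account",
    "S": "server trust account",
    "L": "account auto-locked",
    "X": "password does not expire",
    "I": "interdomain trust account",
}
BLOCKING = {"D", "L"}  # flags that stop a logon on the Samba side

# Fields copied from the pdbedit -Lv output in the post.
POSTED = """Unix username: p1012
Account Flags: [UX ]
Domain: ESCOLA
Bad password count : 0
"""
# Constructed variant: the same account with the disabled flag set.
CONSTRUCTED_DISABLED = POSTED.replace("[UX ]", "[DUX ]")

def parse_pdbedit(text):
    """Turn `pdbedit -Lv` output into a dict of field name -> value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decode_flags(text):
    """Return [(letter, meaning), ...] for the Account Flags field."""
    raw = parse_pdbedit(text).get("Account Flags", "")
    m = re.fullmatch(r"\[([A-Za-z ]*)\]", raw)
    if not m:
        raise ValueError("no usable Account Flags field: %r" % raw)
    letters = m.group(1).replace(" ", "")
    unknown = sorted(set(letters) - set(ACB_FLAGS))
    if unknown:
        raise ValueError("unknown flag letters: %s" % unknown)
    return [(c, ACB_FLAGS[c]) for c in letters]

def blocking_flags(text):
    """Meanings of the flags that make Samba itself refuse the logon."""
    return [desc for c, desc in decode_flags(text) if c in BLOCKING]

if __name__ == "__main__":
    for label, sample in (("posted", POSTED), ("constructed", CONSTRUCTED_DISABLED)):
        print(label, decode_flags(sample), "blocking:", blocking_flags(sample))
```

An empty result from `blocking_flags` means the passdb entry carries neither the disabled nor the auto-locked flag.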