Walter Huf
2008-Feb-22 19:44 UTC
[Samba] Winbind 3.0.26a cannot authenticate with ActiveDirectory
I am using Ubuntu Gutsy, which comes with Winbind 3.0.26a. I am using the same configuration that worked on Ubuntu Feisty, which uses Winbind 3.0.24. Something changed with Winbind, apparently, to break the configuration that was working perfectly. How can I fix my configuration to work with the new version?

The symptoms are as follows:
wbinfo -t works
wbinfo can retrieve a list of users
wbinfo can look up a user's SID by its username
wbinfo can look up a user's username by its SID
ntlm_auth can authenticate a user. I can not use wbinfo to verify this because my password has a ! in it. Windows Event Viewer does not show an event for this.
Logging in fails, generating a Windows Event with error code 0xC000006A.
su username does not work, failing with "Unknown id: username"

The relevant section of smb.conf:
workgroup = WORKGROUP
realm = WORKGROUP.TLD
security = ADS
winbind enum groups = yes
winbind enum users = yes
winbind cache time = 600
winbind nested groups = yes
winbind nss info = sfu
winbind separator = +
winbind use default domain = yes

idmap gid = 500-45000
idmap uid = 500-45000
idmap backend = ad

nsswitch.conf has the following:
passwd: files winbind
group: files winbind

Pam configuration:
auth requisite pam_nologin.so debug
auth [success=1 default=ignore] pam_localuser.so debug
auth [success=done auth_err=bad] pam_winbind.so debug
auth required pam_unix.so nullok_secure debug

account sufficient pam_winbind.so debug
account required pam_unix_acct.so debug

Relevant part of auth.log:
Feb 22 11:25:49 client sshd[4620]: Invalid user username from X.X.X.X
Feb 22 11:25:49 client sshd[4620]: Failed none for invalid user username from X.X.X.X port 2086 ssh2
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): [pamh: 0x8006e940] ENTER: pam_sm_authenticate (flags: 0x0001)
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): getting password (0x00000001)
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): Verify user 'username'
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): user 'username' denied access (incorrect password or invalid membership)
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): [pamh: 0x8006e940] LEAVE: pam_sm_authenticate returning 7
Feb 22 11:25:49 client sshd[4620]: pam_unix(ssh:auth): check pass; user unknown
Feb 22 11:25:50 client sshd[4620]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X
Feb 22 11:25:51 client sshd[4620]: Failed password for invalid user username from X.X.X.X port 2086 ssh2

klist output:
Default principal: principal@WORKGROUP.TLD

Valid starting     Expires            Service principal
02/22/08 10:51:58  02/22/08 20:51:43  krbtgt/WORKGROUP.TLD@WORKGROUP.TLD
        renew until 02/23/08 10:51:58
02/22/08 11:20:58  02/22/08 20:51:43  dc$@WORKGROUP.TLD
        renew until 02/23/08 10:51:58

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Does anyone have any ways to fix this serious problem?
Guillermo Gutierrez
2008-Feb-22 19:53 UTC
[Samba] Winbind 3.0.26a cannot authenticate with ActiveDirectory
Something that has worked for me on occasion with the later samba versions is to change:

*idmap uid*, and *idmap gid*

to

*winbind uid*, and *winbind gid*

I don't understand why, because the man page says that winbind uid/gid is a wrapper for idmap uid/gid. But maybe that is why.

I hope it helps.

- Guillermo Gutierrez

On Fri, Feb 22, 2008 at 11:43 AM, Walter Huf <hufman+samba@gmail.com> wrote:
> I am using Ubuntu Gutsy, which comes with Winbind 3.0.26a. I am using the same configuration that worked on Ubuntu Feisty, which uses Winbind 3.0.24. Something changed with Winbind, apparently, to break the configuration that was working perfectly. How can I fix my configuration to work with the new version?
>
> The symptoms are as follows:
> wbinfo -t works
> wbinfo can retrieve a list of users
> wbinfo can look up a user's SID by its username
> wbinfo can look up a user's username by its SID
> ntlm_auth can authenticate a user. I can not use wbinfo to verify this because my password has a ! in it. Windows Event Viewer does not show an event for this.
> Logging in fails, generating a Windows Event with error code 0xC000006A.
> su username does not work, failing with "Unknown id: username"
>
> The relevant section of smb.conf:
> workgroup = WORKGROUP
> realm = WORKGROUP.TLD
> security = ADS
> winbind enum groups = yes
> winbind enum users = yes
> winbind cache time = 600
> winbind nested groups = yes
> winbind nss info = sfu
> winbind separator = +
> winbind use default domain = yes
>
> idmap gid = 500-45000
> idmap uid = 500-45000
> idmap backend = ad
>
> nsswitch.conf has the following:
> passwd: files winbind
> group: files winbind
>
> Pam configuration:
> auth requisite pam_nologin.so debug
> auth [success=1 default=ignore] pam_localuser.so debug
> auth [success=done auth_err=bad] pam_winbind.so debug
> auth required pam_unix.so nullok_secure debug
>
> account sufficient pam_winbind.so debug
> account required pam_unix_acct.so debug
>
> Relevant part of auth.log:
> Feb 22 11:25:49 client sshd[4620]: Invalid user username from X.X.X.X
> Feb 22 11:25:49 client sshd[4620]: Failed none for invalid user username from X.X.X.X port 2086 ssh2
> Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): [pamh: 0x8006e940] ENTER: pam_sm_authenticate (flags: 0x0001)
> Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): getting password (0x00000001)
> Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): Verify user 'username'
> Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
> Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): user 'username' denied access (incorrect password or invalid membership)
> Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): [pamh: 0x8006e940] LEAVE: pam_sm_authenticate returning 7
> Feb 22 11:25:49 client sshd[4620]: pam_unix(ssh:auth): check pass; user unknown
> Feb 22 11:25:50 client sshd[4620]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X
> Feb 22 11:25:51 client sshd[4620]: Failed password for invalid user username from X.X.X.X port 2086 ssh2
>
> klist output:
> Default principal: principal@WORKGROUP.TLD
>
> Valid starting     Expires            Service principal
> 02/22/08 10:51:58  02/22/08 20:51:43  krbtgt/WORKGROUP.TLD@WORKGROUP.TLD
>         renew until 02/23/08 10:51:58
> 02/22/08 11:20:58  02/22/08 20:51:43  dc$@WORKGROUP.TLD
>         renew until 02/23/08 10:51:58
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> Does anyone have any ways to fix this serious problem?
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba

--
Guillermo Gutierrez
guillermogutierrezjr@gmail.com
Walter Huf
2008-Feb-28 16:42 UTC
Fwd: [Samba] Winbind 3.0.26a cannot authenticate with ActiveDirectory
I changed those lines, and nothing seemed to change. However, I remembered more information that I could include.

getent passwd does not list domain users, only local users.

Sample lines from /var/log/samba/log.winbindd:
[2008/02/22 14:13:21, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
  Could not get unix ID
[2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
  error getting user id for sid S-1-5-21-2143970516-726479814-926709054-1840
[2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)
  could not lookup domain user otherusername

Does this help at all? Has anybody gotten Winbind 3.0.26a to authenticate successfully with Active Directory?

On Fri, Feb 22, 2008 at 1:52 PM, Guillermo Gutierrez <guillermogutierrezjr@gmail.com> wrote:
> Something that has worked for me on occasion with the later samba versions is to change:
>
> *idmap uid*, and *idmap gid*
>
> to
>
> *winbind uid*, and *winbind gid*
>
> I don't understand why, because the man page says that winbind uid/gid is a wrapper for idmap uid/gid. But maybe that is why.
>
> I hope it helps.
>
> --
> Guillermo Gutierrez
> guillermogutierrezjr@gmail.com
Walter Huf
2008-Feb-29 03:05 UTC
[Samba] Winbind 3.0.26a cannot authenticate with ActiveDirectory
I changed those lines, and nothing seemed to change. However, I remembered more information that I could include.

getent passwd does not list domain users, only local users.

Sample lines from /var/log/samba/log.winbindd:
[2008/02/22 14:13:21, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
  Could not get unix ID
[2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
  error getting user id for sid S-1-5-21-2143970516-726479814-926709054-1840
[2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)
  could not lookup domain user otherusername

Does this help at all? Has anybody gotten Winbind 3.0.26a to authenticate successfully with Active Directory?

On Fri, Feb 22, 2008 at 1:52 PM, Guillermo Gutierrez <guillermogutierrezjr@gmail.com> wrote:
> Something that has worked for me on occasion with the later samba versions is to change:
>
> *idmap uid*, and *idmap gid*
>
> to
>
> *winbind uid*, and *winbind gid*
>
> I don't understand why, because the man page says that winbind uid/gid is a wrapper for idmap uid/gid. But maybe that is why.
>
> I hope it helps.
>
> --
> Guillermo Gutierrez
> guillermogutierrezjr@gmail.com
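
Added example, not part of any post in this thread: a small triage script that reads the log.winbindd and auth.log lines quoted above and separates name-resolution (NSS/idmap) failures from the PAM status codes. The function names `parse_winbindd` and `triage` are hypothetical, and the header-line plus indented-message layout of log.winbindd is an assumption.

```python
import re

# Constructed sample: the log lines quoted in the thread. The header-line /
# indented-message layout of log.winbindd is an assumption about Samba 3.0 output.
WINBINDD_LOG = """\
[2008/02/22 14:13:21, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
  Could not get unix ID
[2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
  error getting user id for sid S-1-5-21-2143970516-726479814-926709054-1840
[2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)
  could not lookup domain user otherusername
"""
AUTH_LOG = """\
Feb 22 11:25:49 client sshd[4620]: Invalid user username from X.X.X.X
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
Feb 22 11:25:51 client sshd[4620]: Failed password for invalid user username from X.X.X.X port 2086 ssh2
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")
SID = re.compile(r"\bS-1(?:-\d+)+\b")

def parse_winbindd(text):
    """Pair each '[time, level] file:function(line)' header with its message text."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append(dict(m.groupdict(), message=""))
        elif line and records:
            records[-1]["message"] = (records[-1]["message"] + " " + line).strip()
    return records

def triage(winbindd_text, auth_text):
    """Collect name-resolution (NSS/idmap) failures separately from PAM status codes."""
    out = {"unmapped_sids": set(), "unresolved_users": set(),
           "nss_invalid_users": set(), "nt_status": set()}
    for rec in parse_winbindd(winbindd_text):
        out["unmapped_sids"].update(SID.findall(rec["message"]))
        out["unresolved_users"].update(
            re.findall(r"could not lookup domain user (\S+)", rec["message"]))
    for line in auth_text.splitlines():
        # sshd logs "Invalid user" when the account name is unknown to the system
        out["nss_invalid_users"].update(re.findall(r"sshd\[\d+\]: Invalid user (\S+) from", line))
        out["nt_status"].update(re.findall(r"NT error was (NT_STATUS_\w+)", line))
    # Any unresolved name or SID points at identity mapping, not only at credentials
    out["identity_mapping_failure"] = bool(
        out["unmapped_sids"] or out["unresolved_users"] or out["nss_invalid_users"])
    return out

if __name__ == "__main__":
    print(triage(WINBINDD_LOG, AUTH_LOG))
```
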