Jason Gerfen
2008-May-22 16:32 UTC
[Samba] winbind,ads, win2k3, trusted domains, user mapping
I have been reading everything I can regarding this setup but am having a problem that I am unsure of.

I am unable to authenticate any user despite the following commands working:

%> getent passwd <username>
%> wbinfo -u
%> wbinfo -g

With the getent passwd I am able to see all of my UID/GID being mapped via winbind to the rid of the domain user account.

This command fails:

%> wbinfo -i <username>

And in the log files when attempting to authenticate against this machine by mapping a share the following is seen in the log files:

check_ntlm_password: Checking password for unmapped user [server.domain.edu]\[username]@[DC] with the new password interface

This is inaccurate as with a krb5 tgt the correct line should look like:

check_ntlm_password: Checking password for unmapped user [server.domain.edu]\[username]@[REALM.EDU] with the new password interface

Unless I am missing something I believe my configuration shown below is accurate and as of yet I have not received any real answer to this problem. Any help is appreciated.
Here is my smb.conf

[global]
workgroup = scl
realm = SCL.DOMAIN.EDU
server string = valhalla.scl.domain.edu
netbios name = valhalla

password server = *
encrypt passwords = true
security = ads

os level = 20

allow trusted domains = no

ldap ssl = no

idmap uid = 5000-2000000
idmap gid = 5000-2000000
idmap domains = SCL

interfaces = eth0, lo
bind interfaces only = yes

log level = 20
log file = /var/log/samba3/log.%m
max log size = 50

client signing = yes
client schannel = no
client use spnego = yes

preferred master = no
local master = no
domain master = no
wins proxy = no
dns proxy = No

template shell = /bin/bash
nt acl support = yes
create mask = 0775
template homedir = /home/%U

winbind uid = 500-2000000
winbind gid = 500-2000000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind offline logon = true

printcap name = cups
printing = cups
load printers = yes
cups options = raw
print command
lpq command = %p
lprm command

[test]
comment = testing
browsable = yes
read only = yes
create mode = 0644
path = /home/jason

Here is my krb5.conf

[libdefaults]
default_realm = UTAH.EDU

[realms]
UTAH.EDU = {
kdc = 155.99.1.95
}

[domain_realm]
.utah.edu = DOMAIN.EDU
DOMAIN.EDU = DOMAIN.EDU
scl.DOMAIN.EDU = DOMAIN.EDU

[logging]
default = FILE:/var/log/krb5.log

[appdefaults]
pam = {
ticket_lifetime = 365d
renew_lifetime = 365d
forwardable = true
proxiable = false
retain_after_close = true
minimum_uid = 0
}

The nsswitch.conf file:

passwd: compat winbind
shadow: compat
group: compat winbind

# passwd: db files nis
# shadow: db files nis
# group: db files nis

hosts: files dns wins
networks: files

services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files

automount: files
aliases: files

-- 
Jas
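A cross-check of the smb.conf and krb5.conf pair, as an added example that is not part of the thread and not Samba or MIT code. It parses two constructed configs, reduced to the parameters the checks read and modelled on the values in the post above (the mis-spelled [loggin] section is deliberate, and both "idmap uid" and "winbind uid" are present, as in the post), and reports where the two files disagree: the realm smb.conf joins versus the default_realm Kerberos will use, realms named without a [realms] stanza, the host's DNS domain mapping to a different realm, unknown section names, and one id-mapping range given twice with different bounds. The parsers are minimal readers written for this example. It does not diagnose the failure in the thread; it lists the inconsistencies an operator would want cleared before reading winbind logs at level 20.

```python
# Added example: lint a smb.conf / krb5.conf pair for a "security = ads" host.
# Both configs below are constructed for this example from values in the thread.

SMB_CONF = """\
[global]
    realm = SCL.DOMAIN.EDU
    security = ads
    idmap uid = 5000-2000000
    idmap gid = 5000-2000000
    winbind uid = 500-2000000
    winbind gid = 500-2000000
"""

KRB5_CONF = """\
[libdefaults]
    default_realm = UTAH.EDU
[realms]
    UTAH.EDU = {
        kdc = 155.99.1.95
    }
[domain_realm]
    .utah.edu = DOMAIN.EDU
    DOMAIN.EDU = DOMAIN.EDU
    scl.DOMAIN.EDU = DOMAIN.EDU
[loggin]
    default = FILE:/var/log/krb5.log
"""

# Section names MIT krb5 reads; anything else is silently ignored.
KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "logging", "appdefaults",
                 "capaths", "plugins", "dbdefaults", "dbmodules", "kdc", "login"}


def parse_smb_conf(text):
    """{section: {parameter: value}}; Samba ignores case and whitespace in
    parameter names, so they are normalised to lower case, single spaces."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = conf.setdefault(line[1:-1].lower(), {})
        elif section is not None:
            key, _, value = line.partition("=")
            section[" ".join(key.split()).lower()] = value.strip()
    return conf


def parse_krb5_conf(text):
    """{section: {key: value | {nested}}}; handles the { } blocks of [realms]."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            stack = [conf.setdefault(line[1:-1], {})]   # name kept as written
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def lint(smb, krb5):
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    g = smb.get("global", {})
    realm = g.get("realm", "").upper()
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "").upper()
    # security = ads joins the realm in smb.conf; pam_krb5/kinit use default_realm.
    if realm and default_realm and realm != default_realm:
        findings.append(f"realm mismatch: smb.conf realm {realm}, "
                        f"krb5.conf default_realm {default_realm}")
    # Every realm named anywhere needs a [realms] stanza or DNS SRV discovery.
    known = {r.upper() for r in krb5.get("realms", {})}
    domain_realm = {k.lower(): v.upper() for k, v in krb5.get("domain_realm", {}).items()}
    named = set(domain_realm.values()) | {r for r in (realm, default_realm) if r}
    for r in sorted(named - known):
        findings.append(f"realm {r} is named but has no [realms] stanza; "
                        "its KDCs would have to come from DNS SRV records")
    # The host's DNS domain (an AD realm, lower-cased) must map to the joined realm.
    if realm:
        host_domain = realm.lower()
        mapped = domain_realm.get(host_domain) or domain_realm.get("." + host_domain)
        if mapped and mapped != realm:
            findings.append(f"[domain_realm] maps {host_domain} to {mapped}, "
                            f"not to the smb.conf realm {realm}")
    for name in krb5:
        if name not in KRB5_SECTIONS:
            findings.append(f"unknown krb5.conf section [{name}] (typo? it is ignored)")
    # Samba 3 documents 'winbind uid' as a synonym of 'idmap uid' (same for gid);
    # with both present the later line wins, so differing ranges is a mistake.
    for kind in ("uid", "gid"):
        a, b = g.get(f"idmap {kind}"), g.get(f"winbind {kind}")
        if a and b and a != b:
            findings.append(f"idmap {kind} = {a} and winbind {kind} = {b} disagree; "
                            "they are the same parameter and the later line wins")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_smb_conf(SMB_CONF), parse_krb5_conf(KRB5_CONF)):
        print("-", finding)
```

Run against the constructed pair it prints seven findings; against a pair where the smb.conf realm, the krb5 default_realm and the [domain_realm] target all agree and the realm has a [realms] stanza it prints nothing. The realm values in the post are clearly anonymised, so the mismatch it reports there may be an artefact of the anonymisation rather than of the real host.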
Jason Gerfen
2008-May-22 17:56 UTC
[Samba] winbind, ads, win2k3, trusted domains, user mapping [UPDATED]
UPDATE

Jason Gerfen wrote:
> I have been reading everything I can regarding this setup but am having a
> problem that I am unsure of.
>
> I am unable to authenticate any user despite the following commands
> working:
> %> getent passwd <username>
> %> wbinfo -u
> %> wbinfo -g
>
> With the getent passwd I am able to see all of my UID/GID being mapped
> via winbind to the rid of the domain user account.
>
> This command fails:
> %> wbinfo -i <username>

This command works
%> wbinfo --krb5auth=smb%password

From a windows machine this fails
%> net use x: \\server.domain.com\share /user:smb

> And in the log files when attempting to authenticate against this
> machine by mapping a share the following is seen in the log files:
> check_ntlm_password: Checking password for unmapped user
> [server.domain.edu]\[username]@[DC] with the new password interface
>
> This is inaccurate as with a krb5 tgt the correct line should look like:
> check_ntlm_password: Checking password for unmapped user
> [server.domain.edu]\[username]@[REALM.EDU] with the new password interface
>
> Unless I am missing something I believe my configuration shown below is
> accurate and as of yet I have not received any real answer to this problem.
>
> Any help is appreciated.
>
> [smb.conf, krb5.conf and nsswitch.conf quoted as in the first post]

-- 
Jas
Linux Addict
2008-May-22 18:08 UTC
[Samba] winbind, ads, win2k3, trusted domains, user mapping [UPDATED]
On Thu, May 22, 2008 at 2:03 PM, Jason Gerfen <jason.gerfen@scl.utah.edu> wrote:
> UPDATE
> Jason Gerfen wrote:
>> I have been reading everything I can regarding this setup but am having a
>> problem that I am unsure of.
>>
>> I am unable to authenticate any user despite the following commands
>> working:
>> %> getent passwd <username>
>> %> wbinfo -u
>> %> wbinfo -g
>>
>> With the getent passwd I am able to see all of my UID/GID being mapped via
>> winbind to the rid of the domain user account.
>>
>> This command fails:
>> %> wbinfo -i <username>
>
> This command works
> %> wbinfo --krb5auth=smb%password
>
> From a windows machine this fails
> %> net use x: \\server.domain.com\share /user:smb
>
>> And in the log files when attempting to authenticate against this machine
>> by mapping a share the following is seen in the log files:
>> check_ntlm_password: Checking password for unmapped user
>> [server.domain.edu]\[username]@[DC] with the new password interface
>>
>> This is inaccurate as with a krb5 tgt the correct line should look like:
>> check_ntlm_password: Checking password for unmapped user
>> [server.domain.edu]\[username]@[REALM.EDU] with the new password interface
>>
>> Unless I am missing something I believe my configuration shown below is
>> accurate and as of yet I have not received any real answer to this problem.
>>
>> Any help is appreciated.
>>
>> [smb.conf, krb5.conf and nsswitch.conf quoted as in the first post]
>
> --
> Jas
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba

Have you checked your PAM configuration? What do you see on /var/log/secure?
Jason Gerfen
2008-May-22 18:18 UTC
[Samba] winbind, ads, win2k3, trusted domains, user mapping [UPDATED]
Forgot my pam stack data

auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_krb5.so ignore_root
account sufficient pam_winbind.so

password optional pam_krb5.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password required pam_deny.so

session required pam_mkhomedir.so umask=0000 skel=/etc/skel/ silent
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so

Linux Addict wrote:
> On Thu, May 22, 2008 at 2:03 PM, Jason Gerfen <jason.gerfen@scl.utah.edu> wrote:
>> UPDATE
>> Jason Gerfen wrote:
>>> I have been reading everything I can regarding this setup but am having a
>>> problem that I am unsure of.
>>> [...]
>>> This command fails:
>>> %> wbinfo -i <username>
>> This command works
>> %> wbinfo --krb5auth=smb%password
>>
>> From a windows machine this fails
>> %> net use x: \\server.domain.com\share /user:smb
>>
>>> [log excerpt, smb.conf, krb5.conf and nsswitch.conf quoted as in the first post]
>>
>> --
>> Jas
>
> Have you checked your PAM configuration? What do you see on /var/log/secure?

-- 
Jas
Linux Addict
2008-May-22 18:42 UTC
[Samba] winbind, ads, win2k3, trusted domains, user mapping [UPDATED]
On Thu, May 22, 2008 at 2:25 PM, Jason Gerfen <jason.gerfen@scl.utah.edu> wrote:
> Forgot my pam stack data
>
> auth required pam_env.so
> auth sufficient pam_winbind.so
> auth sufficient pam_unix.so try_first_pass likeauth nullok
> auth sufficient pam_krb5.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_krb5.so ignore_root
> account sufficient pam_winbind.so
>
> password optional pam_krb5.so
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2
> try_first_pass retry=3
> password sufficient pam_unix.so try_first_pass use_authtok nullok md5
> shadow
> password required pam_deny.so
>
> session required pam_mkhomedir.so umask=0000 skel=/etc/skel/ silent
> session required pam_limits.so
> session required pam_unix.so
> session optional pam_krb5.so
>
> Linux Addict wrote:
>> On Thu, May 22, 2008 at 2:03 PM, Jason Gerfen <jason.gerfen@scl.utah.edu>
>> wrote:
>>> UPDATE
>>> [original post, log excerpt and configuration quoted as in the first post]
>>>
>>> This command works
>>> %> wbinfo --krb5auth=smb%password
>>>
>>> From a windows machine this fails
>>> %> net use x: \\server.domain.com\share /user:smb
>>>
>>> --
>>> Jas
>>
>> Have you checked your PAM configuration? What do you see on
>> /var/log/secure?
>
> --
> Jas

1. Did you try su and ssh? What is the result?
2. Remove the *.tdb files on /var/lib/samba and restart the winbind. There may be corruption.
3. Does kinit get a ticket?

I suggest you make su or ssh work first, then start with smb. Also check the /var/log/secure as it should log anything related to authentication. Your pam configuration looks good. If your krb is configured correctly, then winbind.so entries are not really required.
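To see why the reply above can say the pam_winbind lines are not strictly needed once Kerberos works, here is an evaluator for the Linux-PAM control flags run over the auth and account stacks Jason posted earlier in the thread. It is an added example, not code from the thread or from Linux-PAM: the outcome of each module for a hypothetical user is supplied by hand (an assumption, nothing is authenticated), pam_env is taken as always succeeding and pam_deny as always failing, and password hand-off between modules (try_first_pass / use_first_pass) is not modelled. It shows which module decides in each case, including the account-stack case where a required module failing cannot be rescued by a later sufficient one.

```python
# Added example: evaluate a Linux-PAM stack the way libpam applies the simple
# control flags, to see which module decides. Stacks re-typed from the thread.

PAM_AUTH = """\
auth     required   pam_env.so
auth     sufficient pam_winbind.so
auth     sufficient pam_unix.so try_first_pass likeauth nullok
auth     sufficient pam_krb5.so use_first_pass
auth     required   pam_deny.so
"""

PAM_ACCOUNT = """\
account  required   pam_unix.so
account  sufficient pam_krb5.so ignore_root
account  sufficient pam_winbind.so
"""

# Modules whose result never depends on the user (assumption for this model).
FIXED = {"pam_env.so": True, "pam_deny.so": False}


def parse_pam(text):
    """Return [(control, module, args)] for the non-comment lines of a stack."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        _type, control, module, *args = fields
        stack.append((control.lower(), module, args))
    return stack


def run_stack(stack, outcomes):
    """Apply required / requisite / sufficient / optional semantics.

    outcomes maps module name -> True/False for this hypothetical user; modules
    not listed are taken to fail. Returns (final_result, modules_consulted) so
    the caller can see where the stack short-circuited.
    """
    outcomes = {**outcomes, **FIXED}
    required_failed = False
    decisive_seen = False          # did any non-optional module run?
    optional_result = None
    consulted = []
    for control, module, _args in stack:
        ok = outcomes.get(module, False)
        consulted.append(module)
        if control == "required":
            decisive_seen = True
            if not ok:
                required_failed = True     # remembered; the stack keeps running
        elif control == "requisite":
            decisive_seen = True
            if not ok:
                return False, consulted    # fail immediately
        elif control == "sufficient":
            decisive_seen = True
            if ok and not required_failed:
                return True, consulted     # success; later modules never run
        elif control == "optional":
            optional_result = ok           # only counts if nothing else decides
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    if not decisive_seen:
        return bool(optional_result), consulted
    return not required_failed, consulted


def auth(outcomes):
    return run_stack(parse_pam(PAM_AUTH), outcomes)


def account(outcomes):
    return run_stack(parse_pam(PAM_ACCOUNT), outcomes)


if __name__ == "__main__":
    print("winbind ok:          ", auth({"pam_winbind.so": True}))
    print("only krb5 ok:        ", auth({"pam_krb5.so": True}))
    print("nothing ok:          ", auth({}))
    print("account, unix fails: ",
          account({"pam_unix.so": False, "pam_krb5.so": True, "pam_winbind.so": True}))
```

Three things fall out of running it: when pam_winbind succeeds, pam_unix and pam_krb5 are never consulted; when it fails, the stack continues and pam_krb5 alone is enough to succeed, which is the sense in which the winbind line is optional once Kerberos works; and in the account stack, because pam_unix is "required", its failure makes the phase fail even though pam_krb5 and pam_winbind are both "sufficient" and succeed afterwards. Which of those outcomes the real modules produce for a given user is exactly what /var/log/secure records.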