Jeff LePage
2008-Jul-28 15:34 UTC
[Samba] Problems authenticating Ubuntu 8.04 client (gdm) against Samba (Ubuntu 8.04) domain server
Hello,

Does anyone have a working pam configuration that allows gdm logins? My current config works with ssh and bash logins. I'd like gdm to work with usernames like DOMAIN\\USERNAME.

MORE DETAIL:
-------------------
I'm trying to get a Linux client (Ubuntu 8.04) to authenticate against a Samba domain controller (also Ubuntu 8.04). WindowsXP clients work fine with the samba PDC.

I have managed to get logins to work for ssh and at the bash prompt, thus:

    login: ora\\bob

This works fine, but logging in at the console does NOT work. When I try to login using gdm, I get a popup that says that "Authentication failed". This is not the normal error message when logging in as a local user with incorrect password. This indicates to me that the user "ORA\\bob" (and all syntactic variations thereof) is being recognized as a domain user, but the password server is rejecting the user.

The (relevant portions of) smb.conf on the client system are:

    #*********
    workgroup = ORA # this is my domain name
    security = Domain
    encrypt passwords = true
    password server = samba1 # this is my Ubuntu8.04 samba domain controller
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    pam password change = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind cache time = 5
    winbind enum users = yes
    winbind enum groups = yes
    ##########

My /etc/pam.d/gdm is shown below. Ubuntu separates out certain blocks into common files that are included in the application specific files. I have included the includes:

    auth requisite pam_nologin.so
    auth required pam_env.so readenv=1
    auth required pam_env.so readenv=1 envfile=/etc/default/locale
    #@include common-auth
    auth sufficient pam_winbind.so
    auth sufficient pam_unix.so nullok_secure use_first_pass
    auth optional pam_smbpass.so migrate missingok
    #@include common-auth
    auth optional pam_gnome_keyring.so
    #@include common-account
    account sufficient pam_winbind.so
    account required pam_unix.so
    #@include common-account
    session required pam_limits.so
    #@include common-session
    session required pam_unix.so
    session required pam_mkhomedir.so umask=0022 skel=/etc/skel
    #@include common-session
    session optional pam_gnome_keyring.so auto_start
    #@include common-password
    password requisite pam_unix.so nullok obscure md5
    password optional pam_smbpass.so nullok use_authtok use_first_pass missingok
    #@include common-password
Jeff LePage
2008-Jul-29 11:56 UTC
[Samba] Problems authenticating Ubuntu 8.04 client (gdm) against Samba (Ubuntu 8.04) domain server
Problem solved. There was a spelling error in my configuration, introduced during a hasty edit. Once I fixed that and rebooted, everything works.
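A spelling error of the kind reported in the follow-up can be caught with a lint pass over the PAM stack before anyone is locked out of the graphical login. The following is an added example, not part of the original posts: the misspelled sample lines are constructed, and the list of valid modules is simply the set named in the /etc/pam.d/gdm file above, since the thread does not say where the actual error was.

```python
import re

# Linux-PAM management groups and the simple (non-bracket) control keywords.
TYPES = {"auth", "account", "session", "password"}
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}

# Assumption: the modules that appear in the gdm stack posted in this thread.
PAGE_MODULES = {
    "pam_nologin.so", "pam_env.so", "pam_winbind.so", "pam_unix.so",
    "pam_smbpass.so", "pam_gnome_keyring.so", "pam_limits.so", "pam_mkhomedir.so",
}

# Constructed sample: lines from the posted stack with three typos introduced.
SAMPLE = """\
auth requisite pam_nologin.so
auth sufficent pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
account sufficient pam_windbind.so
account required pam_unix.so
sesion required pam_mkhomedir.so umask=0022 skel=/etc/skel
"""

def lint_pam(text, known_modules):
    """Return (line_number, message) findings for a PAM service file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        # A bracketed control such as [success=1 default=ignore] is one field.
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            findings.append((no, "incomplete rule"))
            continue
        mtype, control, module = m.groups()
        if mtype.lstrip("-") not in TYPES:
            findings.append((no, f"unknown type {mtype!r}"))
        if not control.startswith("[") and control not in CONTROLS:
            findings.append((no, f"unknown control {control!r}"))
        if control in ("include", "substack"):
            continue  # third field is a service name, not a module
        if module not in known_modules:
            findings.append((no, f"unknown module {module!r}"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_pam(SAMPLE, PAGE_MODULES):
        print(f"line {no}: {msg}")
```

On a real system the set of known modules would be built from the installed PAM module directory rather than hard-coded.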