Hi Gurus!

Hope you can help me - I'm trying to get my SLES 10 SP2 box to authenticate users against Windows AD using Winbind, but I can't get it to work as I want. I have configured smb, winbind and Kerberos, and kinit, list, net ads join, wbinfo etc. work fine - but when I try to log in as user xx.xx.admin, it fails. This is what I got in my /var/log/warn:

eb 6 12:15:09 045gev-rcms-001 sshd[16209]: pam_winbind(sshd:auth): request failed: Access denied, PAM error was System error (4), NT error was NT_STATUS_ACCESS_DENIED
Feb 6 12:15:09 045gev-rcms-001 sshd[16209]: pam_winbind(sshd:auth): internal module error (retval = 4, user = xx.xx.admin')

...which is kind of weird, as the password is fine: it works on Windows, and on some HP-UX boxes where I use LDAP/Kerberos to authenticate through Windows AD. Also, at various points, it puts this in the warn file:

Feb 6 13:16:01 045gev-rcms-001 winbindd[1421]: [2009/02/06 13:16:01, 0] libads/kerberos.c:ads_kinit_password(228)
Feb 6 13:16:01 045gev-rcms-001 winbindd[1421]: kerberos_kinit_password 045GEV-RCMS-001$@VELUX.ORG failed: Preauthentication failed

Any hint, help etc. will be appreciated - the configuration is stated below. Thanks in advance.

Here are my conf-files:

cat /etc/samba/smb.conf

[global]
workgroup = DOMAIN
security = ads
netbios name = 045gefvsora003
realm = DOMAIN.ORG
password server = 045geveladdc001.velux.org
workgroup = DOMAIN.ORG
idmap uid = 1000-29999
idmap gid = 1000-29999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
server string

cat /etc/krb5.conf

[libdefaults]
default_realm = VELUX.ORG

[realms]
VELUX.ORG = {
  kdc = 045geveladdc001.velux.org
  kdc = 045geveladdc002.velux.org
  kdc = 045geveladdc003.velux.org
}

[domain_realm]
.velux.org = VELUX.ORG
velux.org = VELUX.ORG

cat /etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

cat /etc/pam.d/common-account

account sufficient pam_winbind.so
account required pam_unix2.so

cat /etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth required pam_env.so
auth required pam_unix2.so

cat /etc/pam.d/common-password

assword required pam_pwcheck.so nullok
password required pam_unix2.so nullok_secure use_first_pass

cat /etc/pam.d/common-session

session required pam_limits.so
session required pam_unix2.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

cat /etc/security/pam_winbind.conf

[global]
# turn on debugging
;debug = yes
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no
# authenticate using kerberos
;krb5_auth = yes
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type
# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of
# password expiry warning period in days
;warn_pwd_expire = 14

Lots of greetings
Danny Petterson