Lazarus Long
2009-Sep-11 10:46 UTC
[Samba] pam_winbind seems unable to return full list of trusted relationship domain members
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello:

Our scenario:
- Our domain (ABRANTINA) is a Windows 2003R2 AD (RFC2307 enabled)
- Trusted domain (REDE-LC) is a Windows 2003R2 AD
- cafs01tst is a Debian "stable" based SAMBA 3.2.5 file server

Our goal:
- Serve home and shares for users of both domains ABRANTINA and REDE-LC

Our implementation:
(following guidelines from "Samba-3 by Example", and misc info gathered
from the net)
- Configured MIT Kerberos with info for both domains
- Configured PAM to use pam_winbind
- Configured NSS to use nss_winbind
- Configured SAMBA to use the ADS security mechanism
- Joined cafs01tst to ABRANTINA domain

Our problems:
- Users from REDE-LC domain are unable to access cafs01tst, being asked
  for a username/password pair (ABRANTINA users access without problem)
- "getent passwd" only lists five REDE-LC users (always the same five),
  while "wbinfo -u" lists all
- SSH logins to the system by REDE-LC users fail with
  "pam_sm_authenticate returning 10" (ABRANTINA users access without
  problem)

Small note:
We currently have five SAMBA file servers (identical to the one we have set
up for testing) serving domain ABRANTINA users without any problem at all;
the trust relationship and the need to serve REDE-LC domain users is the
source of our problems.

Our steps to reproduce the "getent passwd" problem:
--8<--
root@cafs01tst:~# invoke-rc.d winbind stop ; invoke-rc.d samba stop
Stopping the Winbind daemon: winbind.
Stopping Samba daemons: nmbd smbd.
root@cafs01tst:~# for d in /var/log/samba/ /var/lib/samba/ \
  /var/cache/samba/ ; do find ${d} ! -type d |xargs rm -f ; done
root@cafs01tst:~# net ads join -U Administrator%PASSWORD
Using short domain name -- ABRANTINA
Joined 'CAFS01TST' to realm 'abrantina.org'
root@cafs01tst:~# net ads testjoin -U Administrator%PASSWORD
Join is OK
root@cafs01tst:~# net rpc testjoin -U Administrator%PASSWORD
Join to 'ABRANTINA' is OK
root@cafs01tst:~# invoke-rc.d samba start ; invoke-rc.d winbind start
Starting Samba daemons: nmbd smbd.
Starting the Winbind daemon: winbind.
root@cafs01tst:~# wbinfo --set-auth-user=Administrator%PASSWORD
root@cafs01tst:~# wbinfo --get-auth-user
ABRANTINA+Administrator%PASSWORD
root@cafs01tst:~# wbinfo -t
checking the trust secret via RPC calls succeeded
root@cafs01tst:~# wbinfo -m
BUILTIN
CAFS01TST
ABRANTINA
REDE-LC
root@cafs01tst:~# net rpc trustdom list -U Administrator%PASSWORD
Trusted domains list:

REDE-LC              S-1-5-21-1659004503-776561741-839522115

Trusting domains list:

REDE-LC              S-1-5-21-1659004503-776561741-839522115

root@cafs01tst:~# wbinfo -u
guest
administrator
krbtgt
fmendonca
echironadmin
tsinternetuser
iwam_abrghost
iusr_abrghost
asequeira
jalberto
... (full list edited for clarity) ...
testepr1
testepr2
tsta
REDE-LC+administrator
REDE-LC+guest
REDE-LC+iusr_castor
REDE-LC+iwam_castor
REDE-LC+krbtgt
REDE-LC+antonio martins
REDE-LC+adelino rodrigues
REDE-LC+agostinho costa
REDE-LC+alexandre ferreira
REDE-LC+alice neves
... (full list edited for clarity) ...
REDE-LC+sql_agent
REDE-LC+tst l
REDE-LC+tstl
root@cafs01tst:~# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:105::/var/run/dbus:/bin/false
snmp:x:105:65534::/var/lib/snmp:/bin/false
nslcd:x:106:112:nss-ldapd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
REDE-LC+sergio oliveira:*:20305:20339:Sergio Oliveira:/home/REDE-LC/sergio oliveira:/bin/sh
REDE-LC+tiago freire:*:22668:20339:Tiago Freire:/home/REDE-LC/tiago freire:/bin/sh
REDE-LC+nelson gesero:*:24590:20339:Nelson Gesero:/home/REDE-LC/nelson gesero:/bin/sh
REDE-LC+celso silva:*:26203:20339:Celso Silva:/home/REDE-LC/celso silva:/bin/sh
REDE-LC+luis soares:*:26361:20339:Luis Manuel Gaspar Soares:/home/REDE-LC/luis soares:/bin/sh
administrator:*:10000:10001:Administrator:/home/ABRANTINA/administrator:/bin/sh
fmendonca:*:10177:10014:Filipe Mendonça:/home/ABRANTINA/fmendonca:/bin/sh
echironadmin:*:10001:10001:eChiron Administration:/home/ABRANTINA/echironadmin:/bin/sh
asequeira:*:10073:10000:António Sequeira:/home/ABRANTINA/asequeira:/bin/sh
jalberto:*:10219:10000:José Alberto Santos:/home/ABRANTINA/jalberto:/bin/sh
... (full list edited for clarity) ...
testepr1:*:10664:10000:testepr1:/home/ABRANTINA/testepr1:/bin/sh
testepr2:*:10666:10000:testepr2:/home/ABRANTINA/testepr2:/bin/sh
tsta:*:10687:10000:tsta:/home/ABRANTINA/tsta:/bin/sh
-->8--

Some system info:
--8<--
root@cafs01tst:~# uname -a
Linux cafs01tst 2.6.26-2-amd64 #1 SMP Wed Aug 19 22:33:18 UTC 2009 x86_64 GNU/Linux
root@cafs01tst:~# cat /etc/debian_version
5.0.3
root@cafs01tst:~# dpkg -s samba
Package: samba
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 12380
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Architecture: amd64
Version: 2:3.2.5-4lenny6
root@cafs01tst:~# smbd -V
Version 3.2.5
root@cafs01tst:~# cat /etc/nsswitch.conf
passwd:         files winbind
group:          files winbind
shadow:         files winbind
hosts:          files dns wins
networks:       files dns
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
root@cafs01tst:~# cat /etc/pam.d/samba
@include common-auth
@include common-account
@include common-session
@include common-password
root@cafs01tst:~# cat /etc/pam.d/sshd
auth       required     pam_env.so # [1]
auth       required     pam_env.so envfile=/etc/default/locale
@include common-auth
account    required     pam_nologin.so
@include common-account
@include common-session
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
@include common-password
root@cafs01tst:~# cat /etc/pam.d/common-auth
auth    required        pam_env.so
auth    sufficient      pam_unix.so try_first_pass nullok_secure debug
auth    sufficient      pam_winbind.so try_first_pass use_authtok krb5_auth cached_login debug debug_state
auth    required        pam_deny.so
root@cafs01tst:~# cat /etc/pam.d/common-account
account required        pam_unix.so debug
account sufficient      pam_localuser.so
account sufficient      pam_succeed_if.so uid < 10000 quiet
account sufficient      pam_winbind.so krb5_auth cached_login debug debug_state
account required        pam_permit.so
root@cafs01tst:~# cat /etc/pam.d/common-session
session optional        pam_keyinit.so revoke
session required        pam_mkhomedir.so silent umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required        pam_unix.so debug
session optional        pam_winbind.so krb5_auth cached_login debug debug_state
root@cafs01tst:~# cat /etc/pam.d/common-password
password required       pam_cracklib.so retry=3 minlen=6 difok=3 debug
password sufficient     pam_unix.so try_first_pass use_authtok nullok md5 debug
password sufficient     pam_winbind.so try_first_pass use_authtok krb5_auth cached_login debug debug_state
password required       pam_deny.so
-->8--

Output of testparm (an extended "testparm -sv" output is attached):
--8<--
root@cafs01tst:~# testparm -s
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[printers]"
Processing section "[print$]"
WARNING: The "printer admin" option is deprecated
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[print$]"
Processing section "[trusttst]"
Processing section "[trusttst_a]"
Processing section "[trusttst_l]"
Processing section "[trusttst_2]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER
[global]
	unix charset = LOCALE
	workgroup = ABRANTINA
	realm = ABRANTINA.ORG
	server string = %h - %i
	security = ADS
	obey pam restrictions = Yes
	passdb backend = tdbsam
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	username map = /etc/samba/smbusers
	unix password sync = Yes
	use kerberos keytab = Yes
	log level = 10
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1024
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	printcap name = cups
	wins server = abrantapp01
	utmp = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap domains = ABRANTINA, REDE-LC
	idmap alloc backend = tdb
	template shell = /bin/sh
	winbind separator = +
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	winbind expand groups = 2
	winbind offline logon = Yes
	idmap config REDE-LC:range = 20000-29999
	idmap config REDE-LC:base_rid = 1000
	idmap config REDE-LC:backend = rid
	idmap config ABRANTINA:schema_mode = rfc2307
	idmap config ABRANTINA:readonly = yes
	idmap config ABRANTINA:range = 10000-19999
	idmap config ABRANTINA:default = yes
	idmap config ABRANTINA:backend = ad
	idmap alloc config:range = 9000-9999
	printer admin = "@ABRANTINA\Domain Admins"
	delete veto files = Yes
	veto files = /.AppleDesktop/.AppleDouble/.bin/DesktopFolderDB/Network Trash Folder/TrashFor%m/resource.frk/
	include = /etc/samba/smb.conf.shares

[homes]
	comment = Home Directories
	printer admin
	read only = No
	create mask = 0700
	directory mask = 0700
	delete veto files = No
	veto files = /.bash*/.profile/.*rc/.forward*/.ssh/.vim*/.smbprofile/.w3m/.less*/.mysql*/
	browseable = No
	include

[netlogon]
	comment = Network Logon Service
	path = /srv/netlogon
	write list = "@ABRANTINA\Domain Admins"
	printer admin
	force create mode = 0755
	force directory mode = 0755
	guest ok = Yes
	delete veto files = No
	veto files
	share modes = No
	include

[printers]
	comment = All Printers
	path = /var/spool/samba
	printer admin
	create mask = 0700
	printable = Yes
	delete veto files = No
	veto files
	browseable = No
	include

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers
	write list = "@ABRANTINA\Domain Admins"
	printer admin
	delete veto files = No
	veto files
	browseable = No
	include

[trusttst]
	path = /srv/shares/%S
	valid users = @ABRANTINA\l%S
	write list = @ABRANTINA\l%S
	force group = "l%S"
	force create mode = 02770
	force directory mode = 02770

[trusttst_a]
	path = /srv/shares/%S
	valid users = @ABRANTINA\trusttst
	write list = @ABRANTINA\trusttst
	force group = "ltrusttst"
	force create mode = 02770
	force directory mode = 02770

[trusttst_l]
	path = /srv/shares/%S
	valid users = @REDE-LC\trusttst
	write list = @REDE-LC\trusttst
	force group = "ltrusttst"
	force create mode = 02770
	force directory mode = 02770

[trusttst_2]
	path = /srv/shares/%S
	valid users = @ABRANTINA\ltrusttst, @ABRANTINA\trusttst, @REDE-LC\trusttst
	write list = @ABRANTINA\ltrusttst, @ABRANTINA\trusttst, @REDE-LC\trusttst
	force group = "ltrusttst"
	force create mode = 02770
	force directory mode = 02770
-->8--

Attached is level 10 logging of the system's winbind while reproducing the
"getent passwd" problem.

Thank you very much for any support on this matter.

-- 
Lazarus Long <lazarus (dot) long (at) bigfoot (dot) com>
+--------------------------------------------------------------+
| PGP or GnuPG Key:                                            |
| http://wwwkeys.eu.pgp.net:11371/pks/lookup?search=0x5C1DC205 |
+--------------------------------------------------------------+
Please do not send me attachments in proprietary formats without request
(i.e. Word, PowerPoint or Excel documents), see
<http://www.gnu.org/philosophy/no-word-attachments.html>
Please do not send me attachments in proprietary formats that I have not
asked for (e.g. Word, PowerPoint or Excel documents), see
<http://www.gnu.org/philosophy/no-word-attachments.pt.html>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkqqKn0ACgkQCXRGvVwdwgWwOQCgkQA/N6Zl91hJuJt9l0xbPE7P
XPwAoJYR+4rS9+HfBGP2BZ9ID2HGh570
=60ZX
-----END PGP SIGNATURE-----
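One thing a reader of the configuration above would want to check is the arithmetic of the idmap_rid backend that serves REDE-LC. The example below is added here and is not code from the post or from the Samba project; it implements the mapping documented for idmap_rid in Samba 3.x (ID = RID - base_rid + low range ID, with anything outside the range refused) using the exact `idmap config REDE-LC:*` values from the testparm output, and applies it to the well-known RIDs of an AD domain (Administrator 500, Guest 501, krbtgt 502, Domain Admins 512, Domain Users 513). It also recovers the RIDs behind the uid/gid pairs of two of the REDE-LC getent lines, which are constructed sample input copied from the post. Because winbind must map both a user's uid and primary-group gid to build a passwd entry, whether Domain Users (RID 513) can be mapped at all is worth comparing against the level 10 winbind log; the code only shows what the configured range permits.

```python
"""Check what Samba 3.x idmap_rid can map with a given range and base_rid.

Added example, not from the original post. Formula as documented for
idmap_rid in Samba 3.x:  id = rid - base_rid + low_id, and any result
outside [low_id, high_id] is refused (no mapping).
"""

# Values copied from the "idmap config REDE-LC:*" lines of the testparm output.
REDE_LC_RANGE = (20000, 29999)
REDE_LC_BASE_RID = 1000

# Well-known RIDs of an Active Directory domain.
WELL_KNOWN_RIDS = {
    "Administrator": 500,
    "Guest": 501,
    "krbtgt": 502,
    "Domain Admins": 512,
    "Domain Users": 513,
}


def rid_to_id(rid, id_range, base_rid):
    """Unix id idmap_rid would assign to this RID, or None if it falls outside the range."""
    low, high = id_range
    xid = rid - base_rid + low
    if xid < low or xid > high:
        return None
    return xid


def id_to_rid(xid, id_range, base_rid):
    """Inverse mapping: recover the RID from a uid/gid that idmap_rid produced."""
    low, high = id_range
    if xid < low or xid > high:
        return None
    return xid - low + base_rid


def unmappable_well_known(id_range, base_rid, rids=WELL_KNOWN_RIDS):
    """Names of the well-known accounts/groups whose RID this config cannot map."""
    return sorted(name for name, rid in rids.items()
                  if rid_to_id(rid, id_range, base_rid) is None)


def passwd_entry_rids(lines, id_range, base_rid, domain_prefix):
    """For getent passwd lines of one domain, return (name, uid RID, gid RID).

    A field that lies outside the configured range is reported as None.
    """
    out = []
    for line in lines:
        fields = line.split(":")
        if len(fields) < 7 or not fields[0].startswith(domain_prefix):
            continue  # local accounts and other domains are ignored
        uid, gid = int(fields[2]), int(fields[3])
        out.append((fields[0],
                    id_to_rid(uid, id_range, base_rid),
                    id_to_rid(gid, id_range, base_rid)))
    return out


# Constructed sample input: two getent lines from the post, reflowed onto one line each.
SAMPLE_GETENT = [
    "root:x:0:0:root:/root:/bin/bash",
    "REDE-LC+sergio oliveira:*:20305:20339:Sergio Oliveira:/home/REDE-LC/sergio oliveira:/bin/sh",
    "REDE-LC+luis soares:*:26361:20339:Luis Manuel Gaspar Soares:/home/REDE-LC/luis soares:/bin/sh",
]

if __name__ == "__main__":
    print("well-known RIDs with no mapping in REDE-LC range:",
          unmappable_well_known(REDE_LC_RANGE, REDE_LC_BASE_RID))
    for name, uid_rid, gid_rid in passwd_entry_rids(
            SAMPLE_GETENT, REDE_LC_RANGE, REDE_LC_BASE_RID, "REDE-LC+"):
        print(f"{name}: uid RID {uid_rid}, primary group RID {gid_rid}")
```

Feeding the script real `getent passwd` output (one line per list element) shows, per listed user, which RID the uid and gid came from; with `base_rid = 1000` and a range starting at 20000, any RID below 1000 yields an id below the range and is therefore never mapped, so the listed users' primary group RID (1339 here) is not the default Domain Users group.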
Lazarus Long
2009-Sep-14 13:08 UTC
[Samba] pam_winbind seems unable to return full list of trusted relationship domain members
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lazarus Long wrote:
> Our scenario:
> - Our domain (ABRANTINA) is a Windows 2003R2 AD (RFC2307 enabled)
> - Trusted domain (REDE-LC) is a Windows 2003R2 AD
> - cafs01tst is a Debian "stable" based SAMBA 3.2.5 file server
>
> Our goal:
> - Serve home and shares for users of both domains ABRANTINA and REDE-LC
>
> Our implementation:
> (following guidelines from "Samba-3 by Example", and misc info gathered
> from the net)
> - Configured MIT Kerberos with info for both domains
> - Configured PAM to use pam_winbind
> - Configured NSS to use nss_winbind
> - Configured SAMBA to use the ADS security mechanism
> - Joined cafs01tst to ABRANTINA domain
>
> Our problems:
> - Users from REDE-LC domain are unable to access cafs01tst, being asked
>   for a username/password pair (ABRANTINA users access without problem)
> - "getent passwd" only lists five REDE-LC users (always the same five),
>   while "wbinfo -u" lists all
> - SSH logins to the system by REDE-LC users fail with
>   "pam_sm_authenticate returning 10" (ABRANTINA users access without
>   problem)

Can anybody be so kind as to try to help us out here? Although the SAMBA
documentation states that this works, we have been unable to get it right.

Thank you very much,

-- 
Lazarus Long <lazarus (dot) long (at) bigfoot (dot) com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkquQDIACgkQCXRGvVwdwgUHuACfWW7GnnqcOda1CrMEhp2DVDaH
eX0AoMTbopqYjJjc+yqBa9bHPDPZwcZK
=Lpp5
-----END PGP SIGNATURE-----