Hi List,

I'm installing a Samba server with the intended purpose of serving files to
Windows users with seamless authentication on the smb server.
For that, I've been reading and following every single google search result
regarding the subject, but it seems I'm stuck at some point where other
people are not blocked ...

To summarize, I have these commands OK:
# kinit admin_user at DOMAIN.EXAMPLE.COM
# klist (ticket ok)
# net join ads -S server -U admin_user
# wbinfo -u and -g (both showing "DOMAIN\...")
# wbinfo -t (succeeded)

I configured PAM to use winbind, and to test it I'm using ssh with the same
config as I will for samba

Here's what I get when I try to ssh into my smb server using my AD
credentials:
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): getting password (0x00000000)
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): request failed: Named pipe dicconnected, PAM error was System error (4), NT error was NT_STATUS_PIPE_DISCONNECTED
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): internal module error (retval = 4, user = 'DOMAIN\myusername')
Jan 18 15:34:18 smb sshd[9157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.6 user= DOMAIN\myusername
Jan 18 15:34:20 smb sshd[9157]: Failed password for DOMAIN\myusername from 192.168.5.6 port 50872 ssh2

Any idea on what this error (NT_STATUS...) means?

Also when trying this I get an error:
smb:~# wbinfo -a admin_user%admin_pwd
plaintext password authentication failed
Could not authenticate user henry_admin with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
error messsage was: Named pipe dicconnected
Could not authenticate user admin_user with challenge/response
smb:~#

Here's my PAM config:
auth sufficient pam_winbind.so
auth required pam_unix.so use_first_pass
account sufficient pam_winbind.so
account required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient pam_winbind.so
session required pam_unix.so
password requisite pam_cracklib.so retry=3 type
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_winbind.so use_first_pass
password required pam_deny.so

Any help would be greatly appreciated.

Thanks,

k.
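
Added example, not part of the original post: Python that groups the sshd/PAM lines above by PID and separates winbind backend faults such as NT_STATUS_PIPE_DISCONNECTED from rejected credentials, so a broken winbindd-to-DC path is not counted as password guessing. The second log session, the two status sets and the name `correlate` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First session: the sshd lines from the post, rejoined one per line.
# Second session (pid 9201): constructed, same message format, for contrast.
SAMPLE_LOG = """\
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): getting password (0x00000000)
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): request failed: Named pipe dicconnected, PAM error was System error (4), NT error was NT_STATUS_PIPE_DISCONNECTED
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): internal module error (retval = 4, user = 'DOMAIN\\myusername')
Jan 18 15:34:18 smb sshd[9157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.6  user=DOMAIN\\myusername
Jan 18 15:34:20 smb sshd[9157]: Failed password for DOMAIN\\myusername from 192.168.5.6 port 50872 ssh2
Jan 18 15:40:02 smb sshd[9201]: pam_winbind(sshd:auth): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
Jan 18 15:40:04 smb sshd[9201]: Failed password for DOMAIN\\otheruser from 192.0.2.10 port 40000 ssh2
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
WINBIND = re.compile(r"PAM error was .+? \((\d+)\), NT error was (NT_STATUS_\w+)")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

# Assumed triage split (not from the thread): statuses meaning winbindd could not
# complete the call to a DC, versus statuses meaning the DC rejected the logon.
BACKEND = {"NT_STATUS_PIPE_DISCONNECTED", "NT_STATUS_NO_LOGON_SERVERS", "NT_STATUS_IO_TIMEOUT"}
CREDENTIAL = {"NT_STATUS_WRONG_PASSWORD", "NT_STATUS_LOGON_FAILURE", "NT_STATUS_NO_SUCH_USER"}

def correlate(log_text):
    """Group sshd lines by PID; return one record per failed password login."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec, msg = sessions[int(m.group("pid"))], m.group("msg")
        wb = WINBIND.search(msg)
        if wb:
            rec["pam_error"], rec["nt_status"] = int(wb.group(1)), wb.group(2)
        fp = FAILED.search(msg)
        if fp:
            rec["user"], rec["rhost"] = fp.group(1), fp.group(2)
    records = []
    for pid, rec in sessions.items():
        if "user" not in rec:          # no "Failed password" line for this PID
            continue
        status = rec.get("nt_status")
        cause = ("backend" if status in BACKEND
                 else "credential" if status in CREDENTIAL else "unknown")
        records.append(dict(rec, pid=pid, cause=cause))
    return records

if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print(r["pid"], r["user"], r["rhost"], r.get("nt_status"), r["cause"])
```
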
On Mon, 2010-01-18 at 16:33 +0100, Kris Kaido wrote:
> Hi List,
>
> I'm installing a Samba server with the intended purpose of serving files to
> Windows users with seamless authentication on the smb server.
> For that, I've been reading and following every single google search result
> regarding the subject, but it seems I'm stuck at some point where other
> people are not blocked ...
>
> To summarize, I have these commands OK:
> # kinit admin_user at DOMAIN.EXAMPLE.COM
> # klist (ticket ok)
> # net join ads -S server -U admin_user
> # wbinfo -u and -g (both showing "DOMAIN\...")
> # wbinfo -t (succeeded)
>
> I configured PAM to use winbind, and to test it I'm using ssh with the same
> config as I will for samba
>
> Here's what I get when I try to ssh into my smb server using my AD
> credentials:
> Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): getting password
> (0x00000000)
> Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): request failed:
> Named pipe dicconnected, PAM error was System error (4), NT error was
> NT_STATUS_PIPE_DISCONNECTED
> Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): internal module
> error (retval = 4, user = 'DOMAIN\myusername')
> Jan 18 15:34:18 smb sshd[9157]: pam_unix(sshd:auth): authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.6
> user= DOMAIN\myusername
> Jan 18 15:34:20 smb sshd[9157]: Failed password for DOMAIN\myusername from
> 192.168.5.6 port 50872 ssh2
>
> Any idea on what this error (NT_STATUS...) means?
>
> Also when trying this I get an error:
> smb:~# wbinfo -a admin_user%admin_pwd
> plaintext password authentication failed
> Could not authenticate user henry_admin with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
> error messsage was: Named pipe dicconnected
> Could not authenticate user admin_user with challenge/response
> smb:~#
>
> Here's my PAM config:
> auth sufficient pam_winbind.so
> auth required pam_unix.so use_first_pass
> account sufficient pam_winbind.so
> account required pam_unix.so
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session sufficient pam_winbind.so
> session required pam_unix.so
> password requisite pam_cracklib.so retry=3 type
> password sufficient pam_unix.so nullok use_authtok md5 shadow
> password sufficient pam_winbind.so use_first_pass
> password required pam_deny.so
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> k.

Two things.

1 - make sure nscd is disabled (not just stopped - disable it to prevent
restarting on the next reboot)

2 - I found that using "winbind use default domain = yes" caused a lot of
my default authentication issues to go away. I only have one domain and so
I don't need the extra information / complexity of having to specify
domains.

Regards,

Frank

Alexander R. Fahrutdinov
2010-Jan-19 04:23 UTC
[Samba] Samba/winbind with Active Directory auth

On Monday 18 January 2010 19:33:00, Kris Kaido wrote:
> Hi List,
>
> I'm installing a Samba server with the intended purpose of serving files to
> Windows users with seamless authentication on the smb server.
> For that, I've been reading and following every single google search result
> regarding the subject, but it seems I'm stuck at some point where other
> people are not blocked ...
>
> To summarize, I have these commands OK:
> # kinit admin_user at DOMAIN.EXAMPLE.COM
> # klist (ticket ok)
> # net join ads -S server -U admin_user
> # wbinfo -u and -g (both showing "DOMAIN\...")
> # wbinfo -t (succeeded)

Try to use Kerberos auth (wbinfo -K login%pass). It's possible that the
Windows PDC does not support NT-style auth via pipe. Also, try the
'nt pipe support = no' option in the smb.conf file.