Ive recently installed three servers with RHEL5u5. After some messing on the
original, I got samba working with ADS authentication. I then went and got it
working so that users could log in using their domain name & password to the
box. I got this working with both no restriction, and ADS group restriction. I
have left it on no restriction wheil I get these systems up and running.
I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf)
to the second machine. Everything works. Rebooted, everything is fine. System
running as expected.
I copied to the third machine. Everything worked fine. I was able to log in
using two users (mine and a colleagues). Set up some other machine stuff,
rebooted, and passed the machine over.
I was then informed (naturally 5mins after I left the office) that there was
something wrong. Those two accounts worked from both a samba perspective, and a
login perspective. However a third account that was supposed to work, failed
with "su: user ccadm does not exist". Now samba doesn't work for
any user other than the original too, and the same goes for logins.
I tried net ads leave, kdestory, renaming the system, rebooting. I have rejoined
the domain as both that system name, and a new one, with no issues:
[root at akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root at akbarTRAP log]# net ads testjoin
Join is OK
[root at akbarTRAP log]# wbinfo -u | grep ccadm
Ccadm
So my questions are:
1. Where the hell are these accounts being cached, that work.
2. What the hell has happened to make this no longer work.
3. Why if I can see all the users & groups can I not log in, or get
samba working.
This is really starting to get on my nerves. I just cannot understand why if it
can see the users using wbinfo, why it is telling me they don't exist.
Would really appreciate some help on this.
Regards
B
[root at akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group: files winbind
log.winbind:
[2011/03/30 14:29:03, 3]
winbindd/winbindd_misc.c:754(winbindd_interface_version)
[ 7381]: request interface version
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
[ 7381]: request location of privileged pipe
[2011/03/30 14:29:03, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
[ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
[ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3]
winbindd/winbindd_misc.c:754(winbindd_interface_version)
[ 7381]: request interface version
[2011/03/30 14:29:05, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
[ 7381]: request location of privileged pipe
[2011/03/30 14:29:05, 3] winbindd/winbindd_pam.c:829(winbindd_pam_auth)
[ 7381]: pam auth ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
[ 7381]: getpwnam ccadm
Secure log:
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user
unknown
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=galvatron.MYDOMAIN.com
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): getting password
(0x00000010)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): pam_get_item
returned a password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS:
NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password [I know the pass is
right here. It works elsewhere]
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): user
'ccadm' denied access (incorrect password or invalid membership)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_succeed_if(sshd:auth): error
retrieving information about user ccadm
Mar 30 14:29:07 akbartrap sshd[7381]: Failed password for invalid user ccadm
from 172.16.165.248 port 39699 ssh2
# Global parameters
[global]
workgroup = GROUP
realm = MYDOMAIN.COM
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = Yes
winbind separator = /
encrypt passwords = Yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
preferred master = No
dns proxy = No
wins server = 172.16.164.100
template homedir = /home/%U
template shell = /bin/bash
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_winbind.so use_first_pass
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password sufficient pam_winbind.so use_first_pass
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
use_uid
session required pam_unix.so
session required pam_winbind.so use_first_pass
session required pam_mkhomedir.so
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized. If you are not the intended recipient, any disclosure,
copying, distribution or any action taken or omitted to be taken in reliance
on it, is prohibited and may be unlawful. If you are not the intended
addressee please contact the sender and dispose of this e-mail. Thank you.
After a bit of googling, I found that the idmap has been corrupted. Why
would/could this happen?
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Brian O'Mahony
Sent: Wednesday, March 30, 2011 2:37 PM
To: samba at lists.samba.org
Subject: [Samba] Samba Authentication wrecking my head [ADS]
Ive recently installed three servers with RHEL5u5. After some messing on the
original, I got samba working with ADS authentication. I then went and got it
working so that users could log in using their domain name & password to the
box. I got this working with both no restriction, and ADS group restriction. I
have left it on no restriction wheil I get these systems up and running.
I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf)
to the second machine. Everything works. Rebooted, everything is fine. System
running as expected.
I copied to the third machine. Everything worked fine. I was able to log in
using two users (mine and a colleagues). Set up some other machine stuff,
rebooted, and passed the machine over.
I was then informed (naturally 5mins after I left the office) that there was
something wrong. Those two accounts worked from both a samba perspective, and a
login perspective. However a third account that was supposed to work, failed
with "su: user ccadm does not exist". Now samba doesn't work for
any user other than the original too, and the same goes for logins.
I tried net ads leave, kdestory, renaming the system, rebooting. I have rejoined
the domain as both that system name, and a new one, with no issues:
[root at akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded [root at akbarTRAP log]# net
ads testjoin Join is OK [root at akbarTRAP log]# wbinfo -u | grep ccadm Ccadm
So my questions are:
1. Where the hell are these accounts being cached, that work.
2. What the hell has happened to make this no longer work.
3. Why if I can see all the users & groups can I not log in, or get
samba working.
This is really starting to get on my nerves. I just cannot understand why if it
can see the users using wbinfo, why it is telling me they don't exist.
Would really appreciate some help on this.
Regards
B
[root at akbarTRAP etc]# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group: files winbind
log.winbind:
[2011/03/30 14:29:03, 3]
winbindd/winbindd_misc.c:754(winbindd_interface_version)
[ 7381]: request interface version
[2011/03/30 14:29:03, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
[ 7381]: request location of privileged pipe
[2011/03/30 14:29:03, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
[ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
[ 7381]: getpwnam ccadm
[2011/03/30 14:29:05, 3]
winbindd/winbindd_misc.c:754(winbindd_interface_version)
[ 7381]: request interface version
[2011/03/30 14:29:05, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
[ 7381]: request location of privileged pipe
[2011/03/30 14:29:05, 3] winbindd/winbindd_pam.c:829(winbindd_pam_auth)
[ 7381]: pam auth ccadm
[2011/03/30 14:29:05, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
[ 7381]: getpwnam ccadm
Secure log:
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248 Mar
30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm Mar
30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=galvatron.MYDOMAIN.com Mar
30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): getting password
(0x00000010) Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth):
pam_get_item returned a password Mar 30 14:29:05 akbartrap sshd[7381]:
pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM
error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was:
Wrong Password [I know the pass is right here. It works elsewhere] Mar 30
14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): user 'ccadm'
denied access (incorrect password or invalid membership) Mar 30 14:29:05
akbartrap sshd[7381]: pam_succeed_if(sshd:auth): error retrieving information
about user ccadm Mar 30 14:29:07 akbartrap sshd[7381]: Failed password for
invalid user ccadm from 172.16.165.248 port 39699 ssh2
# Global parameters
[global]
workgroup = GROUP
realm = MYDOMAIN.COM
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = Yes
winbind separator = /
encrypt passwords = Yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
preferred master = No
dns proxy = No
wins server = 172.16.164.100
template homedir = /home/%U
template shell = /bin/bash
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient pam_winbind.so use_first_pass
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password sufficient pam_winbind.so use_first_pass
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
use_uid
session required pam_unix.so
session required pam_winbind.so use_first_pass
session required pam_mkhomedir.so
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else is
unauthorized. If you are not the intended recipient, any disclosure, copying,
distribution or any action taken or omitted to be taken in reliance on it, is
prohibited and may be unlawful. If you are not the intended addressee please
contact the sender and dispose of this e-mail. Thank you.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized. If you are not the intended recipient, any disclosure,
copying, distribution or any action taken or omitted to be taken in reliance
on it, is prohibited and may be unlawful. If you are not the intended
addressee please contact the sender and dispose of this e-mail. Thank you.
Maybe Matching Threads
- ntlm_auth: (pipe \PIPE\NETLOGON) has died or was never started (fd == -1)
- winbindd reporting "killing connections to DOMAIN"
- Samba 3.5.6 pam problems
- How to configure Winbind to use uidNumber and gidNumber
- Interdomain Trust, wbinfo works on both servers, getent doesn't work on one server