samba - Dec 2013 - winbind when machine account is not allowed to read users from ad

HI,

I want to use samba winbind (3.6.18 - Ubuntu) to login to a machine
using ads. The problem I have is that the ad server (win 2008) does not
grant read access to the user list for the machine account. Only each
user can read his own entry. Due to the privacy police this behaviour
can not be changed.
How do I tell winbind to use the user account to look up the user and
not use the machine account.
Kerberos is working fine: kinit user at DOAIN.NET gives a ticket.
Also ntlm_auth is also working:
ntlm_auth --username=USER -> NT_STATUS_OK: Success (0x0)

wbinfo -u only show local users and old (deprecated) domain users.
wbinfo -g works normal. (groups are readable by machine accounts)

For idmap we use the rid mechanism.

Has anybody a hint how to solve this issue?


smb.conf
[global]
        workgroup = DOMAIN
        realm = DOMAIN.NET
        server string = %h
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = ...
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        template homedir = /home/%U
        template shell = /bin/bash
        winbind cache time = 3600
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        idmap config DOMAIN:range = 10000-999999
        idmap config DOMAIN:backend = rid
        idmap config * : range = 2000-9999
        idmap config * : backend = tdb
        valid users = %U


/var/log/auth.log:

login[739]: pam_unix(login:auth): check pass; user unknown
login[739]: pam_unix(login:auth): authentication failure; logname=LOGIN
uid=0 euid=0 tty=/dev/tty2 ruser= rhostlogin[739]: pam_winbind(login:auth):
[pamh: 0x190d460] ENTER:
pam_sm_authenticate (flags: 0x0000)
login[739]: pam_winbind(login:auth): getting password (0x00004389)
login[739]: pam_winbind(login:auth): pam_get_item returned a password
login[739]: pam_winbind(login:auth): Verify user 'USER'
login[739]: pam_winbind(login:auth): PAM config: krb5_ccache_type 'FILE'
login[739]: pam_winbind(login:auth): [pamh: 0x190d460] LEAVE:
pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
login[739]: pam_krb5(login:auth): user ac111286 authenticated as
USER at DOMAIN.NET
login[739]: pam_unix(login:account): could not identify user (from
getpwnam(USER))
login[739]: Authentication failure 


Thanks
Stefan

On Tue, 2013-12-03 at 14:08 +0100, Stefan He? wrote:
> /var/log/auth.log:
> 
> login[739]: pam_unix(login:auth): check pass; user unknown
> login[739]: pam_unix(login:auth): authentication failure; logname=LOGIN
> uid=0 euid=0 tty=/dev/tty2 ruser= rhost> login[739]:
pam_winbind(login:auth): [pamh: 0x190d460] ENTER:
> pam_sm_authenticate (flags: 0x0000)
> login[739]: pam_winbind(login:auth): getting password (0x00004389)
> login[739]: pam_winbind(login:auth): pam_get_item returned a password
> login[739]: pam_winbind(login:auth): Verify user 'USER'
> login[739]: pam_winbind(login:auth): PAM config: krb5_ccache_type
'FILE'
> login[739]: pam_winbind(login:auth): [pamh: 0x190d460] LEAVE:
> pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
> login[739]: pam_krb5(login:auth): user ac111286 authenticated as
> USER at DOMAIN.NET
> login[739]: pam_unix(login:account): could not identify user (from
> getpwnam(USER))
> login[739]: Authentication failure 
> 
> 
> Thanks
> Stefan
> 
Hi
I think your pam stack is in the wrong order or has the wrong options.
RU allowed to post it?
Cheers,
Steve

On Tue, 2013-12-03 at 14:08 +0100, Stefan He? wrote:
> HI,
> 
> I want to use samba winbind (3.6.18 - Ubuntu) to login to a machine
> using ads. The problem I have is that the ad server (win 2008) does not
> grant read access to the user list for the machine account. Only each
> user can read his own entry. Due to the privacy police this behaviour
> can not be changed.
> How do I tell winbind to use the user account to look up the user and
> not use the machine account.
> Kerberos is working fine: kinit user at DOAIN.NET gives a ticket.
> Also ntlm_auth is also working:
> ntlm_auth --username=USER -> NT_STATUS_OK: Success (0x0)
> 
> wbinfo -u only show local users and old (deprecated) domain users.
> wbinfo -g works normal. (groups are readable by machine accounts)
> 
> For idmap we use the rid mechanism.
> 
> Has anybody a hint how to solve this issue?
Which type of login is this?  Access over SMB or local user login?

Either way, this is a very interesting restriction we have not come
across before. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba