francis picabia
2015-Jan-22 18:19 UTC
[Samba] Samba 3.6.6, ADS, Winbind, no local Unix account
We run AD on Windows servers and have Linux systems authenticate against AD with pam, for shares, cyrus mail, or shell logins. For shares on a Linux system we often have no local account.

We've had success with Samba 3.5.10 and prior versions using security = ads with winbind, pam, nsswitch.conf, krb5.conf while there is no local Unix account.

Starting after this version, possibly 3.6.0 and above, I can only get shares to work by using an AD account and auth which maps to a local shell account name.

Here are very minimal settings, not ideal, just trying to get this to work...

/etc/pam.d/samba:

    auth sufficient pam_winbind.so use_first_pass
    auth required pam_deny.so
    account required pam_permit.so

/etc/nsswitch.conf:

    passwd: files winbind
    group: files winbind
    shadow: files winbind

If I use an account having a local shell and the AD password, the share works. If I use another AD account which does appear in wbinfo -u output, it cannot log in to the share. If I add the AD user with a shell of /bin/false the login works.

I've gone through many howtos trying for a formula, but the unmatched user issue remains. Here is the last attempt in smb.conf:

    security = ads
    password server = adc2.mydom.ca
    loglevel = 3
    template shell = /bin/false
    encrypt passwords = yes

    realm = AD.MYDOM.CA
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config MYDOM:backend = ad
    idmap config MYDOM:schema_mode = rfc2307
    idmap config MYDOM:range=10000-19000000

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes

I've only changed the actual domain to mydom in that config.

krb5.conf must be alright otherwise my shell account user would fail to login to the share with the AD credentials.

I had a thought on how to make non-local accounts access the share by using map to guest = Bad Uid but the comments in man page for smb.conf make it sound like I still shouldn't need that with winbind and nsswitch.

If anyone has seen a sample for non-local accounts and Samba 3.6 it might be useful.
Rowland Penny
2015-Jan-22 18:32 UTC
[Samba] Samba 3.6.6, ADS, Winbind, no local Unix account
On 22/01/15 18:19, francis picabia wrote:
> I had a thought on how to make non-local accounts access
> the share by using map to guest = Bad Uid
> but the comments in man page for smb.conf make it sound
> like I still shouldn't need that with winbind and nsswitch.
>
> If anyone has seen a sample for non-local accounts and Samba 3.6
> it might be useful.

OK, you have three options.

Use the winbind 'ad' backend (this is what you are using), but your users must have a 'uidNumber' in AD.

Use the 'rid' backend, your users will get a uid number automatically.

Use 'map to guest = bad user', only problem with the last one, all unknown users end up as 'nobody'.

If you want to try the rid backend, change 'idmap config MYDOM:backend = ad' to 'idmap config MYDOM:backend = rid' and remove 'idmap config MYDOM:schema_mode = rfc2307'.

Rowland
francis picabia
2015-Jan-22 19:20 UTC
[Samba] Samba 3.6.6, ADS, Winbind, no local Unix account
On Thu, Jan 22, 2015 at 2:32 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> OK, you have three options.
> Use the winbind 'ad' backend (this is what you are using), but your users
> must have a 'uidNumber' in AD.
> Use the 'rid' backend, your users will get a uid number automatically.
> Use 'map to guest = bad user', only problem with the last one, all unknown
> users end up as 'nobody'
>
> If you want to try the rid backend, change 'idmap config MYDOM:backend =
> ad' to 'idmap config MYDOM:backend = rid' and remove 'idmap config
> MYDOM:schema_mode = rfc2307'
>
> Rowland

Thank you very much. That was a clue to get the configuration solid so I plugged along with that set up. I didn't know what 'rid' handled, but I had used it before in the multiple settings I've tried. Good to know.

I finally found the solution. I'm on Debian 7 and winbind did not include the package libpam-winbind. I installed that, restarted winbind and samba and now the unmatched user can connect. It provided the file:

    /lib/x86_64-linux-gnu/security/pam_winbind.so

I should have been looking in /var/log/auth.log rather than in /var/log/samba for my errors!

Thanks again...
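Added example, not part of the thread and not Samba's own code: a small POSIX shell script that checks, offline, the three things this thread turns on. It computes the uid an idmap_rid range would hand a SID (Rowland's second option, using the arithmetic from man idmap_rid, ID = RID - BASE_RID + LOW_RANGE_ID), checks that the '*' range and the domain range in an smb.conf do not overlap, and checks that /etc/pam.d/samba hands authentication to a pam_winbind.so that actually exists on disk, which is the libpam-winbind problem francis hit on Debian 7. The SID, the fixture files and the directory standing in for /lib/x86_64-linux-gnu/security are constructed here; point the functions at the real /etc/samba/smb.conf, /etc/pam.d/samba and module directory to check a host.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for a security = ads
# winbind setup. Every file and path below is a constructed fixture.

# idmap_rid arithmetic, per man idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID.
# Prints the uid a SID maps to; fails if it would fall outside LOW..HIGH, in
# which case winbind cannot map the user and the share logon fails.
rid_to_uid() {
    sid=$1 low=$2 high=$3 base=${4:-0}
    rid=${sid##*-}                                   # last SID component is the RID
    case $rid in ''|*[!0-9]*) return 1 ;; esac
    uid=$((rid - base + low))
    [ "$uid" -ge "$low" ] && [ "$uid" -le "$high" ] || return 1
    echo "$uid"
}

# Succeeds when the inclusive ranges LOW1 HIGH1 and LOW2 HIGH2 share an id.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Pulls every "idmap config <dom> : range = a-b" line from an smb.conf and fails
# if any two ranges overlap (an id in the overlap could belong to either domain).
idmap_ranges_ok() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2 \3/p' "$1" |
    sort -k2,2n | {
        prev_high=-1 bad=0
        while read -r _dom low high; do
            [ "$low" -le "$prev_high" ] && bad=1
            [ "$high" -gt "$prev_high" ] && prev_high=$high
        done
        [ "$bad" -eq 0 ]
    }
}

# /etc/pam.d/samba must hand "auth" to pam_winbind, and the module must exist:
# on Debian 7 it ships in libpam-winbind, which the winbind package did not pull in.
pam_winbind_wired() {
    pamfile=$1 libdir=$2
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^[:space:]]+[[:space:]]+pam_winbind\.so' "$pamfile" || return 1
    [ -f "$libdir/pam_winbind.so" ]
}

# Constructed fixtures mirroring the thread's settings, with the rid backend swapped in.
fixtures=$(mktemp -d)
cat >"$fixtures/smb.conf" <<'EOF'
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config MYDOM:backend = rid
   idmap config MYDOM:range=10000-19000000
EOF
cat >"$fixtures/smb-overlap.conf" <<'EOF'
   idmap config * : range = 2000-20000
   idmap config MYDOM:range=10000-19000000
EOF
cat >"$fixtures/pam.d-samba" <<'EOF'
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_permit.so
EOF
mkdir -p "$fixtures/security"
: >"$fixtures/security/pam_winbind.so"       # stands in for the real module file

rid_to_uid S-1-5-21-1111-2222-3333-1105 10000 19000000       # prints 11105
idmap_ranges_ok "$fixtures/smb.conf" && echo "idmap ranges ok"
idmap_ranges_ok "$fixtures/smb-overlap.conf" || echo "idmap ranges overlap"
pam_winbind_wired "$fixtures/pam.d-samba" "$fixtures/security" && echo "pam_winbind wired"
pam_winbind_wired "$fixtures/pam.d-samba" "$fixtures" || echo "pam_winbind.so missing: install libpam-winbind"
```

The rid check is the one worth running before switching backends: a RID larger than the domain range's width lands outside the range and the user silently fails to map, which looks exactly like the "unmatched user" symptom above, so size the range generously. The pam check is the one that would have shortened this thread: `wbinfo -u` listing the user only proves winbindd and nsswitch work, not that the PAM module Samba's `obey pam restrictions`/pam stack calls is installed.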