mourik jan c heupink
2015-Oct-26 18:59 UTC
[Samba] self compiled samba domain member, jessie, pam config
Hi, I installed a debian jessie machine, compiled/installed samba 4.3.1, configured as a domain member server, configured winbind: all working nicely. Great docs on the wiki. (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server) One remaining thing: How do I exactly configure pam_winbind in the setup above? On the wiki I read that debian uses pam-auth-update. That does not seem to detect the winbind install. Installing doing apt-get install libpam-winbind wants to install the complete samba package from debian jessie. I have read this page also: https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory but it seems very old, and the pam files on my system look very different. Are there instructions somewhere on the wiki, or does someone have some notes in the subject he or she would care to share? MJ
Rowland Penny
2015-Oct-26 19:13 UTC
[Samba] self compiled samba domain member, jessie, pam config
On 26/10/15 18:59, mourik jan c heupink wrote:> Hi, > > I installed a debian jessie machine, compiled/installed samba 4.3.1, > configured as a domain member server, configured winbind: all working > nicely. Great docs on the wiki. > (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server) > > One remaining thing: How do I exactly configure pam_winbind in the > setup above? > > On the wiki I read that debian uses pam-auth-update. That does not > seem to detect the winbind install. Installing doing apt-get install > libpam-winbind wants to install the complete samba package from debian > jessie. > > I have read this page also: > https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory but it > seems very old, and the pam files on my system look very different. > > Are there instructions somewhere on the wiki, or does someone have > some notes in the subject he or she would care to share? > > MJ >OK, create a file called /usr/share/pam-configs/winbind containing this: Name: Winbind NT/Active Directory authentication Default: yes Priority: 192 Auth-Type: Primary Auth: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_winbind.so Password-Type: Primary Password: [success=end default=ignore] pam_winbind.so use_authtok try_first_pass Password-Initial: [success=end default=ignore] pam_winbind.so Session-Type: Additional Session: optional pam_winbind.so See: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind Follow the link to: https://wiki.samba.org/index.php/Libnss_winbind_links Rowland
mourik jan c heupink
2015-Oct-26 19:50 UTC
[Samba] self compiled samba domain member, jessie, pam config
Hi Rowland,
Thanks for the very quick reply. :-)
On the page you reference
(https://wiki.samba.org/index.php/Libnss_winbind_links) it says:
# smbd -B | grep LIBDIR
LIBDIR: /usr/local/samba/lib/
On my install, I need to use lower case b. Capitol doesn't work. Perhaps
the wiki needs to be updated?
Anyway: I created the symlinks, ldconfig, all seemed to work. Your
recipe for pam-auth-update also seems to work, I could enable winbind
authentication in pam-auth-update.
And just for the record: kinit / klist both work, I can browse to my
4.3.1 samba server from windows: \\servername and \\1.2.3.4,
smbd/nmbd/winbindd are all three running.
However...logging on using ssh doesn't work, in syslog I
get:> Oct 26 20:43:34 meet winbindd[906]: [2015/10/26 20:43:34.110597, 0]
../lib/util/fault.c:78(fault_report)
> Oct 26 20:43:34 meet winbindd[906]:
==============================================================> Oct 26
20:43:34 meet winbindd[906]: [2015/10/26 20:43:34.110635, 0]
../lib/util/fault.c:79(fault_report)
> Oct 26 20:43:34 meet winbindd[906]: INTERNAL ERROR: Signal 11 in pid 906
(4.3.1)
> Oct 26 20:43:34 meet winbindd[906]: Please read the Trouble-Shooting
section of the Samba HOWTO
> Oct 26 20:43:34 meet winbindd[906]: [2015/10/26 20:43:34.110653, 0]
../lib/util/fault.c:81(fault_report)
> Oct 26 20:43:34 meet winbindd[906]:
==============================================================> Oct 26
20:43:34 meet winbindd[906]: [2015/10/26 20:43:34.110664, 0]
../source3/lib/util.c:789(smb_panic_s3)
> Oct 26 20:43:34 meet winbindd[906]: PANIC (pid 906): internal error
> Oct 26 20:43:34 meet winbindd[906]: [2015/10/26 20:43:34.111075, 0]
../source3/lib/util.c:900(log_stack_trace)
> Oct 26 20:43:34 meet winbindd[906]: BACKTRACE: 35 stack frames:
> Oct 26 20:43:34 meet winbindd[906]: #0
/usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f290628b61f]
> Oct 26 20:43:34 meet winbindd[906]: #1
/usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6f) [0x7f290628b46a]
> Oct 26 20:43:34 meet winbindd[906]: #2
/usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f2909e83a16]
> Oct 26 20:43:34 meet winbindd[906]: #3
/usr/local/samba/lib/libsamba-util.so.0(+0x236ee) [0x7f2909e836ee]
> Oct 26 20:43:34 meet winbindd[906]: #4
/usr/local/samba/lib/libsamba-util.so.0(+0x23703) [0x7f2909e83703]
> Oct 26 20:43:34 meet winbindd[906]: #5
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf8d0) [0x7f290ba3e8d0]
> Oct 26 20:43:34 meet winbindd[906]: #6
/usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_storage_free+0x10)
[0x7f2908273ccc]
> Oct 26 20:43:34 meet winbindd[906]: #7
/usr/local/samba/lib/private/libkrb5-samba4.so.26(+0x47708) [0x7f2908259708]
> Oct 26 20:43:34 meet winbindd[906]: #8
/usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x68)
[0x7f2908257c87]
> Oct 26 20:43:34 meet winbindd[906]: #9
/usr/local/samba/lib/private/libgse-samba4.so(+0x98cf) [0x7f29049878cf]
> Oct 26 20:43:34 meet winbindd[906]: #10
/usr/local/samba/lib/private/libgse-samba4.so(gse_krb5_get_server_keytab+0x18d)
[0x7f2904987ccb]
> Oct 26 20:43:34 meet winbindd[906]: #11
/usr/local/samba/lib/private/libgse-samba4.so(+0xa781) [0x7f2904988781]
> Oct 26 20:43:34 meet winbindd[906]: #12
/usr/local/samba/lib/private/libgse-samba4.so(+0xafe5) [0x7f2904988fe5]
> Oct 26 20:43:34 meet winbindd[906]: #13
/usr/local/samba/lib/libgensec.so.0(gensec_start_mech+0x27e) [0x7f2904bc599f]
> Oct 26 20:43:34 meet winbindd[906]: #14
/usr/local/samba/lib/libgensec.so.0(gensec_start_mech_by_oid+0x11a)
[0x7f2904bc5d91]
> Oct 26 20:43:34 meet winbindd[906]: #15
winbindd(kerberos_return_pac+0x7fb) [0x7f290be945d8]
> Oct 26 20:43:34 meet winbindd[906]: #16 winbindd(+0x4e738)
[0x7f290bebd738]
> Oct 26 20:43:34 meet winbindd[906]: #17 winbindd(+0x501d4)
[0x7f290bebf1d4]
> Oct 26 20:43:34 meet winbindd[906]: #18
winbindd(winbindd_dual_pam_auth+0x394) [0x7f290bec072c]
> Oct 26 20:43:34 meet winbindd[906]: #19 winbindd(+0x6dd0a)
[0x7f290bedcd0a]
> Oct 26 20:43:34 meet winbindd[906]: #20 winbindd(+0x706f8)
[0x7f290bedf6f8]
> Oct 26 20:43:34 meet winbindd[906]: #21
/usr/local/samba/lib/private/libtevent.so.0(+0xcebd) [0x7f29093d7ebd]
> Oct 26 20:43:34 meet winbindd[906]: #22
/usr/local/samba/lib/private/libtevent.so.0(+0xd4da) [0x7f29093d84da]
> Oct 26 20:43:34 meet winbindd[906]: #23
/usr/local/samba/lib/private/libtevent.so.0(+0xa3c6) [0x7f29093d53c6]
> Oct 26 20:43:34 meet winbindd[906]: #24
/usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4)
[0x7f29093cf589]
> Oct 26 20:43:34 meet winbindd[906]: #25 winbindd(+0x71243)
[0x7f290bee0243]
> Oct 26 20:43:34 meet winbindd[906]: #26 winbindd(+0x6ccf8)
[0x7f290bedbcf8]
> Oct 26 20:43:34 meet winbindd[906]: #27
/usr/local/samba/lib/private/libtevent.so.0(+0x57c0) [0x7f29093d07c0]
> Oct 26 20:43:34 meet winbindd[906]: #28
/usr/local/samba/lib/private/libtevent.so.0(tevent_common_loop_immediate+0x1f5)
[0x7f29093d0442]
> Oct 26 20:43:34 meet winbindd[906]: #29
/usr/local/samba/lib/private/libtevent.so.0(+0xd440) [0x7f29093d8440]
> Oct 26 20:43:34 meet winbindd[906]: #30
/usr/local/samba/lib/private/libtevent.so.0(+0xa3c6) [0x7f29093d53c6]
> Oct 26 20:43:34 meet winbindd[906]: #31
/usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4)
[0x7f29093cf589]
> Oct 26 20:43:34 meet winbindd[906]: #32 winbindd(main+0xd18)
[0x7f290bea8862]
> Oct 26 20:43:34 meet winbindd[906]: #33
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f2903100b45]
> Oct 26 20:43:34 meet winbindd[906]: #34 winbindd(+0x24ae9)
[0x7f290be93ae9]
> Oct 26 20:43:34 meet winbindd[906]: [2015/10/26 20:43:34.113711, 0]
../source3/lib/dumpcore.c:313(dump_core)
> Oct 26 20:43:34 meet winbindd[906]: unable to change to
/usr/local/samba/var/cores/winbindd
> Oct 26 20:43:34 meet winbindd[906]: refusing to dump core
(the above log appears after I press <enter> after the password prompt)
I could only find this rather old bugreport, that seems to be irrelevant
now: https://bugzilla.samba.org/show_bug.cgi?id=11081
(note: unable to change to /usr/local/samba/var/cores/winbindd, however
the directory exists...)
Ideas?