On Tue, 13 Dec 2016 14:57:59 -0500
lingpanda101 via samba <samba at lists.samba.org> wrote:
> On 12/12/2016 3:27 PM, lingpanda101 wrote:
> > On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
> >> On 10/12/2016 16:25, Brian Candler wrote:
> >>> I think there's plenty of emphasis now, but I think there is a
> >>> part which is misleading:
> >>>
> >>> > To enable Samba to retrieve user and group information from
> >>> > Active Directory (AD):
> >>> >
> >>> > * Users must have at least the uidNumber and groups the
> >>> > gidNumber attribute set.
> >>
> >> I'm so sorry: I misread this as "Users must have at least the
> >> uidNumber and gidNumber attribute set", which is of course *not*
> >> what it says. Hence the text is accurate (if you read it
> >> correctly); it's my brain which is at fault.
> >>
> >> I do still think that the alternative text I gave is clearer - for
> >> my brain anyway :-)
> >>
> >> Regards,
> >>
> >> Brian.
> >>
> >>
> >
> > OK finally solved. Added to my smb.conf
> >
> > 'winbind use default domain = yes'
> >
> > Disabling Avahi and using the above was the issue. Next to attempt
> > actually signing in from the login screen and not via SSH.
> >
> >
> >
>
> Following the wiki and I'm stuck at 'Authenticating Domain Users
> Using PAM'. I see the section
>
> If you have compiled Samba, you need to add a symbolic links.
> See pam_winbind Link
> <https://wiki.samba.org/index.php/Pam_winbind_Link> for OS specific
> information, where to place it.
>
>
> If I follow the link it appears to take me to a page similar to
> 'libnss_winbind' linking. I don't see any difference. I ran

Give that man a prize, the only difference between the 'Libnss winbind
Links' page and the 'Pam winbind Link' page is the title, they both
refer to setting up the libnss_winbind lib.

I will fix it, not sure how because the links should probably all be on
one page.

> 'pam-auth-update' and made sure to enable Winbind NT/Active Directory
> authentication. I did not manually edit pam config files. If I
> attempt to login with a domain account I get
>
> user1@DR210:/$ su domainuser
>
> Password:
>
> su: Authentication failure
>
>
> Any ideas? Thanks.
>
>
You need three extra links:

ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so.2
ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/x86_64-linux-gnu/security/pam_winbind.so

You also need a file /usr/share/pam-configs/winbind

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
        [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
        [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
        [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Password-Type: Primary
Password:
        [success=end default=ignore] pam_winbind.so use_authtok try_first_pass
Password-Initial:
        [success=end default=ignore] pam_winbind.so
Session-Type: Additional
Session:
        optional pam_winbind.so

You will also need to install libpam-krb5.

Finally check that the 'passwd' and 'group' lines in /etc/nsswitch.conf
have 'winbind' in them.

Rowland
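
The checklist in the reply above, as an added example that is not part of the original thread: a POSIX shell check that the 'passwd' and 'group' lines really list winbind (ignoring commented-out text) and that the three links resolve to real files rather than dangling. The function names are hypothetical; the paths to pass in are the ones from the message and assume the same x86_64 Debian-style layout.

```shell
#!/bin/sh
# Added example (not from the thread): verify the winbind/PAM prerequisites.

# nss_has_winbind FILE DB -> 0 if the DB line in FILE lists winbind as a source.
# Comments are stripped first, so "group: compat # winbind" does not count.
nss_has_winbind() {
    sed -e 's/#.*//' -e 's/:/: /' "$1" | awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# link_ok PATH -> 0 if PATH, after following symlinks, is a regular file.
# A symlink whose target was never installed fails this test.
link_ok() {
    [ -f "$1" ]
}

# check_winbind_pam NSSWITCH LIBDIR
# Prints one line per problem; the return status is the number of problems.
check_winbind_pam() {
    nss=$1
    libdir=$2
    problems=0
    for db in passwd group; do
        if ! nss_has_winbind "$nss" "$db"; then
            echo "MISSING: winbind not on '$db' line of $nss"
            problems=$((problems + 1))
        fi
    done
    for f in libnss_wins.so libnss_wins.so.2 security/pam_winbind.so; do
        if ! link_ok "$libdir/$f"; then
            echo "MISSING: $libdir/$f (absent or dangling symlink)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage with the paths from the message:
#   check_winbind_pam /etc/nsswitch.conf /lib/x86_64-linux-gnu
```

A status of 0 means every item in the checklist is in place; it does not test the PAM stack itself, so a failing `su` after a clean run points at the pam-configs profile or Kerberos rather than the links.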