Pisch Tamás
2018-Aug-24 06:33 UTC
[Samba] login a Linux client to a Samba NT4 style domain
Hi,

I would like to do what I mentioned in the subject on an Ubuntu 18.04. I tried it with the following steps:
https://lists.samba.org/archive/samba/2011-March/161372.html

My files on the client:

smb.conf

[global]
;Workstation Settings
workgroup = PM
netbios name = DS1223
server string = %h
security = domain
idmap backend = tdb
idmap uid = 15000-20000
idmap gid = 15000-20000
wins server = 1.2.3.4
winbind use default domain = yes
winbind enum groups = yes
winbind enum users = yes
password server = 1.2.3.4
template shell = /bin/bash
template homedir = /home/%D/%U
;Logging
log level = 2
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

common-account:

account [success=2 default=ignore] pam_winbind.so
account [success=1 default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

common-auth:

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so
auth required pam_permit.so

common-password:

# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_mount.so disable_interactive
password optional pam_gnome_keyring.so
# end of pam-auth-update config

common-session:

session required pam_unix.so nullok_secure
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session optional pam_mount.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_ck_connector.so nox11

pam_mount.conf.xml:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0" />
<volume options="user=%(DOMAIN_USER),domain=PM" fstype="cifs" server="srv3" path="Diak" mountpoint="/home/PM/%(DOMAIN_USER)/Diak"></volume>
<volume options="user=%(DOMAIN_USER),domain=PM" fstype="cifs" server="srv3" path="%(DOMAIN_USER)" mountpoint="/home/PM/%(DOMAIN_USER)/H"></volume>
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
<logout wait="0" hup="0" term="0" kill="0" />
<mkmountpoint enable="1" remove="true" />
</pam_mount>

net join runs correctly, but after reboot, I can log in only with the local account.

Portion from the auth.log:

Aug 23 14:06:01 localhost lightdm: pam_unix(lightdm:auth): check pass; user unknown
Aug 23 14:06:01 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Aug 23 14:06:01 localhost lightdm: pam_winbind(lightdm:auth): getting password (0x00000010)
Aug 23 14:06:01 localhost lightdm: pam_winbind(lightdm:auth): pam_get_item returned a password
Aug 23 14:06:01 localhost lightdm: pam_winbind(lightdm:auth): user 'torolni' granted access
Aug 23 14:06:01 localhost lightdm: gkr-pam: error looking up user information
Aug 23 14:06:01 localhost lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(torolni))
Aug 23 14:06:01 localhost lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Aug 23 14:06:01 localhost lightdm: PAM adding faulty module: pam_kwallet.so
Aug 23 14:06:01 localhost lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Aug 23 14:06:01 localhost lightdm: PAM adding faulty module: pam_kwallet5.so
Aug 23 14:52:29 localhost login[1371]: pam_unix(login:auth): check pass; user unknown
Aug 23 14:52:29 localhost login[1371]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Aug 23 14:52:29 localhost login[1371]: pam_winbind(login:auth): getting password (0x00000010)
Aug 23 14:52:29 localhost login[1371]: pam_winbind(login:auth): pam_get_item returned a password
Aug 23 14:52:29 localhost login[1371]: pam_winbind(login:auth): user 'torolni' granted access
Aug 23 14:52:29 localhost login[1371]: pam_unix(login:account): could not identify user (from getpwnam(torolni))
Aug 23 14:52:29 localhost login[1371]: Authentication failure

Best regards,

Tamas.
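The PAM control flow behind that auth.log excerpt, as an added example that is not part of the original post: a small simulator of the [success=N default=ignore] jump semantics described in pam.d(5), run over the common-auth and common-account stacks quoted in the message. The per-module results are a constructed mapping inferred from the log lines, not a real PAM trace.

```python
import re
# Constructed copies of the common-auth and common-account stacks from the post.
COMMON_AUTH = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so
auth required pam_permit.so"""
COMMON_ACCOUNT = """
account [success=2 default=ignore] pam_winbind.so
account [success=1 default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so"""
# The classic control keywords, written in the [value=action] form of pam.d(5).
KEYWORD = {"required": "success=ok default=bad", "requisite": "success=ok default=die",
           "sufficient": "success=done default=ignore", "optional": "success=ok default=ignore"}
LINE_RE = re.compile(r"^\w+\s+(\[[^\]]+\]|\w+)\s+(\S+)")
def parse_stack(text):
    """Return [(module, {"success": action, "default": action})] for one stack."""
    stack = []
    for line in text.strip().splitlines():
        control, module = LINE_RE.match(line).groups()
        spec = control[1:-1] if control.startswith("[") else KEYWORD[control]
        stack.append((module, dict(kv.split("=") for kv in spec.split())))
    return stack

def run_stack(stack, results):
    """Walk one stack as libpam does; results maps module -> "success" or "fail"."""
    verdict, i = None, 0
    while i < len(stack):
        module, actions = stack[i]
        res = results.get(module, "fail")            # unlisted modules fail
        action = actions["success"] if res == "success" else actions.get("default", "bad")
        # A numeric action is 'ok' plus a jump over the next N entries of the stack.
        jump, action = (int(action), "ok") if action.isdigit() else (0, action)
        if action in ("ok", "done"):
            verdict = "fail" if verdict == "fail" else res   # an earlier failure sticks
        elif action in ("bad", "die"):
            verdict = "fail"
        if action in ("done", "die"):                   # both end the walk at once
            break
        i += 1 + jump
    return verdict or "fail"                            # nothing but "ignore" = denied
def observed_outcome():
    """Per-module results read off the poster's auth.log (a constructed mapping).
    pam_winbind's account entry cannot have returned success there, or its
    success=2 jump would have skipped the pam_unix line that logged the error."""
    auth = {"pam_unix.so": "fail", "pam_winbind.so": "success", "pam_mount.so": "success", "pam_permit.so": "success"}
    account = {"pam_winbind.so": "fail", "pam_unix.so": "fail", "pam_permit.so": "success"}
    return run_stack(parse_stack(COMMON_AUTH), auth), run_stack(parse_stack(COMMON_ACCOUNT), account)
```

observed_outcome() returns ("success", "fail"): the password is accepted by pam_winbind in the auth phase, while the account phase ends at pam_deny because neither pam_winbind nor pam_unix could resolve the user.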
Rowland Penny
2018-Aug-24 07:39 UTC
[Samba] login a Linux client to a Samba NT4 style domain
On Fri, 24 Aug 2018 08:33:59 +0200
Pisch Tamás via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I would like to do what I mentioned in the subject on an Ubuntu 18.04. I tried it with the following steps:
> https://lists.samba.org/archive/samba/2011-March/161372.html
>
> My files on the client:
> smb.conf
> [global]
> ;Workstation Settings
> workgroup = PM
> netbios name = DS1223
> server string = %h
> security = domain
> idmap backend = tdb
> idmap uid = 15000-20000
> idmap gid = 15000-20000
> wins server = 1.2.3.4
> winbind use default domain = yes
> winbind enum groups = yes
> winbind enum users = yes
> password server = 1.2.3.4
> template shell = /bin/bash
> template homedir = /home/%D/%U
> ;Logging
> log level = 2
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
>
> common-account:
>
> account [success=2 default=ignore] pam_winbind.so
> account [success=1 default=ignore] pam_unix.so
> account requisite pam_deny.so
> account required pam_permit.so
>
> common-auth:
>
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_winbind.so use_first_pass
> auth requisite pam_deny.so
> auth optional pam_mount.so
> auth required pam_permit.so
>
> common-password:
>
> # here are the per-package modules (the "Primary" block)
> password [success=1 default=ignore] pam_unix.so obscure sha512
> # here's the fallback if no module succeeds
> password requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> password required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> password optional pam_mount.so disable_interactive
> password optional pam_gnome_keyring.so
> # end of pam-auth-update config
>
> common-session:
>
> session required pam_unix.so nullok_secure
> session required pam_mkhomedir.so skel=/etc/skel umask=0022
> session optional pam_mount.so
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session optional pam_ck_connector.so nox11
>
> pam_mount.conf.xml:
> <?xml version="1.0" encoding="utf-8" ?>
> <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
> <pam_mount>
> <debug enable="0" />
> <volume options="user=%(DOMAIN_USER),domain=PM" fstype="cifs" server="srv3" path="Diak" mountpoint="/home/PM/%(DOMAIN_USER)/Diak"></volume>
> <volume options="user=%(DOMAIN_USER),domain=PM" fstype="cifs" server="srv3" path="%(DOMAIN_USER)" mountpoint="/home/PM/%(DOMAIN_USER)/H"></volume>
> <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
> <logout wait="0" hup="0" term="0" kill="0" />
> <mkmountpoint enable="1" remove="true" />
> </pam_mount>
>
> net join runs correctly, but after reboot, I can log in only with the local account.
> Portion from the auth.log:
> Aug 23 14:06:01 localhost lightdm: pam_unix(lightdm:auth): check pass; user unknown
> Aug 23 14:06:01 localhost lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
> Aug 23 14:06:01 localhost lightdm: pam_winbind(lightdm:auth): getting password (0x00000010)
> Aug 23 14:06:01 localhost lightdm: pam_winbind(lightdm:auth): pam_get_item returned a password
> Aug 23 14:06:01 localhost lightdm: pam_winbind(lightdm:auth): user 'torolni' granted access
> Aug 23 14:06:01 localhost lightdm: gkr-pam: error looking up user information
> Aug 23 14:06:01 localhost lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(torolni))
> Aug 23 14:06:01 localhost lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
> Aug 23 14:06:01 localhost lightdm: PAM adding faulty module: pam_kwallet.so
> Aug 23 14:06:01 localhost lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
> Aug 23 14:06:01 localhost lightdm: PAM adding faulty module: pam_kwallet5.so
> Aug 23 14:52:29 localhost login[1371]: pam_unix(login:auth): check pass; user unknown
> Aug 23 14:52:29 localhost login[1371]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
> Aug 23 14:52:29 localhost login[1371]: pam_winbind(login:auth): getting password (0x00000010)
> Aug 23 14:52:29 localhost login[1371]: pam_winbind(login:auth): pam_get_item returned a password
> Aug 23 14:52:29 localhost login[1371]: pam_winbind(login:auth): user 'torolni' granted access
> Aug 23 14:52:29 localhost login[1371]: pam_unix(login:account): could not identify user (from getpwnam(torolni))
> Aug 23 14:52:29 localhost login[1371]: Authentication failure
>
> Best regards,
>
> Tamas.

I recently set up a test PDC (which worked okay) and then set up a test Unix client and joined it to the test PDC, this again joined okay. From there on it was just downhill, no matter what settings I tried in smb.conf on the Unix client, I couldn't get it to work. Testing the join with 'net' said the join was okay, but wbinfo claimed it couldn't find the PDC.

I spent a day trying to get it to work and finally gave up. My gut feeling is that something got changed in the work to get AD working better and now Unix nt4-style clients don't work any more. I have no idea why they don't work and have no real compunction to try and find out why, mainly because Microsoft seems to be trying to remove all traces of nt4-style domain code from their OS.

All I can suggest is that you upgrade to AD, this definitely works ;-)

Rowland