Hi,
I've been working on integrating a Samba PDC, running 3.5.3, with an
existing LDAP + Kerberos backend.
After much research and testing I've gotten to the point where I can
join Windows clients to my domains, but I haven't yet managed to get
authentication via Samba to work. The goal is to have Windows clients
use our single sign-on as we do with the rest of our infrastructure.
I'm attempting to use winbind to pass authentication to our existing
Kerberos.
wbinfo -u and wbinfo -g work as expected, but wbinfo -a username%password
does not; instead I get:
plaintext password authentication failed
Could not authenticate user username%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
error messsage was: Invalid handle
Could not authenticate user username with challenge/response
(I get the same result whether I specify the domain in the command or not.)
I have attached my krb5.conf and smb.conf, and the level 10 log files
log.winbindd and log.wb-$DOMAIN of a failed wbinfo -a.
Even though I have been working on this for a few weeks, I think there
are still some big gaps in my understanding of how this stack of
technologies works together, so please excuse any glaring errors I have made.
I'm eager to know where I've gone wrong so please let me know what I
should be looking into and any other information I can provide.
Sounds like I could be experiencing this recently reported unconfirmed bug:
https://bugzilla.samba.org/show_bug.cgi?id=7481
Anyone else seen this?
All responses appreciated.
--
Cliff Flood
System Administrator
+1 416 673 4151
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = ORGANISATION.INFO
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    ORGANISATION.INFO = {
        kdc = ldapsandbox.organisation.com
        admin_server = kerberos.organisation.com
    }

[domain_realm]
    afilias.info = ORGANISATION.INFO
    .afilias.info = ORGANISATION.INFO

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
[2010/06/28 11:50:20.800514, 4] winbindd/winbindd_dual.c:1517(fork_domain_child)
child daemon request 13
[2010/06/28 11:50:20.800616, 10] winbindd/winbindd_dual.c:479(child_process_request)
child_process_request: request fn PAM_AUTH
[2010/06/28 11:50:20.800643, 3] winbindd/winbindd_pam.c:1468(winbindd_dual_pam_auth)
[21180]: dual pam auth username
[2010/06/28 11:50:20.800673, 10] winbindd/winbindd_pam.c:1513(winbindd_dual_pam_auth)
winbindd_dual_pam_auth: domain: SAMBALAB last was online
[2010/06/28 11:50:20.800700, 10] winbindd/winbindd_pam.c:1214(winbindd_dual_pam_auth_samlogon)
winbindd_dual_pam_auth_samlogon
[2010/06/28 11:50:20.800913, 3] winbindd/winbindd_pam.c:1308(winbindd_dual_pam_auth_samlogon)
could not open handle to NETLOGON pipe
[2010/06/28 11:50:20.800941, 10] winbindd/winbindd_pam.c:1578(winbindd_dual_pam_auth)
winbindd_dual_pam_auth_samlogon failed: NT_STATUS_INVALID_HANDLE
[2010/06/28 11:50:20.800971, 2] winbindd/winbindd_pam.c:1724(winbindd_dual_pam_auth)
Plain-text authentication for user username returned NT_STATUS_INVALID_HANDLE (PAM: 4)
[2010/06/28 11:50:20.801001, 4] winbindd/winbindd_dual.c:1525(fork_domain_child)
Finished processing child request 13
[2010/06/28 11:50:20.801027, 10] winbindd/winbindd_dual.c:1541(fork_domain_child)
Writing 3496 bytes to parent
[2010/06/28 11:50:20.803008, 4] winbindd/winbindd_dual.c:1517(fork_domain_child)
child daemon request 14
[2010/06/28 11:50:20.803040, 10] winbindd/winbindd_dual.c:479(child_process_request)
child_process_request: request fn AUTH_CRAP
[2010/06/28 11:50:20.803066, 3] winbindd/winbindd_pam.c:1841(winbindd_dual_pam_auth_crap)
[21180]: pam auth crap domain: SAMBALAB user: username
[2010/06/28 11:50:20.803096, 3] winbindd/winbindd_pam.c:1902(winbindd_dual_pam_auth_crap)
could not open handle to NETLOGON pipe (error: NT_STATUS_INVALID_HANDLE)
[2010/06/28 11:50:20.803129, 2] winbindd/winbindd_pam.c:2003(winbindd_dual_pam_auth_crap)
NTLM CRAP authentication for user [SAMBALAB]\[username] returned NT_STATUS_INVALID_HANDLE (PAM: 4)
[2010/06/28 11:50:20.803156, 4] winbindd/winbindd_dual.c:1525(fork_domain_child)
Finished processing child request 14
[2010/06/28 11:50:20.803181, 10] winbindd/winbindd_dual.c:1541(fork_domain_child)
Writing 3496 bytes to parent
[2010/06/28 11:48:45.112322, 6] winbindd/winbindd.c:768(new_connection)
accepted socket 19
[2010/06/28 11:48:45.112628, 10] winbindd/winbindd.c:620(process_request)
process_request: request fn INTERFACE_VERSION
[2010/06/28 11:48:45.112662, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
[21213]: request interface version
[2010/06/28 11:48:45.112727, 10] winbindd/winbindd.c:716(winbind_client_response_written)
winbind_client_response_written[21213:INTERFACE_VERSION]: deliverd response to client
[2010/06/28 11:48:45.112828, 10] winbindd/winbindd.c:620(process_request)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2010/06/28 11:48:45.112857, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[21213]: request location of privileged pipe
[2010/06/28 11:48:45.112930, 10] winbindd/winbindd.c:716(winbind_client_response_written)
winbind_client_response_written[21213:WINBINDD_PRIV_PIPE_DIR]: deliverd response to client
[2010/06/28 11:48:45.113075, 6] winbindd/winbindd.c:768(new_connection)
accepted socket 22
[2010/06/28 11:48:45.113150, 6] winbindd/winbindd.c:816(winbind_client_request_read)
closing socket 19, client exited
[2010/06/28 11:48:45.113238, 10] winbindd/winbindd.c:620(process_request)
process_request: request fn PAM_AUTH
[2010/06/28 11:48:45.113267, 3] winbindd/winbindd_pam.c:818(winbindd_pam_auth)
[21213]: pam auth username
[2010/06/28 11:48:45.113943, 10] winbindd/winbindd.c:716(winbind_client_response_written)
winbind_client_response_written[21213:PAM_AUTH]: deliverd response to client
[2010/06/28 11:48:45.114467, 10] winbindd/winbindd.c:620(process_request)
process_request: request fn INTERFACE_VERSION
[2010/06/28 11:48:45.114498, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
[21213]: request interface version
[2010/06/28 11:48:45.114544, 10] winbindd/winbindd.c:716(winbind_client_response_written)
winbind_client_response_written[21213:INTERFACE_VERSION]: deliverd response to client
[2010/06/28 11:48:45.114634, 10] winbindd/winbindd.c:620(process_request)
process_request: request fn INFO
[2010/06/28 11:48:45.114663, 3] winbindd/winbindd_misc.c:340(winbindd_info)
[21213]: request misc info
[2010/06/28 11:48:45.114709, 10] winbindd/winbindd.c:716(winbind_client_response_written)
winbind_client_response_written[21213:INFO]: deliverd response to client
[2010/06/28 11:48:45.114816, 10] winbindd/winbindd.c:620(process_request)
process_request: request fn NETBIOS_NAME
[2010/06/28 11:48:45.114851, 3] winbindd/winbindd_misc.c:373(winbindd_netbios_name)
[21213]: request netbios name
[2010/06/28 11:48:45.114896, 10] winbindd/winbindd.c:716(winbind_client_response_written)
winbind_client_response_written[21213:NETBIOS_NAME]: deliverd response to client
[2010/06/28 11:48:45.114991, 10] winbindd/winbindd.c:620(process_request)
process_request: request fn DOMAIN_NAME
[2010/06/28 11:48:45.115081, 3] winbindd/winbindd_misc.c:362(winbindd_domain_name)
[21213]: request domain name
[2010/06/28 11:48:45.115131, 10] winbindd/winbindd.c:716(winbind_client_response_written)
winbind_client_response_written[21213:DOMAIN_NAME]: deliverd response to client
[2010/06/28 11:48:45.115230, 10] winbindd/winbindd.c:620(process_request)
process_request: request fn DOMAIN_INFO
[2010/06/28 11:48:45.115258, 3] winbindd/winbindd_misc.c:244(winbindd_domain_info)
[21213]: domain_info [SAMBALAB]
[2010/06/28 11:48:45.115310, 10] winbindd/winbindd.c:716(winbind_client_response_written)
winbind_client_response_written[21213:DOMAIN_INFO]: deliverd response to client
[2010/06/28 11:48:45.115824, 10] winbindd/winbindd.c:620(process_request)
process_request: request fn AUTH_CRAP
[2010/06/28 11:48:45.115855, 3] winbindd/winbindd_pam.c:1770(winbindd_pam_auth_crap)
[21213]: pam auth crap domain: [SAMBALAB] user: username
[2010/06/28 11:48:45.116242, 10] winbindd/winbindd.c:716(winbind_client_response_written)
winbind_client_response_written[21213:AUTH_CRAP]: deliverd response to client
[2010/06/28 11:48:45.117701, 6] winbindd/winbindd.c:816(winbind_client_request_read)
closing socket 22, client exited
[global]
    debuglevel = 10
    unix charset = UTF8
    # passdb backend = smbpasswd
    passdb backend = ldapsam:ldap://ldapsandbox.organisation.com
    username map = /etc/samba/smbusers
    winbind separator = \
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    netbios name = sambalab-vm
    workgroup = SAMBALAB
    # realm = SAMBALAB
    # password server = kerberos.organisation.com
    # realm = kerberos.organisation.com
    realm = ORGANISATION.INFO
    server string = Samba %v on %L
    os level = 65
    preferred master = auto
    domain master = yes
    local master = yes
    security = user
    domain logons = yes
    wins support = yes
    add user script = /usr/sbin/smbldap-useradd -m '%u'
    delete user script = /usr/sbin/smbldap-userdel '%u'
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    # add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    ldap suffix = dc=organisation,dc=info
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    # ldap group suffix = ou=Groups
    ldap group suffix = ou=Group
    ldap idmap suffix = ou=Idmap
    ldap admin dn = uid=sambaadmin,ou=samba,ou=apps,dc=organisation,dc=info
    # idmap backend = ldap://ldapsandbox.organisation.com
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    logon path = \\%N\profiles\%U
    logon drive = H:
    logon home = \\homeserver\%U\winprofile
    logon script = logon.cmd

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700

[IPC$]
    path = /tmp
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
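An added triage helper for logs like the ones in the post above; it is not part of the original message and not Samba code. It parses winbindd level-10 records (including the e-mail-wrapped form in which the header and its file:line(function) land on separate lines) and, for each PAM_AUTH or AUTH_CRAP request, pairs the NT_STATUS that wbinfo reports with the first lower-level failure logged inside that request. Run over the child log quoted above it surfaces "could not open handle to NETLOGON pipe" as the line behind NT_STATUS_INVALID_HANDLE, which is the fact to chase rather than the generic status. The keyword list used to recognise a "cause" line is this author's assumption; the embedded sample is abridged from the post's log.wb-SAMBALAB excerpt.

```python
"""Triage a level-10 winbindd log: pair each PAM_AUTH / AUTH_CRAP request's NT_STATUS
with the first failure logged before it.  Added example, not Samba code."""
import re
from dataclasses import dataclass
from typing import List

# Samba debug header "[YYYY/MM/DD HH:MM:SS.usec, level] file.c:NNN(func)"; the location
# is optional because e-mail wrapping often moves it onto the next line.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), +(?P<level>\d+)\]"
    r"(?: +(?P<loc>\S+:\d+\(\w+\)))?$")
LOC_RE = re.compile(r"^\S+:\d+\(\w+\)$")
REQUEST_RE = re.compile(r"request fn (\w+)")
USER_RE = re.compile(r"pam auth(?: crap domain: \S+ user:)? (\S+)$")
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z0-9_]+)\b")
CAUSE_RE = re.compile(r"could not|unable to|failed|denied", re.I)  # assumed heuristic

@dataclass
class Record:
    ts: str
    level: int
    loc: str  # file:line(function)
    msg: str

@dataclass
class AuthFailure:
    request: str    # PAM_AUTH = plaintext, AUTH_CRAP = NTLM challenge/response
    user: str
    status: str     # NT_STATUS_* returned to the client (what wbinfo prints)
    cause: str      # first failure message logged inside that request
    cause_loc: str  # file:line(function) that logged it

def parse_winbind_log(text: str) -> List[Record]:
    """Group lines into records, tolerating a wrapped location and multi-line messages."""
    lines = [ln.strip() for ln in text.splitlines()]
    records: List[Record] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        i += 1
        if not m:
            continue  # stray text before the first header
        loc = m.group("loc") or ""
        if not loc and i < len(lines) and LOC_RE.match(lines[i]):
            loc, i = lines[i], i + 1
        parts: List[str] = []
        while i < len(lines) and not HEADER_RE.match(lines[i]):
            if lines[i]:
                parts.append(lines[i])
            i += 1
        records.append(Record(m.group("ts"), int(m.group("level")), loc, " ".join(parts)))
    return records

def triage_auth(records: List[Record]) -> List[AuthFailure]:
    """The 'returned NT_STATUS_...' line is what the client sees; the first level<=3
    failure before it in the same request is the line to chase."""
    failures: List[AuthFailure] = []
    current, user, cause = "", "", None
    for r in records:
        req = REQUEST_RE.search(r.msg)
        if req:
            current, user, cause = req.group(1), "", None
            continue
        if current not in ("PAM_AUTH", "AUTH_CRAP"):
            continue
        sm = STATUS_RE.search(r.msg)
        if sm and "returned" in r.msg:  # final verdict for this request
            if sm.group(1) != "NT_STATUS_OK":
                failures.append(AuthFailure(current, user, sm.group(1),
                                            cause.msg if cause else "", cause.loc if cause else ""))
            current = ""
            continue
        um = USER_RE.search(r.msg)
        if um:
            user = um.group(1)
        if cause is None and r.level <= 3 and CAUSE_RE.search(r.msg):
            cause = r
    return failures

# Abridged from the log.wb-SAMBALAB excerpt quoted in the post above; the first header
# and one "(PAM: 4)" tail are left in their e-mail-wrapped form on purpose.
SAMPLE_LOG = r"""
[2010/06/28 11:50:20.800616, 10]
winbindd/winbindd_dual.c:479(child_process_request)
child_process_request: request fn PAM_AUTH
[2010/06/28 11:50:20.800643, 3] winbindd/winbindd_pam.c:1468(winbindd_dual_pam_auth)
[21180]: dual pam auth username
[2010/06/28 11:50:20.800913, 3] winbindd/winbindd_pam.c:1308(winbindd_dual_pam_auth_samlogon)
could not open handle to NETLOGON pipe
[2010/06/28 11:50:20.800971, 2] winbindd/winbindd_pam.c:1724(winbindd_dual_pam_auth)
Plain-text authentication for user username returned NT_STATUS_INVALID_HANDLE
(PAM: 4)
[2010/06/28 11:50:20.803040, 10] winbindd/winbindd_dual.c:479(child_process_request)
child_process_request: request fn AUTH_CRAP
[2010/06/28 11:50:20.803066, 3] winbindd/winbindd_pam.c:1841(winbindd_dual_pam_auth_crap)
[21180]: pam auth crap domain: SAMBALAB user: username
[2010/06/28 11:50:20.803096, 3] winbindd/winbindd_pam.c:1902(winbindd_dual_pam_auth_crap)
could not open handle to NETLOGON pipe (error: NT_STATUS_INVALID_HANDLE)
[2010/06/28 11:50:20.803129, 2] winbindd/winbindd_pam.c:2003(winbindd_dual_pam_auth_crap)
NTLM CRAP authentication for user [SAMBALAB]\[username] returned NT_STATUS_INVALID_HANDLE (PAM: 4)
"""

if __name__ == "__main__":
    for f in triage_auth(parse_winbind_log(SAMPLE_LOG)):
        print(f"{f.request:9} {f.user}: {f.status} <- {f.cause} [{f.cause_loc}]")
```

Point it at a real log.wb-DOMAIN file (read the file into `parse_winbind_log`) after reproducing the failure with `wbinfo -a` at `log level = 10`; the parent log.winbindd only records that a PAM_AUTH / AUTH_CRAP request was dispatched and answered, so the cause line is only ever in the domain child's log.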