Hi,

I've set up Samba 3.5.6 as a member server in a 2003R2 domain with a single DC. Idmapping is by rfc2307 with a tdb backend for builtin accounts etc. I can list users and groups using wbinfo, and I can create shares and access them from the Windows server. Files and folders owned by AD users show the correct user and group names, so mapping appears to be working. I can su to AD accounts, but I am unable to ssh into the system as an AD user.

Relevant config files:

cat /etc/samba/smb.conf
[global]
    debug hires timestamp = yes
    workgroup = SAMBATEST
    security = ADS
    winbind use default domain = true
    realm = SAMBATEST.LOCAL
    server string = Samba file and print server
    log level = 3
    max log size = 4192
    printcap name = cups
    idmap config SAMBATEST : backend = ad
    idmap config SAMBATEST : range = 10000-10020
    idmap config SAMBATEST : schema_mode = rfc2307
    idmap config SAMBATEST : default = yes
    idmap backend = tdb
    idmap uid = 10100-10110
    idmap gid = 10100-10110
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind refresh tickets = Yes
    winbind normalize names = Yes
    winbind nested groups = Yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    password server = w2k3r2svr.sambatest.local
    template shell = /bin/bash

[homes]
    comment = Home Directories
    read only = No

[printers]
    comment = All Printers
    guest ok = Yes
    printable = Yes
    browseable = No
    available = No

cat /etc/pam.d/sshd
auth       include   system-remote-login
account    include   system-remote-login
password   include   system-remote-login
session    include   system-remote-login

cat /etc/pam.d/system-remote-login
auth       include   system-login
account    include   system-login
password   include   system-login
session    include   system-login

cat /etc/pam.d/system-login
auth       required  pam_tally.so onerr=succeed
auth       required  pam_shells.so
auth       required  pam_nologin.so
auth       include   system-auth
account    required  pam_access.so
account    required  pam_nologin.so
account    include   system-auth
account    required  pam_tally.so onerr=succeed
password   include   system-auth
session    required  pam_env.so
session    optional  pam_lastlog.so
session    include   system-auth
session    optional  pam_ck_connector.so nox11
session    optional  pam_motd.so motd=/etc/motd
session    optional  pam_mail.so

file /etc/pam.d/system-auth
/etc/pam.d/system-auth: symbolic link to `system-auth-winbind'

cat /etc/pam.d/system-auth-winbind
#%PAM-1.0
# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/3.5/system-auth-winbind.pam,v 1.1 2010/03/01 16:19:54 patrick Exp $
auth       required    pam_env.so
auth       sufficient  pam_winbind.so
auth       sufficient  pam_unix.so likeauth nullok use_first_pass
auth       required    pam_deny.so
account    sufficient  pam_winbind.so
account    sufficient  pam_unix.so
password   required    pam_cracklib.so retry=3
password   sufficient  pam_unix.so nullok use_authtok md5 shadow
password   required    pam_deny.so
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required    pam_limits.so
session    sufficient  pam_unix.so

Trust is ok:

wbinfo -t
checking the trust secret for domain SAMBATEST via RPC calls succeeded

I can authenticate the user using Kerberos:

kinit testuser
Password for testu...@sambatest.local:

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testu...@sambatest.local

Valid starting     Expires            Service principal
10/20/10 12:28:11  10/20/10 19:08:11  krbtgt/sambatest.lo...@sambatest.local

And with wbinfo:

wbinfo -a testuser%abcABC123
plaintext password authentication failed
Could not authenticate user testuser%abcABC123 with plaintext password
challenge/response password authentication succeeded

When authenticating with wbinfo the following events are logged to log.winbindd:

[2010/10/20 12:39:25.902284, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 2329]: request interface version
[2010/10/20 12:39:25.902435, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [ 2329]: request location of privileged pipe
[2010/10/20 12:39:25.902626, 3] winbindd/winbindd_pam.c:818(winbindd_pam_auth)
  [ 2329]: pam auth testuser
[2010/10/20 12:39:25.911435, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 2329]: request interface version
[2010/10/20 12:39:25.911533, 3] winbindd/winbindd_misc.c:340(winbindd_info)
  [ 2329]: request misc info
[2010/10/20 12:39:25.911628, 3] winbindd/winbindd_misc.c:373(winbindd_netbios_name)
  [ 2329]: request netbios name
[2010/10/20 12:39:25.911724, 3] winbindd/winbindd_misc.c:362(winbindd_domain_name)
  [ 2329]: request domain name
[2010/10/20 12:39:25.911816, 3] winbindd/winbindd_misc.c:244(winbindd_domain_info)
  [ 2329]: domain_info [SAMBATEST]
[2010/10/20 12:39:25.912161, 3] winbindd/winbindd_pam.c:1768(winbindd_pam_auth_crap)
  [ 2329]: pam auth crap domain: [SAMBATEST] user: testuser

But when I try to ssh into the samba server as testuser the authentication fails. The winbindd log entries are:

[2010/10/20 12:41:39.712313, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam testuser
[2010/10/20 12:41:41.208210, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 6462]: request interface version
[2010/10/20 12:41:41.208378, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [ 6462]: request location of privileged pipe
[2010/10/20 12:41:41.208596, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam testuser
[2010/10/20 12:41:41.209050, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam testuser
[2010/10/20 12:41:55.790569, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 6889]: request interface version
[2010/10/20 12:41:55.790795, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [ 6889]: request location of privileged pipe
[2010/10/20 12:41:55.791038, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam testuser
[2010/10/20 12:41:55.795625, 3] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups testuser
[2010/10/20 12:41:55.798148, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 6891]: request interface version
[2010/10/20 12:41:55.798304, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [ 6891]: request location of privileged pipe
[2010/10/20 12:41:55.798580, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam testuser
[2010/10/20 12:41:55.799019, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam testuser
[2010/10/20 12:41:57.789992, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 6891]: request interface version
[2010/10/20 12:41:57.790115, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [ 6891]: request location of privileged pipe
[2010/10/20 12:41:57.790277, 3] winbindd/winbindd_pam.c:818(winbindd_pam_auth)
  [ 6891]: pam auth testuser
[2010/10/20 12:41:57.807080, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam testuser
[2010/10/20 12:41:59.716477, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 7019]: request interface version
[2010/10/20 12:41:59.716632, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [ 7019]: request location of privileged pipe
[2010/10/20 12:41:59.716828, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam testuser
[2010/10/20 12:41:59.717221, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam testuser

log.wb-SAMBATEST (the name of the Windows DC) logs the following errors:

[2010/10/20 12:43:15.749729, 3] winbindd/winbindd_pam.c:1466(winbindd_dual_pam_auth)
  [ 2769]: dual pam auth SAMBATEST+testuser
[2010/10/20 12:43:15.750852, 2] winbindd/winbindd_pam.c:1722(winbindd_dual_pam_auth)
  Plain-text authentication for user SAMBATEST\testuser returned NT_STATUS_NO_SUCH_USER (PAM: 10)

I've tried using ssh -l testuser and ssh -l SAMBATEST+testuser; it makes no difference to the result or the log entries.

getent passwd/group returns only local users, perhaps a clue as to what is wrong?

Any suggestions would be appreciated. I've been trying to get this working for quite a while but I seem to have hit a wall.

Andy
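
An added example, not part of the original post: a small parser for the two-line winbindd log entries quoted above (header line, then an indented message line) that pulls out each failed authentication and its NT_STATUS code. The sample entries are constructed from the excerpts in the post, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample, shaped like the log.winbindd / log.wb-SAMBATEST
# excerpts in the post: one header line, then an indented message line.
SAMPLE = r"""[2010/10/20 12:41:57.790277,  3] winbindd/winbindd_pam.c:818(winbindd_pam_auth)
  [ 6891]: pam auth testuser
[2010/10/20 12:41:57.807080,  3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam testuser
[2010/10/20 12:43:15.749729,  3] winbindd/winbindd_pam.c:1466(winbindd_dual_pam_auth)
  [ 2769]: dual pam auth SAMBATEST+testuser
[2010/10/20 12:43:15.750852,  2] winbindd/winbindd_pam.c:1722(winbindd_dual_pam_auth)
  Plain-text authentication for user SAMBATEST\testuser returned NT_STATUS_NO_SUCH_USER (PAM: 10)
"""

HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
PID = re.compile(r"^\[\s*(\d+)\]:\s*(.*)$")          # optional "[ pid]:" prefix
FAILURE = re.compile(r"user (?P<user>\S+) returned (?P<status>NT_STATUS_\w+)")

def parse(text):
    """Yield one dict per log entry; message lines are joined into 'msg'."""
    entry = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if entry:
                yield entry
            entry = dict(m.groupdict(), level=int(m["level"]), pid=None, msg="")
        elif entry is not None and raw.strip():
            body = raw.strip()
            p = PID.match(body)
            if p and entry["pid"] is None:
                entry["pid"], body = int(p.group(1)), p.group(2)
            entry["msg"] = (entry["msg"] + " " + body).strip()
    if entry:
        yield entry

def auth_failures(entries):
    """Return (timestamp, user, status) for each non-OK authentication result."""
    hits = ((e, FAILURE.search(e["msg"])) for e in entries)
    return [(e["ts"], m["user"], m["status"]) for e, m in hits
            if m and m["status"] != "NT_STATUS_OK"]

def requests_by_function(entries):
    """Count entries per winbindd function, e.g. getpwnam vs. pam auth calls."""
    return Counter(e["func"] for e in entries)
```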