On Wed, Oct 20, 2010 at 12:46 PM, Andrew Lyon <[email protected]> wrote:
> Hi,
>
> I've set up Samba 3.5.6 as a member server in a 2003R2 domain with a single DC. ID mapping is by rfc2307 with a tdb backend for builtin accounts etc. I can list users and groups using wbinfo, and I can create shares and access them from the Windows server; files and folders owned by AD users show the correct user and group names, so mapping appears to be working. I can su to AD accounts but I am unable to ssh into the system as an AD user.
>
> Relevant config files:
>
> cat /etc/samba/smb.conf
>
> [global]
> debug hires timestamp = yes
> workgroup = SAMBATEST
> security = ADS
> winbind use default domain = true
> realm = SAMBATEST.LOCAL
> server string = Samba file and print server
> log level = 3
> max log size = 4192
> printcap name = cups
> idmap config SAMBATEST : backend = ad
> idmap config SAMBATEST : range = 10000-10020
> idmap config SAMBATEST : schema_mode = rfc2307
> idmap config SAMBATEST : default = yes
> idmap backend = tdb
> idmap uid = 10100-10110
> idmap gid = 10100-10110
> winbind separator = +
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind refresh tickets = Yes
> winbind normalize names = Yes
> winbind nested groups = Yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> password server = w2k3r2svr.sambatest.local
> template shell = /bin/bash
>
> [homes]
> comment = Home Directories
> read only = No
>
> [printers]
> comment = All Printers
> guest ok = Yes
> printable = Yes
> browseable = No
> available = No
>
> cat /etc/pam.d/sshd
> auth include system-remote-login
> account include system-remote-login
> password include system-remote-login
> session include system-remote-login
>
> cat /etc/pam.d/system-remote-login
> auth include system-login
> account include system-login
> password include system-login
> session include system-login
>
> cat /etc/pam.d/system-login
> auth required pam_tally.so onerr=succeed
> auth required pam_shells.so
> auth required pam_nologin.so
> auth include system-auth
>
> account required pam_access.so
> account required pam_nologin.so
> account include system-auth
> account required pam_tally.so onerr=succeed
>
> password include system-auth
>
> session required pam_env.so
> session optional pam_lastlog.so
> session include system-auth
> session optional pam_ck_connector.so nox11
> session optional pam_motd.so motd=/etc/motd
> session optional pam_mail.so
>
> file /etc/pam.d/system-auth
> /etc/pam.d/system-auth: symbolic link to `system-auth-winbind'
>
> cat /etc/pam.d/system-auth-winbind
> #%PAM-1.0
> # $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/3.5/system-auth-winbind.pam,v 1.1 2010/03/01 16:19:54 patrick Exp $
>
> auth required pam_env.so
> auth sufficient pam_winbind.so
> auth sufficient pam_unix.so likeauth nullok use_first_pass
> auth required pam_deny.so
>
> account sufficient pam_winbind.so
> account sufficient pam_unix.so
>
> password required pam_cracklib.so retry=3
> password sufficient pam_unix.so nullok use_authtok md5 shadow
> password required pam_deny.so
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_limits.so
> session sufficient pam_unix.so
>
> Trust is ok:
>
> wbinfo -t
> checking the trust secret for domain SAMBATEST via RPC calls succeeded
>
> I can authenticate the user using Kerberos:
>
> kinit testuser
> Password for [email protected]:
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 10/20/10 12:28:11  10/20/10 19:08:11  krbtgt/[email protected]
>
> And with wbinfo:
>
> wbinfo -a testuser%abcABC123
> plaintext password authentication failed
> Could not authenticate user testuser%abcABC123 with plaintext password
> challenge/response password authentication succeeded
>
> When authenticating with wbinfo the following events are logged to log.winbindd:
>
> [2010/10/20 12:39:25.902284, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 2329]: request interface version
> [2010/10/20 12:39:25.902435, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [ 2329]: request location of privileged pipe
> [2010/10/20 12:39:25.902626, 3] winbindd/winbindd_pam.c:818(winbindd_pam_auth)
>   [ 2329]: pam auth testuser
> [2010/10/20 12:39:25.911435, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 2329]: request interface version
> [2010/10/20 12:39:25.911533, 3] winbindd/winbindd_misc.c:340(winbindd_info)
>   [ 2329]: request misc info
> [2010/10/20 12:39:25.911628, 3] winbindd/winbindd_misc.c:373(winbindd_netbios_name)
>   [ 2329]: request netbios name
> [2010/10/20 12:39:25.911724, 3] winbindd/winbindd_misc.c:362(winbindd_domain_name)
>   [ 2329]: request domain name
> [2010/10/20 12:39:25.911816, 3] winbindd/winbindd_misc.c:244(winbindd_domain_info)
>   [ 2329]: domain_info [SAMBATEST]
> [2010/10/20 12:39:25.912161, 3] winbindd/winbindd_pam.c:1768(winbindd_pam_auth_crap)
>   [ 2329]: pam auth crap domain: [SAMBATEST] user: testuser
>
> But when I try to ssh into the Samba server as testuser the authentication fails; the winbindd log entries are:
>
> [2010/10/20 12:41:39.712313, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:41.208210, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 6462]: request interface version
> [2010/10/20 12:41:41.208378, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [ 6462]: request location of privileged pipe
> [2010/10/20 12:41:41.208596, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:41.209050, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:55.790569, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 6889]: request interface version
> [2010/10/20 12:41:55.790795, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [ 6889]: request location of privileged pipe
> [2010/10/20 12:41:55.791038, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:55.795625, 3] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
>   getgroups testuser
> [2010/10/20 12:41:55.798148, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 6891]: request interface version
> [2010/10/20 12:41:55.798304, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [ 6891]: request location of privileged pipe
> [2010/10/20 12:41:55.798580, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:55.799019, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:57.789992, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 6891]: request interface version
> [2010/10/20 12:41:57.790115, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [ 6891]: request location of privileged pipe
> [2010/10/20 12:41:57.790277, 3] winbindd/winbindd_pam.c:818(winbindd_pam_auth)
>   [ 6891]: pam auth testuser
> [2010/10/20 12:41:57.807080, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:59.716477, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [ 7019]: request interface version
> [2010/10/20 12:41:59.716632, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [ 7019]: request location of privileged pipe
> [2010/10/20 12:41:59.716828, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
> [2010/10/20 12:41:59.717221, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam testuser
>
> log.wb-SAMBATEST (the name of the Windows DC) logs the following errors:
>
> [2010/10/20 12:43:15.749729, 3] winbindd/winbindd_pam.c:1466(winbindd_dual_pam_auth)
>   [ 2769]: dual pam auth SAMBATEST+testuser
> [2010/10/20 12:43:15.750852, 2] winbindd/winbindd_pam.c:1722(winbindd_dual_pam_auth)
>   Plain-text authentication for user SAMBATEST\testuser returned NT_STATUS_NO_SUCH_USER (PAM: 10)
>
> I've tried using ssh -l testuser and ssh -l SAMBATEST+testuser; it makes no difference to the result or the log entries.
>
> getent passwd/group returns only local users, perhaps a clue as to what is wrong?
>
> Any suggestions would be appreciated. I've been trying to get this working for quite a while but I seem to have hit a wall.
>
> Andy
Typical: try to fix something for 2 days, and a few minutes after posting the problem I figured it out. It appears that "winbind separator = +" causes PAM authentication to fail; after commenting out that line I can log in using ssh.

Looks like I'm not the only person to hit this problem: http://www.linuxquestions.org/questions/linux-server-73/getting-pam-working-with-samba-with-active-directory-authentication-639165/ . Perhaps it is a bug after all? winbind should know what separator is being used, shouldn't it?

Andy
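A configuration check written for this thread (an added example, not the poster's or the Samba project's code): it parses an smb.conf and nsswitch.conf constructed to mirror the settings quoted above and flags the non-default winbind separator Andy identified, plus two related things worth verifying before trusting winbind for logins: overlapping idmap ranges, and a missing winbind source in nsswitch.conf, which would explain getent returning only local users.

```python
import re

# Constructed inputs that mirror the settings quoted in the post (not the poster's files verbatim).
SMB_CONF = """
[global]
idmap config SAMBATEST : backend = ad
idmap config SAMBATEST : range = 10000-10020
idmap backend = tdb
idmap uid = 10100-10110
idmap gid = 10100-10110
winbind separator = +
"""
NSSWITCH = "passwd: compat\ngroup:  compat\nhosts: files dns\n"  # constructed, no winbind source

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; keys are lower-cased with whitespace squeezed."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[" ".join(key.split()).lower()] = val.strip()
    return sections

def lint_winbind(smb_text, nss_text):
    """Return findings that explain login/getent symptoms like those in the thread."""
    g = parse_smb_conf(smb_text).get("global", {})
    findings = []
    sep = g.get("winbind separator", "\\")  # Samba's default separator is a backslash
    if sep != "\\":
        findings.append(f"winbind separator is {sep!r}: the thread found this broke PAM logins")
    # The per-domain 'idmap config X : range' must not overlap the default backend's uid/gid ranges.
    def rng(v): return tuple(int(x) for x in v.split("-"))
    default = [(k, rng(g[k])) for k in ("idmap uid", "idmap gid") if k in g]
    for kd, v in g.items():
        if re.fullmatch(r"idmap config .+:\s*range", kd):
            dlo, dhi = rng(v)
            for ke, (elo, ehi) in default:
                if dlo <= ehi and elo <= dhi:
                    findings.append(f"{kd} overlaps {ke}: two SIDs could map to one uid/gid")
    # getent passwd/group only returns domain accounts when nsswitch.conf lists winbind.
    nss = {db.strip(): srcs.split() for db, _, srcs in
           (ln.partition(":") for ln in nss_text.splitlines() if ":" in ln and not ln.startswith("#"))}
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch.conf {db} lacks winbind: getent {db} shows only local accounts")
    return findings
```

Run `lint_winbind(SMB_CONF, NSSWITCH)` to see the three findings for the constructed inputs; the idmap ranges in the post (10000-10020 versus 10100-10110) do not overlap and produce none.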
