On 06/26/2011 7:14 PM, Moe, John wrote:
-----Original Message-----
From: Linda Walsh [mailto:[email protected]]
Sent: Saturday, 25 June 2011 8:02 PM
To: Moe, John
Cc: Samba mailing list
Subject: Re: Problem getting Samba fully working
Moe, John wrote:
Hello all,
Relevant info up front: Gentoo PC, using 2.6.38 kernel and Samba
3.4.12.
I'm trying to get a FreeRadius instance working for our Windows
network.
To do so, I need a Linux box running Samba. I've installed and
configured Kerberos, Samba and FreeRadius, and can get most things
to
work. I can get a Kerberos key using kinit, and "sudo net ads
keytab
list" shows me tickets. I can use things like "net ads user myuser
-
U
myuser" to get info about my user account. I can use "sudo wbinfo -
t"
to show the secret trust is OK, and "sudo net ads testjoin" works as
well. I can even log on to my switch using RADIUS authentication to
my
AD account (using ntlm_auth). So a lot of the pieces are working
correctly.
[2011/06/21 07:12:21, 1]
rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
cli_pipe_validate_current_pdu: RPC fault code
DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
----
I am not sure the above messages are from your
ssh... And I know nothing about configuration with Free Radius or
Kerberos, so your problems may be completely different from ones
I've had but...
I take it you are running ssh on the Win7 workstation and trying to
login to the linux samba server.
if your username in the domain is 'user' (i.e. you are 'domain\user'),
and your linux account is 'user',
then on the ssh line, you might try
'ssh user@linux-server' instead of the "normal" 'ssh linux-server'
If that works, then your 'sshd' server on your linux server
is probably receiving 'domain\user' as the username, (not just 'user')
and doesn't know what to do with that.
Theoretically should be resolvable via proper pam and config files
(all the file ops map my 'domain\user' => 'user' on the PDC), but,
a _*hack*_ I use (but would find a better solution in a production
environment) is to create a 2nd /etc/passwd& /etc/shadow entry
that dups my 'user' but has the username field changed to
'DOMAIN\user'.
(getting the capitalization to agree with what the workstation think's
it is, is important in this case; upper case is norm, so unless you've
customized things in the win registry, shouldn't be a prob (not that I
would have any knowledge of this, of course...)....
But I'd try to get 'winbind' config'ed with pam to map the username
properly for a best fix (on my 'todo list') ... just hasn't
been that important ...
Best short term:
specify the username with the hostname when using the 'ssh' (or scp,
i.e. 'scp file user@remote:/tmp' ) ...
In any event, using kerberos/freeradius, there should be some way
to make sure that a 'domain\user' is mapped to 'user' on a PDC...
Or it might be the 'ssh' client that "shouldn't" be prepending the
windows domainname.... not sure.
But hopefully gives you some ideas where to look...
Thanks for the reply. Maybe I haven't made myself clear in the first
post. I'm not asking for any help relating to FreeRadius; I just want
to get basic Samba working properly. Share browsing via guest access
works, and I get a number of other successes from other tests, but I
can't seem to get login using AD username working, neither locally nor
via SSH.
To get integration with a native Windows 2003 AD domain, I was to
understand I needed Kerberos; was that wrong? Maybe I've complicated
things a bit here.
As to the login problem: I'm using OpenSSH on Cygwin on my Win7 PC, and
it doesn't matter if I try:
ssh servername
ssh user@servername
ssh domain\user@servername
ssh '[email protected]'@servername
They all return the same things in /var/log/messages:
Jun 27 09:58:05 servername sshd[27461]: SSH: Server;Ltype:
Version;Remote: 10.73.24.60-18606;Protocol: 2.0;Client: OpenSSH_5.8
Jun 27 09:58:05 servername sshd[27461]: Invalid user
[email protected] from 10.73.24.60
Jun 27 09:58:05 servername sshd[27463]: pam_tally2(sshd:auth):
pam_get_uid; no such user
Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth): check pass;
user unknown
Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
mypcname.my.domain.name
Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth): getting
password (0x00000090)
Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth):
pam_get_item returned a password
Jun 27 09:58:09 servername sshd[27461]: error: PAM: Authentication
failure for illegal user<username OR DOMAIN\\username OR
[email protected]> from mypcname.my.domain.name
Jun 27 09:58:09 servername sshd[27461]: Failed keyboard-interactive/pam
for invalid user<username OR DOMAIN\\username OR
[email protected]> from 10.73.24.60 port 18606 ssh2
Jun 27 09:58:09 servername sshd[27464]: pam_tally2(sshd:auth):
pam_get_uid; no such user
And the same two lines in /var/log/samba/log.wb-DOMAINNAME:
[2011/06/27 10:03:39, 1]
rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
cli_pipe_validate_current_pdu: RPC fault code
DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
Logging in via console (as 'user', 'domain/user' and
'[email protected]') gives the same output in the Samba log, and a
slightly different set of errors in /var/log/messages:
Jun 27 10:06:44 servername login[1707]: pam_tally2(login:auth):
pam_get_uid; no such user
Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth): check
pass; user unknown
Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth):
authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser=
rhost=
Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth): getting
password (0x00000090)
Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth):
pam_get_item returned a password
Jun 27 10:06:51 servername login[1707]: FAILED LOGIN (3) on '/dev/tty2'
FOR 'UNKNOWN', Authentication failure
Does this add any useful info?
John H. Moe
Network Support - Hatch IT
What options have you set in pam? Either in /etc/pam.d/sshd or
/etc/pam.d/common-*, you can place something like the following
(assuming Gentoo directory structure is like Debian):
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
If you have already done so, then does getent passwd, getent group or
wbinfo -u, wbinfo -g return all of your AD users?
If not, what do your winbind config options in smb.conf look like?
Dale
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
