On 06/28/2011 4:35 PM, Moe, John wrote:
Sorry, it's been pointed out that the list strips attachments.  Here's my 
smb.conf, in case it helps someone.
A few options I've never used, but overall looks fairly standard.
There are numerous howtos for this sort of thing all over the web, and trying 
to keep track of which bits are needed for a given setup is difficult.  Maybe 
in all my reading, I came away with some bad assumptions, and I need to check 
them.  Let's take FreeRadius out of the picture for the moment; I only 
mentioned it in case it was interfering/interacting with Samba.  Basically, I'm 
trying to get a virtual machine on my network, with a Gentoo Linux OS, to be 
able to allow logins based on AD accounts, so the other network admins can 
administer this server, and for ntlm_auth to return success or failure of a 
user's authentication request (which will be needed for step 2: FreeRadius).  I 
don't need shares, although it'd be handy so I can transfer files to and from 
the box.

1) To get this to work, I assumed from my reading I needed Kerberos.
I always have since that's the MS AD way. I have never set the kerberos method option. Don't know how that affects things.
2) I also assumed that "best practice" would be for this server to join the 
domain.
I agree.
3) I assumed that tdb was the correct backend for this setup, not LDAP.
That's relative to a particular preference or need. I have multiple member servers and prefer to keep uid's and gid's in sync, so I use rid for the idmap.
Can anyone speak to these assumptions?
Perhaps look at pam config again. I have had default pam configs from Debian that would not work out of the box with winbind. When that happened, I always reverted to something simple like the example given here:
(modify to suit Gentoo, of course)

http://www.enterprisenetworkingplanet.com/netos/article.php/3502441

If simple works, you can always add other options back until it breaks.

Dale
-----------------------------------------------------------

[global]
   add user script = /usr/local/bin/addsambauser %u
   client lanman auth = no
   client ntlmv2 auth = yes
   client use spnego = yes
   disable netbios = yes
   domain master = no
   encrypt passwords = yes
   idmap alloc backend = tdb
#  Defaults to tdb
   idmap backend = tdb
   idmap gid = 10000 - 99999
   idmap uid = 10000 - 99999
   lanman auth = no
   kerberos method = system keytab
   netbios name = MYSERVERNAME
   ntlm auth = yes
#  Defaults to tdbsam
   passdb backend = tdbsam
   password server = mygc.my.domain.name, mygc2.my.domain.name
   preferred master = no
   realm = MY.DOMAIN.NAME
   security = ads
   server string = %h (Samba)
   template homedir = /home/%D/%U
   template shell = /bin/bash
   use spnego = yes
   winbind enum groups = yes
   winbind enum users = yes
   winbind expand groups = yes
   winbind nested groups = yes
   winbind refresh tickets = yes
   winbind use default domain = yes
   workgroup = NTDOMAINNAME

[tmp]
   comment = temporary files
   path = /tmp
   read only = yes

-----------------------------------------------------------
John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 7777
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4011
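Added example, not from the thread, from Samba, or from John's own tooling: a small smb.conf parser and lint run over the [global] and [tmp] sections posted above. It encodes the points raised in the thread (kerberos method, idmap tdb versus rid, winbind enumeration) plus the checks a reviewer would add for an AD member server (LM and NTLMv1 acceptance, exporting /tmp). The severities and finding text are my own; the defaults named in comments are for the Samba 3.x series John is running, and the sample is his config with the site-specific lines left out.

```python
"""Parse an smb.conf and report the settings that matter for a Samba/winbind
AD member server.  Added example for this thread, not Samba code."""
import re
from typing import Dict, List, Tuple

# John's [global] and [tmp] sections from the thread, site-specific lines removed.
SAMPLE_SMB_CONF = """\
[global]
   client lanman auth = no
   client ntlmv2 auth = yes
   disable netbios = yes
   encrypt passwords = yes
#  Defaults to tdb
   idmap backend = tdb
   idmap gid = 10000 - 99999
   idmap uid = 10000 - 99999
   lanman auth = no
   kerberos method = system keytab
   ntlm auth = yes
   realm = MY.DOMAIN.NAME
   security = ads
   winbind enum groups = yes
   winbind enum users = yes
   winbind use default domain = yes
   workgroup = NTDOMAINNAME

[tmp]
   comment = temporary files
   path = /tmp
   read only = yes
"""

Conf = Dict[str, Dict[str, str]]
Finding = Tuple[str, str, str]  # (severity, parameter, explanation)


def norm_key(key: str) -> str:
    # Samba matches parameter names case-insensitively and ignores whitespace.
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> Conf:
    """[section] headers, key = value lines, '#' or ';' comment lines.
    A later duplicate overwrites an earlier one, as Samba does."""
    conf: Conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][norm_key(key)] = value.strip()
    return conf


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def idmap_range(value: str) -> Tuple[int, int]:
    # "10000 - 99999" -> (10000, 99999)
    lo, hi = (int(part) for part in value.replace("-", " ").split())
    return lo, hi


def lint(conf: Conf) -> List[Finding]:
    g = conf.get("global", {})

    def get(param: str, default: str = "") -> str:
        return g.get(norm_key(param), default)

    out: List[Finding] = []
    if get("security").lower() == "ads":
        if not get("realm"):
            out.append(("error", "realm", "security = ads needs realm = <AD Kerberos realm>"))
        if get("kerberos method", "default").lower() == "default":
            out.append(("info", "kerberos method",
                        "default: machine credentials come from secrets.tdb only, /etc/krb5.keytab is not used"))
    if is_yes(get("lanman auth", "no")):
        out.append(("error", "lanman auth", "accepts LM responses; set no"))
    if not is_yes(get("encrypt passwords", "yes")):
        out.append(("error", "encrypt passwords", "plaintext SMB passwords; set yes"))
    # Default is yes in Samba 3.x.  Accepting NTLMv1 is only justified here because
    # the MS-CHAPv2 path through ntlm_auth (John's FreeRADIUS step) needs it.
    if is_yes(get("ntlm auth", "yes")):
        out.append(("warn", "ntlm auth",
                    "yes accepts NTLMv1 responses; keep only for ntlm_auth/MS-CHAPv2 "
                    "(Samba 4.5+ can narrow this to mschapv2-and-ntlmv2-only)"))
    client_ntlmv2 = get("client ntlmv2 auth")
    if client_ntlmv2 and not is_yes(client_ntlmv2):
        out.append(("warn", "client ntlmv2 auth", "Samba would send NTLMv1 to the DCs; set yes"))
    for param in ("idmap uid", "idmap gid"):
        value = get(param)
        if not value:
            out.append(("error", param, "not set: domain accounts get no Unix id, so no domain login can work"))
            continue
        lo, hi = idmap_range(value)
        if lo >= hi:
            out.append(("error", param, f"empty range {value}"))
        elif lo < 1000:
            out.append(("warn", param, f"range {value} overlaps local system accounts"))
    if get("idmap backend", "tdb").lower() == "tdb":
        out.append(("info", "idmap backend",
                    "tdb allocates ids first-come, so one domain user gets different uids on "
                    "different member servers; rid or ad gives stable ids"))
    if is_yes(get("winbind enum users", "no")) or is_yes(get("winbind enum groups", "no")):
        out.append(("info", "winbind enum users/groups",
                    "getent walks the whole domain (and trusted domains); slow with thousands of accounts and not needed for login"))
    for name, share in conf.items():
        if name == "global":
            continue
        path = share.get("path", "")
        if path.rstrip("/") in ("/tmp", "/var/tmp"):
            out.append(("warn", f"[{name}] path",
                        f"exports {path}: other users' temporary files become readable by every domain account"))
        if is_yes(share.get(norm_key("guest ok"), "no")):
            out.append(("warn", f"[{name}] guest ok", "anonymous access to the share"))
    return out


def lint_text(text: str) -> List[Finding]:
    return lint(parse_smb_conf(text))


if __name__ == "__main__":
    for severity, param, why in lint_text(SAMPLE_SMB_CONF):
        print(f"{severity:5} {param}: {why}")
```

Run it against a real file with `lint_text(open("/etc/samba/smb.conf").read())`; `testparm` remains the authority on whether Samba accepts the file, this only flags what testparm will not.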
-----Original Message-----
From: [email protected] [mailto:samba-
[email protected]] On Behalf Of Moe, John
Sent: Tuesday, 28 June 2011 7:26 AM
To: Samba mailing list
Subject: Re: [Samba] Problem getting Samba fully working

-----Original Message-----
From: Dale Schroeder [mailto:[email protected]]
Sent: Tuesday, 28 June 2011 4:42 AM
To: Moe, John
Cc: Samba mailing list
Subject: Re: [Samba] Problem getting Samba fully working

On 06/26/2011 7:14 PM, Moe, John wrote:
-----Original Message-----
From: Linda Walsh [mailto:[email protected]]
Sent: Saturday, 25 June 2011 8:02 PM
To: Moe, John
Cc: Samba mailing list
Subject: Re: Problem getting Samba fully working

Moe, John wrote:
Hello all,

Relevant info up front: Gentoo PC, using 2.6.38 kernel and Samba 3.4.12.

I'm trying to get a FreeRadius instance working for our Windows network. To do so, I need a Linux box running Samba. I've installed and configured Kerberos, Samba and FreeRadius, and can get most things to work. I can get a Kerberos key using kinit, and "sudo net ads keytab list" shows me tickets. I can use things like "net ads user myuser -U myuser" to get info about my user account. I can use "sudo wbinfo -t" to show the secret trust is OK, and "sudo net ads testjoin" works as well. I can even log on to my switch using RADIUS authentication to my AD account (using ntlm_auth). So a lot of the pieces are working correctly.

[2011/06/21 07:12:21,  1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
    cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!
----
I am not sure the above messages are from your ssh... And I know nothing about configuration with Free Radius or Kerberos, so your problems may be completely different from ones I've had but...



I take it you are running ssh on the Win7 workstation and trying to login to the linux samba server.

If your username in the domain is 'user' (i.e. you are 'domain\user'), and your linux account is 'user', then on the ssh line, you might try 'ssh user@linux-server' instead of the "normal" 'ssh linux-server'. If that works, then your 'sshd' server on your linux server is probably receiving 'domain\user' as the username (not just 'user') and doesn't know what to do with that.

Theoretically should be resolvable via proper pam and config files (all the file ops map my 'domain\user' => 'user' on the PDC), but a _*hack*_ I use (but would find a better solution in a production environment) is to create a 2nd /etc/passwd & /etc/shadow entry that dups my 'user' but has the username field changed to 'DOMAIN\user'. (Getting the capitalization to agree with what the workstation thinks it is, is important in this case; upper case is norm, so unless you've customized things in the win registry, shouldn't be a prob (not that I would have any knowledge of this, of course...))....

But I'd try to get 'winbind' config'ed with pam to map the username properly for a best fix (on my 'todo list') ... just hasn't been that important ...

Best short term: specify the username with the hostname when using the 'ssh' (or scp, i.e. 'scp file user@remote:/tmp') ...

In any event, using kerberos/freeradius, there should be some way to make sure that a 'domain\user' is mapped to 'user' on a PDC...

Or it might be the 'ssh' client that "shouldn't" be prepending the windows domainname.... not sure.

But hopefully gives you some ideas where to look...

Thanks for the reply. Maybe I haven't made myself clear in the first post. I'm not asking for any help relating to FreeRadius; I just want to get basic Samba working properly. Share browsing via guest access works, and I get a number of other successes from other tests, but I can't seem to get login using AD username working, neither locally nor via SSH.

To get integration with a native Windows 2003 AD domain, I was to understand I needed Kerberos; was that wrong? Maybe I've complicated things a bit here.

As to the login problem: I'm using OpenSSH on Cygwin on my Win7 PC, and it doesn't matter if I try:

ssh servername
ssh user@servername
ssh domain\user@servername
ssh '[email protected]'@servername

They all return the same things in /var/log/messages:

Jun 27 09:58:05 servername sshd[27461]: SSH: Server;Ltype: Version;Remote: 10.73.24.60-18606;Protocol: 2.0;Client: OpenSSH_5.8
Jun 27 09:58:05 servername sshd[27461]: Invalid user [email protected] from 10.73.24.60
Jun 27 09:58:05 servername sshd[27463]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth): check pass; user unknown
Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mypcname.my.domain.name
Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth): getting password (0x00000090)
Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 27 09:58:09 servername sshd[27461]: error: PAM: Authentication failure for illegal user <username OR DOMAIN\\username OR [email protected]> from mypcname.my.domain.name
Jun 27 09:58:09 servername sshd[27461]: Failed keyboard-interactive/pam for invalid user <username OR DOMAIN\\username OR [email protected]> from 10.73.24.60 port 18606 ssh2
Jun 27 09:58:09 servername sshd[27464]: pam_tally2(sshd:auth): pam_get_uid; no such user

And the same two lines in /var/log/samba/log.wb-DOMAINNAME:

[2011/06/27 10:03:39,  1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
    cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!

Logging in via console (as 'user', 'domain/user' and '[email protected]') gives the same output in the Samba log, and a slightly different set of errors in /var/log/messages:

Jun 27 10:06:44 servername login[1707]: pam_tally2(login:auth): pam_get_uid; no such user
Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth): check pass; user unknown
Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=
Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth): getting password (0x00000090)
Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth): pam_get_item returned a password
Jun 27 10:06:51 servername login[1707]: FAILED LOGIN (3) on '/dev/tty2' FOR 'UNKNOWN', Authentication failure

Does this add any useful info?

John H. Moe
Network Support - Hatch IT

What options have you set in pam?  Either in /etc/pam.d/sshd or
/etc/pam.d/common-*, you can place something like the following
(assuming Gentoo directory structure is like Debian):

auth    sufficient    pam_winbind.so
account    sufficient    pam_winbind.so

If you have already done so, then does getent passwd, getent group or
wbinfo -u, wbinfo -g return all of your AD users?

If not, what do your winbind config options in smb.conf look like?

Dale
In Gentoo it's slightly different, but the lines you are looking for are in my /etc/pam.d/system-auth file, which is 'include'd in my sshd and login files. And in the logs above, you can see the lines from pam_winbind saying they're getting the password, but nothing after that. I assumed that's because of the errors in the Samba logs (also above)? But the point is that PAM does seem to be using winbind.

Anyway, 'getent passwd' & 'getent group' both return the local files & domain info, and 'wbinfo -u' and 'wbinfo -g' both return, if not all, then quite a few of my domain users. We've got a few thousand users, so it'd be hard to check for them all. FWIW, it's also returning users in some of our trusted domains, not part of the same forest, as well; I'm not sure if that's normal?

Also, 'wbinfo --check-trust' returns OK and 'net ads testjoin' returns OK, and there is a computer account for this server in my AD as well.

My smb.conf is attached. Thanks for your assistance.

John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 7777
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4011
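Added example (mine, not John's, Dale's, or any project's code): a triage script for the kind of syslog lines quoted above. The distinction worth automating is between sshd's "Invalid user" together with pam_tally2/pam_unix "no such user", which mean the name never resolved through NSS so no password was ever checked, and a pam_winbind rejection, which means NSS worked and the DC refused the credentials. The sample lines are constructed after John's (placeholder user jdoe, same programs and message shapes); the second session with the pam_winbind WBC_ERR_AUTH_ERROR line is invented to show the other outcome, and the next-step hints are my suggestions, not something the thread states.

```python
"""Triage sshd/login PAM failures: name-not-resolved (NSS/winbind lookup
failed) versus password-rejected (lookup worked, DC refused).  Added example
for this thread; not OpenSSH, Linux-PAM or Samba code."""
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the lines posted in the thread.  pid 27490/27488
# and the WBC_ERR_AUTH_ERROR line are invented to show a resolved-but-rejected login.
SAMPLE_MESSAGES = """\
Jun 27 09:58:05 servername sshd[27461]: Invalid user DOMAIN\\jdoe from 10.73.24.60
Jun 27 09:58:05 servername sshd[27463]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth): check pass; user unknown
Jun 27 09:58:08 servername sshd[27463]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mypcname.my.domain.name
Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth): getting password (0x00000090)
Jun 27 09:58:08 servername sshd[27463]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 27 09:58:09 servername sshd[27461]: Failed keyboard-interactive/pam for invalid user DOMAIN\\jdoe from 10.73.24.60 port 18606 ssh2
Jun 27 10:02:11 servername sshd[27490]: pam_winbind(sshd:auth): getting password (0x00000090)
Jun 27 10:02:11 servername sshd[27490]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 27 10:02:12 servername sshd[27490]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Jun 27 10:02:12 servername sshd[27488]: Failed password for jdoe from 10.73.24.60 port 18700 ssh2
Jun 27 10:06:44 servername login[1707]: pam_tally2(login:auth): pam_get_uid; no such user
Jun 27 10:06:51 servername login[1707]: FAILED LOGIN (3) on '/dev/tty2' FOR 'UNKNOWN', Authentication failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The name exactly as the client sent it, taken from sshd's own lines.
USER_RE = re.compile(r"(?:[Ii]nvalid user|Failed password for|Accepted \S+ for) (?P<user>\S+)")

# NSS markers: getpwnam() failed, so PAM never had an account to check a password for.
NAME_NOT_RESOLVED = ("Invalid user ", "invalid user ", "pam_get_uid; no such user",
                     "check pass; user unknown", "FOR 'UNKNOWN'")
PASSWORD_REJECTED = ("NT_STATUS_WRONG_PASSWORD", "NT_STATUS_LOGON_FAILURE",
                     "WBC_ERR_AUTH_ERROR", "Failed password for")
GRANTED = ("granted access", "Accepted password for", "Accepted keyboard-interactive/pam for")

NEXT_STEP = {  # my suggestions, not from the thread
    "name-not-resolved": "no password was checked: `getent passwd '<name as typed>'` must print a line first; "
                         "check nsswitch.conf (passwd/group: files winbind), the name form expected by "
                         "winbind use default domain / winbind separator, and that winbindd is running",
    "password-rejected": "NSS is fine; test the backend directly with `wbinfo -a 'DOMAIN\\user%password'` "
                         "and check the DC's security log for the rejection",
    "granted": "authentication succeeded; a failing session points at account/session modules or "
               "the template homedir/shell",
    "undetermined": "no decisive line; add debug to pam_winbind.so and raise the winbindd log level",
}


def parse_syslog(text: str) -> List[Dict[str, str]]:
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def classify_message(msg: str) -> Optional[str]:
    for verdict, markers in (("name-not-resolved", NAME_NOT_RESOLVED),
                             ("password-rejected", PASSWORD_REJECTED),
                             ("granted", GRANTED)):
        if any(marker in msg for marker in markers):
            return verdict
    return None


def triage(text: str) -> Dict[str, dict]:
    """One verdict per logging pid (sshd uses a parent and a PAM child per attempt)."""
    sessions: Dict[str, dict] = {}
    for e in parse_syslog(text):
        s = sessions.setdefault(e["pid"], {"prog": e["prog"], "user": None,
                                           "signals": set(), "evidence": []})
        kind = classify_message(e["msg"])
        if kind:
            s["signals"].add(kind)
            s["evidence"].append(e["msg"])
        um = USER_RE.search(e["msg"])
        if um and s["user"] is None:
            s["user"] = um.group("user")
    for s in sessions.values():
        # An unresolved name dominates: later password lines cannot have meant anything.
        s["verdict"] = next((v for v in ("name-not-resolved", "password-rejected", "granted")
                             if v in s["signals"]), "undetermined")
        del s["signals"]
    return sessions


def next_step(verdict: str) -> str:
    return NEXT_STEP.get(verdict, NEXT_STEP["undetermined"])


if __name__ == "__main__":
    for pid, s in triage(SAMPLE_MESSAGES).items():
        print(f"{s['prog']}[{pid}] user={s['user']!r}: {s['verdict']}")
        print("   ->", next_step(s["verdict"]))
```

Feed it `triage(open("/var/log/messages").read())` on the server; in John's paste every pid comes out as name-not-resolved, which is the case where smb.conf and the DC are not yet the question and the NSS lookup of the typed name is.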
