I'm not sure where you've gotten some of your configuration, but it doesn't look right to me... I am, however, only comparing it to my setup, which does work. I'll make notes on what differences I see, although I wouldn't consider myself an expert on samba, winbind, or pam.
First, I never changed my /etc/pam.d/samba from the original. Mine looks like:

    #%PAM-1.0
    auth required pam_nologin.so
    auth required pam_stack.so service=system-auth
    account required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth

The other files in /etc/pam.d which I want to use the PDC for authentication look like:

    #%PAM-1.0
    auth required pam_securetty.so
    auth sufficient pam_winbind.so
    auth sufficient pam_unix.so service=system-auth
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account sufficient pam_winbind.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_mkhomedir.so skel=/etc/skel umask=0222
    session required pam_stack.so service=system-auth
    session optional pam_console.so

Your smb.conf file looks like it's lacking something, mostly concerning winbind, although since I'm using an Active Directory domain, rather than NT4, I'm not sure if the differences between yours and mine would cause the problems you're seeing. I would assume you could cut out the AD stuff from mine and substitute the non-AD settings for yours... but I'm not sure. My smb.conf file (which I wrote out by hand, rather than using samba's default template) looks like:

    # General Options
    workgroup = TEST
    netbios name = linux-machine-name

    # Winbind Configuration
    winbind separator = _
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /users/%U
    template shell = /bin/bash
    # following option automatically prepends the domain name
    # to the username when a user tries to login
    winbind use default domain = yes

    # Active Directory Config
    security = ads
    encrypt passwords = yes
    password server = 192.168.1.5 # IP of the AD server
    realm = TEST.DOMAIN.COM

I've probably managed to confuse more than I've helped... but I hope not.

Shannon

____________________________
Shannon Johnson
Network Support Specialist / Systems Administrator
Dept. of Mechanical and Nuclear Engineering
224 Reber Building
University Park, PA 16802
Phone: (814) 865-8267
____________________________

> -----Original Message-----
> From: Arno Hahma [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 03, 2004 4:31 AM
> To: [EMAIL PROTECTED]
> Subject: [Samba] getent does not get remote users
>
> I have a samba 3.0.2a -server running Linux, which I try to set up to
> authenticate users from a NT4 PDC using winbindd. Now, everything works
> to the point, where I try to list users with "getent passwd". Getent
> only gets the local unix-users and has no clue about the NT4 -users.
> Also, home directories for the NT4 -users are not created and no logs
> whatsoever are left behind by the PAM module pam_mkhomedir, although I
> added the debug -switch to it.
>
> Otherwise, the system works: the shared secret is ok, wbinfo -u shows
> all NT4 -users correctly, and the NT4 -users can even create a samba
> -mount, provided the mounted directory has world rwx -permissions (such
> as the /tmp below in the smb.conf). This means the authentication works
> ok, but the unix box is just not aware of any winbindd users, even
> though samba is.
>
> Any clues, where to look for the problem? And yes, I did search through
> winbindd how-tos and this mailing list archives and tried all the
> tricks there. I also do not have any local users by the same names as
> the NT4 has them, thus, no conflicts here. Samba has been compiled with
> all necessary support (PAM, winbind etc. ) to support this scheme.
> /etc/nsswitch.conf has been edited to include winbind. ldconfig has
> been run to include the winbind shared modules. No nscd or any other
> NSS services are running. What can still be wrong?
>
> PAM configuration file "samba":
>
>     #%PAM-1.0
>     # pam_smbpass.so authenticates against the smbpasswd file
>     auth required pam_smbpass.so nodelay
>     account required /lib/security/pam_stack.so service=system-auth-winbind
>     session required /lib/security/pam_stack.so service=system-auth-winbind
>     password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
>
> The service -lines were edited according to the instructions in
> smb.conf comments to include system-auth-winbind:
>
>     #%PAM-1.0
>     # $Header: /home/cvsroot/gentoo-x86/net-fs/samba/files/system-auth-winbind,v 1.1 2002/05/06 19:57:08 woodchip Exp $
>
>     auth required /lib/security/pam_env.so
>     auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
>     auth sufficient /lib/security/pam_winbind.so
>     auth required /lib/security/pam_deny.so
>
>     account sufficient /lib/security/pam_winbind.so
>     account required /lib/security/pam_unix.so
>
>     password required /lib/security/pam_cracklib.so retry=3
>     password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
>     password required /lib/security/pam_deny.so
>
>     session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022 debug
>     session required /lib/security/pam_limits.so
>     session required /lib/security/pam_unix.so
>
> My smb.conf looks like:
>
>     # Global parameters
>     [global]
>     dos charset = 850
>     unix charset = UTF8
>     workgroup = TESTWG
>     server string = %h Samba Server %v
>     interfaces = 192.168.1.1/23 192.168.3.1/23
>     security = DOMAIN
>     map to guest = Bad User
>     log level = 2
>     log file = /var/log/samba3/log.%m
>     max log size = 500
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     printcap name = cups
>     local master = No
>     dns proxy = No
>     remote announce = 192.168.2.255 192.168.3.255
>     remote browse sync = 192.168.2.255 192.168.3.255
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>     winbind separator = _
>     printer admin = '@Domain Admins'
>     hosts allow = 192.168.1., 192.168.2., 192.168.3., 127.
>     hosts deny = ALL
>     map acl inherit = Yes
>     printing = cups
>
>     [homes]
>     comment = Home dirs
>     read only = No
>     browseable = No
>
>     [printers]
>     comment = Printers
>     path = /var/spool/samba
>     create mask = 0700
>     guest ok = Yes
>     printable = Yes
>     print command = lpr-cups -P %p %s # using cups own drivers (use generic PostScript on clients).
>     browseable = No
>
>     [print$]
>     path = /var/lib/samba/printers
>     write list = @adm, root
>     guest ok = Yes
>
>     [tmp]
>     comment = temporary files
>     path = /tmp
>     guest ok = Yes
>
> --
> ArNO
> 2

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
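
The by-eye comparison of the two smb.conf files in the reply above can be done mechanically. This is an added example, not part of the original messages and not Samba code: the parser is a simplified reading of smb.conf syntax, the function names are hypothetical, and both sample configs are constructed from settings quoted in this thread.

```python
# Added example. Both sample configs are constructed from settings quoted in this thread.
WORKING = """\
# Winbind Configuration
workgroup = TEST
winbind separator = _
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /users/%U
template shell = /bin/bash
winbind use default domain = yes
security = ads
"""
FAILING = """\
[global]
   workgroup = TESTWG
   security = DOMAIN
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind separator = _
[tmp]
   path = /tmp
   guest ok = Yes
"""
WINBIND_PREFIXES = ("winbind ", "idmap ", "template ")

def parse_global(text):
    """Return {normalized parameter name: value} for the global section."""
    params, section = {}, "global"  # assumption: lines before any [header] count as global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # whole-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def winbind_diff(reference, target):
    """Winbind-related parameters of `reference` that `target` lacks or sets differently."""
    ref, tgt = parse_global(reference), parse_global(target)
    keys = sorted(k for k in ref if k.startswith(WINBIND_PREFIXES))
    missing = [k for k in keys if k not in tgt]
    differing = {k: (ref[k], tgt[k]) for k in keys if k in tgt and ref[k] != tgt[k]}
    return missing, differing

if __name__ == "__main__":
    print(winbind_diff(WORKING, FAILING))
```

The output only lists which winbind, idmap and template parameters differ between the two files; it does not say which difference, if any, explains the getent behaviour.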
