I was just following directions on samba.org, and when one runs 'getent passwd' or 'getent group' a '+' is used as a separator. However, 'testparm -s' does warn: 'winbind separator = +' might cause problems with group membership. So I'm lost too.
On Thu, 2004-12-02 at 08:04 -0500, Edward Wissner wrote:
> I have been following this thread. I have a similar configuration to John
> with the same problem. I am running Mandrake 10.1 Community. I have
> installed the latest krb5-1.3.X package from MIT. I am trying to authorize
> users using a w2k AD server.
> One question (possibly silly), why does every example smb.conf file use '+'
> as the winbind separator? If the default is '\', why not leave it at that?
> I am able to authenticate to the server, see the shared directories, but
> cannot authenticate to the directory. If I create a Unix/Samba user, that
> user can use the shared directories.
>
> ed
> -----Original Message-----
> From: John Stile [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 01, 2004 4:41 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Samba] AD Domain member not authenticating
>
>
> On Wed, 2004-12-01 at 11:17 -0800, John Stile wrote:
> > On Wed, 2004-12-01 at 11:06 -0800, John Stile wrote:
> > > I had samba working, then I tried (unsuccessfully) to setup ssh pam auth.
> > > Now users are prompted for a password when accessing shares, but no password
> > > works. I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.
> > > I forgot to backup pam file system-auth before modifying things, so I'm not sure if that is the problem.
> > > -------------------------------
> > > These commands succeed:
> > > wbinfo -u,
> > > wbinfo -g
> > > getent passwd
> > > getent group
> > > net ads info
> > > Time is within 2 seconds between 'net time' and 'date'
> > > -------------------------------
> > > Running winbind in interactive mode while trying to connect,
> > > winbindd -S -i -F -d 8 -Y
> > > The end of the output (as there is a lot) looks like this:
> > > ...
> > > remove_duplicate_gids: Enter 5 gids
> > > remove_duplicate_gids: Exit 5 gids
> > > [ 6411]: gid to sid 10001
> > > [ 6411]: gid to sid 10066
> > > [ 6411]: gid to sid 10067
> > > [ 6411]: gid to sid 10265
> > > [ 6411]: gid to sid 10274
> > > read failed on sock 20, pid 6411: EOF
> > > read failed on sock 19, pid 6411: EOF
> > > -------------------------------
> > > /etc/samba/smb.conf
> > > [global]
> > > server string = Samba Server
> > > workgroup = MYREALM
> > > realm = MYREALM.MY.DOMAIN.COM
> > > security = ADS
> > > username map = /etc/samba/smbusers
> > > map to guest = Bad User
> > > password server = *
> > > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > > preferred master = no
> > > local master = no
> > > domain master = no
> > > os level = 33
> > > wins server = 128.32.68.75 128.32.67.118
> > > ldap ssl = no
> > > idmap uid = 10000-20000
> > > idmap gid = 10000-20000
> > > winbind enum users = yes
> > > winbind enum groups = yes
> > > winbind separator = +
> > > winbind use default domain = Yes
> > > template primary group = "Domain Users"
> > > template homedir = /home/%U
> > > template shell = /bin/bash
> > > load printers = no
> > > log level = 1
> > > syslog = 0
> > > log file = /var/log/samba/%m.log
> > > max log size = 0
> > > -------------------------------
> > > /etc/pam.d/system-auth
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth required /lib/security/$ISA/pam_env.so
> > > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> > > auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
> > > auth required /lib/security/$ISA/pam_deny.so
> > >
> > > account required /lib/security/$ISA/pam_unix.so
> > >
> > > password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
> > > password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> > > password required /lib/security/$ISA/pam_deny.so
> > >
> > > session required /lib/security/$ISA/pam_limits.so
> > > session required /lib/security/$ISA/pam_unix.so
> > > ------------------------------
> > I'm also seeing errors in /var/log/samba/winbindd.log
> > [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> > ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested realm)
> > [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
> > ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
> > [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> > ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested realm)
> > [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
> > ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested realm)
> > [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
> > ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
> I'm still searching for a solution.
> /var/log/messages shows
> Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:get_peer_addr(1000)
> Dec 1 13:38:54 myhost smbd[7915]: getpeername failed. Error was Transport endpoint is not connected
> Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:get_peer_addr(1000)
> Dec 1 13:38:54 myhost smbd[7915]: getpeername failed. Error was Transport endpoint is not connected
> Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:write_socket_data(430)
> Dec 1 13:38:54 myhost smbd[7915]: write_socket_data: write failure. Error = Connection reset by peer
> Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:write_socket(455)
> Dec 1 13:38:54 myhost smbd[7915]: write_socket: Error writing 4 bytes to socket 22: ERRNO = Connection reset by peer
> Dec 1 13:38:54 myhost smbd[7915]: [2004/12/01 13:38:54, 0] lib/util_sock.c:send_smb(647)
> Dec 1 13:38:54 myhost smbd[7915]: Error writing 4 bytes to client. -1. (Connection reset by peer)
>
> --
> ._____________________.
> | \0/ John Stile |
> | UniX Administration |
> | / \ 510-305-3800 |
> | [EMAIL PROTECTED] |
> .---------------------.
>
>
--
._____________________.
| \0/ John Stile |
| UniX Administration |
| / \ 510-305-3800 |
| [EMAIL PROTECTED] |
.---------------------.
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
