After reading the related chapter in the Samba-3 HOWTO document I've tried to put the AD authentication in place in our network on two systems and I got stuck in exactly the same place. Here are the software configs I was using:

Sys 1: FreeBSD 4.11 release, sshd version OpenSSH_3.5p1 FreeBSD-20030924, Samba Version 3.0.10
Sys 2: FreeBSD 5.4-RELEASE FreeBSD amd64, OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004, Samba Version 3.0.12

I will detail what I did on sys1 (as this one is more urgent, and anyway I did the same things on sys2 with exactly the same outcome).

My /etc/smb.conf:

    [global]
    workgroup = OURDOMAIN
    # strangely, it doesn't like the realm setting
    #realm = MISSIONCRITICALIT.COM
    password server = PASSSWD_SERV_IP
    security = ADS
    encrypt passwords = yes
    server string = My Samba Server
    # separate domain and username with '\', like DOMAIN\username
    winbind separator = \\
    # use uids from 10000 to 20000 for domain users
    idmap uid = 10000-20000
    # use gids from 10000 to 20000 for domain groups
    idmap gid = 10000-20000
    # allow enumeration of winbind users and groups
    winbind enum users = yes
    winbind enum groups = yes
    # give winbind users a real shell (only needed if they have telnet access)
    template homedir = /home/winnt/%D%U
    template shell = /usr/local/bin/bash

Then I did

    sudo net join -UAdministrator

After providing the right password the answer was:

    Joined domain OURDOMAIN.

Then I modified the /usr/compat/linux/etc/nsswitch.conf file to look like the following:

    passwd: files winbind
    shadow: files
    group: files winbind

After starting winbindd with (-d 3 -i) I can now query the users and groups with:

    wbinfo -u
    wbinfo -g

Both lists seem to be in concordance with what we got on our W2K PDC. However, if I do

    /usr/compat/linux/usr/bin/getent passwd

I get only the local password file content, nothing related to the domain... According to the Samba3 HOWTO this should return me info for users in the domain... What am I doing wrong?

Furthermore, I went through this ordeal to allow domain users to authenticate with ssh. So I've modified the /etc/pam.conf file like this (settings for ssh):

    sshd auth sufficient pam_skey.so
    sshd auth sufficient pam_opie.so no_fake_prompts
    #this line is added by me
    sshd auth sufficient /usr/local/lib/pam_winbind.so
    #sshd auth requisite pam_opieaccess.so
    #sshd auth sufficient pam_kerberosIV.so try_first_pass
    #sshd auth sufficient pam_krb5.so try_first_pass
    sshd auth required pam_unix.so try_first_pass
    sshd account required pam_unix.so
    #this line is added by me
    sshd account sufficient /usr/local/lib/pam_winbind.so
    sshd password required pam_permit.so
    sshd session required pam_permit.so

Now when I try to log in as a domain user via ssh the access is refused and I get this in /var/log/auth.log:

    sshd[1972]: Illegal user usr1 from 10.10.10.201
    sshd[1972]: Failed unknown for illegal user usr1 from 10.10.10.201 port 55268 ssh2

And I get no output at all from winbindd, like the sshd wouldn't even bother to try to authenticate via winbindd... Can anybody help?

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
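An added check, not part of the post above, for the two files it edits: OpenSSH logs "Illegal user" when the login name does not resolve through the system's getpwnam(), which happens before PAM is consulted, so the nsswitch.conf that sshd actually reads must list winbind for passwd and group, and the sshd PAM stacks must reach pam_winbind. The samples below are constructed from the post's configuration; the file paths in the comments are assumptions.

```sh
# Constructed samples based on the post (the real files would be read
# from the path libc uses, e.g. /etc/nsswitch.conf, and /etc/pam.conf).
NSS_SAMPLE='passwd: files winbind
shadow: files
group: files winbind'

PAM_SAMPLE='sshd auth sufficient pam_skey.so
sshd auth sufficient pam_opie.so no_fake_prompts
sshd auth sufficient /usr/local/lib/pam_winbind.so
sshd auth required pam_unix.so try_first_pass
sshd account required pam_unix.so
sshd account sufficient /usr/local/lib/pam_winbind.so'

# nss_has_winbind DB TEXT: succeeds if "winbind" is a source for DB.
# Without this for passwd, sshd never learns the user exists and logs
# "Illegal user" before any PAM module (winbind included) is called.
nss_has_winbind() {
  printf '%s\n' "$2" | awk -v db="$1:" '
    $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
    END { exit !ok }'
}

# pam_winbind_status TYPE TEXT: prints "missing", "ok" or "gated" for the
# sshd TYPE stack. "gated" means a required/requisite module precedes
# pam_winbind; PAM still requires that module to succeed for the stack
# to pass, even when pam_winbind later returns success.
pam_winbind_status() {
  printf '%s\n' "$2" | awk -v type="$1" '
    $1 == "sshd" && $2 == type {
      if ($4 ~ /pam_winbind/) { found = 1; if (gate) gated = 1 }
      else if ($3 == "required" || $3 == "requisite") gate = 1
    }
    END { if (!found) print "missing"; else if (gated) print "gated"; else print "ok" }'
}

# Report on the constructed samples.
for db in passwd group; do
  if nss_has_winbind "$db" "$NSS_SAMPLE"; then echo "nss $db: winbind present"
  else echo "nss $db: winbind MISSING"; fi
done
echo "pam auth: $(pam_winbind_status auth "$PAM_SAMPLE")"
echo "pam account: $(pam_winbind_status account "$PAM_SAMPLE")"
```

With the post's stacks this reports the auth stack as "ok" and the account stack as "gated", because pam_unix.so is marked required ahead of pam_winbind there.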
