Forgot my pam stack data

auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_krb5.so use_first_pass
auth       required     pam_deny.so

account    required     pam_unix.so
account    sufficient   pam_krb5.so ignore_root
account    sufficient   pam_winbind.so

password   optional     pam_krb5.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   required     pam_deny.so

session    required     pam_mkhomedir.so umask=0000 skel=/etc/skel/ silent
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_krb5.so


Linux Addict wrote:
On Thu, May 22, 2008 at 2:03 PM, Jason Gerfen <[EMAIL PROTECTED]> wrote:
UPDATE
Jason Gerfen wrote:
I have been reading everything I can regarding this setup but am having a
problem that I am unsure of.

I am unable to authenticate any user despite the following commands
working:
%> getent passwd <username>
%> wbinfo -u
%> wbinfo -g

With the getent passwd I am able to see all of my UID/GID being mapped via
winbind to the rid of the domain user account.

This command fails:
%> wbinfo -i <username>
This command works
%> wbinfo --krb5auth=smb%password

From a windows machine this fails
%> net use x: \\server.domain.com\share /user:smb

And in the log files when attempting to authenticate against this machine
by mapping a share the following is seen in the log files:
check_ntlm_password:  Checking password for unmapped user
[EMAIL PROTECTED] with the new password interface

This is inaccurate as with a krb5 tgt the correct line should look like:
check_ntlm_password:  Checking password for unmapped user
[EMAIL PROTECTED] with the new password interface

Unless I am missing something I believe my configuration shown below is
accurate and as of yet I have not received any real answer to this problem.

Any help is appreciated.

Here is my smb.conf
[global]
       workgroup = scl
       realm = SCL.DOMAIN.EDU
       server string = valhalla.scl.domain.edu
       netbios name = valhalla

       password server = *
       encrypt passwords = true
       security = ads

       os level = 20

       allow trusted domains = no

       ldap ssl = no

       idmap uid = 5000-2000000
       idmap gid = 5000-2000000
       idmap domains = SCL

       interfaces = eth0, lo
       bind interfaces only = yes

       log level = 20
       log file = /var/log/samba3/log.%m
       max log size = 50

       client signing = yes
       client schannel = no
       client use spnego = yes

       preferred master = no
       local master = no
       domain master = no
       wins proxy = no
       dns proxy = No

       template shell = /bin/bash
       nt acl support = yes
       create mask = 0775
       template homedir = /home/%U

       winbind uid = 500-2000000
       winbind gid = 500-2000000
       winbind separator = +
       winbind enum users = yes
       winbind enum groups = yes
       winbind nested groups = yes
       winbind use default domain = yes
       winbind offline logon = true

       printcap name = cups
       printing = cups
       load printers = yes
       cups options = raw
       print command =
       lpq command = %p
       lprm command =

[test]
       comment = testing
       browsable = yes
       read only = yes
       create mode = 0644
       path = /home/jason

Here is my krb5.conf
[libdefaults]
       default_realm = UTAH.EDU

[realms]
       UTAH.EDU = {
               kdc = 155.99.1.95
       }

[domain_realm]
       .utah.edu = DOMAIN.EDU
       DOMAIN.EDU = DOMAIN.EDU
       scl.DOMAIN.EDU = DOMAIN.EDU

[loggin]
       default = FILE:/var/log/krb5.log

[appdefaults]
       pam = {
               ticket_lifetime = 365d
               renew_lifetime = 365d
               forwardable = true
               proxiable = false
               retain_after_close = true
               minimum_uid = 0
       }

The nsswitch.conf file:
passwd:      compat winbind
shadow:      compat
group:       compat winbind

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files



--
Jas
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Have you checked your PAM configuration? What do you see on /var/log/secure?
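
As a way of acting on the question about the PAM configuration, here is an added example (not part of the thread and not Samba or Linux-PAM code) that models how the `required` and `sufficient` controls in the posted auth and account stacks combine. It is a simplified model of the keyword controls only; the function names and the module outcomes passed in are constructed for illustration.

```python
# Added example: a simplified model of Linux-PAM keyword controls.
# It does not call PAM; module outcomes are supplied by the caller (constructed).
AUTH_STACK = """\
auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_krb5.so use_first_pass
auth       required     pam_deny.so
"""
ACCOUNT_STACK = """\
account    required     pam_unix.so
account    sufficient   pam_krb5.so ignore_root
account    sufficient   pam_winbind.so
"""


def parse_stack(text):
    """Return (control, module) pairs, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            entries.append((fields[1], fields[2]))
    return entries


def evaluate(entries, outcomes):
    """Walk one stack. outcomes maps module -> True/False; unlisted = failure.
    Returns (stack_result, list of modules actually consulted)."""
    required_failed = False
    consulted = []
    for control, module in entries:
        ok = outcomes.get(module, False)
        consulted.append(module)
        if not ok and control == "requisite":
            return False, consulted          # fail immediately
        if not ok and control == "required":
            required_failed = True           # remembered, stack keeps running
        if ok and control == "sufficient" and not required_failed:
            return True, consulted           # success short-circuits the rest
        # a failed "sufficient" and any "optional" result are ignored here
    return not required_failed, consulted


def show(name, text, outcomes):
    result, consulted = evaluate(parse_stack(text), outcomes)
    print(f"{name}: {'PASS' if result else 'FAIL'} after {', '.join(consulted)}")
    return result


if __name__ == "__main__":
    show("auth, winbind ok", AUTH_STACK, {"pam_env.so": True, "pam_winbind.so": True})
    show("auth, all back ends fail", AUTH_STACK, {"pam_env.so": True})
    show("account, unix fails", ACCOUNT_STACK, {"pam_winbind.so": True})
```

The last case shows that a failing `required pam_unix.so` at the top of the account stack is not overridden by a later `sufficient pam_winbind.so` success, so each stack has to be checked separately against what the system authentication log reports.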

