On Thu, May 22, 2008 at 2:25 PM, Jason Gerfen <[EMAIL PROTECTED]> wrote:
> Forget my pam stack data
>
> auth required pam_env.so
> auth sufficient pam_winbind.so
> auth sufficient pam_unix.so try_first_pass likeauth nullok
> auth sufficient pam_krb5.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_krb5.so ignore_root
> account sufficient pam_winbind.so
>
> password optional pam_krb5.so
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2
> try_first_pass retry=3
> password sufficient pam_unix.so try_first_pass use_authtok nullok md5
> shadow
> password required pam_deny.so
>
> session required pam_mkhomedir.so umask=0000 skel=/etc/skel/ silent
> session required pam_limits.so
> session required pam_unix.so
> session optional pam_krb5.so
>
>
> Linux Addict wrote:
>>
>> On Thu, May 22, 2008 at 2:03 PM, Jason Gerfen <[EMAIL PROTECTED]>
>> wrote:
>>>
>>> UPDATE
>>> Jason Gerfen wrote:
>>>>
>>>> I have been reading everything I can regarding this setup but am having a
>>>> problem that I am unsure of.
>>>>
>>>> I am unable to authenticate any user despite the following commands
>>>> working:
>>>> %> getent passwd <username>
>>>> %> wbinfo -u
>>>> %> wbinfo -g
>>>>
>>>> With the getent passwd I am able to see all of my UID/GID being mapped
>>>> via
>>>> winbind to the rid of the domain user account.
>>>>
>>>> This command fails:
>>>> %> wbinfo -i <username>
>>>
>>> This command works
>>> %> wbinfo --krb5auth=smb%password
>>>
>>> From a Windows machine this fails
>>> %> net use x: \\server.domain.com\share /user:smb
>>>
>>>> And in the log files when attempting to authenticate against this
>>>> machine
>>>> by mapping a share the following is seen in the log files:
>>>> check_ntlm_password: Checking password for unmapped user
>>>> [EMAIL PROTECTED] with the new password interface
>>>>
>>>> This is inaccurate as with a krb5 tgt the correct line should look like:
>>>> check_ntlm_password: Checking password for unmapped user
>>>> [EMAIL PROTECTED] with the new password
>>>> interface
>>>>
>>>> Unless I am missing something I believe my configuration shown below is
>>>> accurate and as of yet I have not received any real answer to this
>>>> problem.
>>>>
>>>> Any help is appreciated.
>>>>
>>>> Here is my smb.conf
>>>> [global]
>>>> workgroup = scl
>>>> realm = SCL.DOMAIN.EDU
>>>> server string = valhalla.scl.domain.edu
>>>> netbios name = valhalla
>>>>
>>>> password server = *
>>>> encrypt passwords = true
>>>> security = ads
>>>>
>>>> os level = 20
>>>>
>>>> allow trusted domains = no
>>>>
>>>> ldap ssl = no
>>>>
>>>> idmap uid = 5000-2000000
>>>> idmap gid = 5000-2000000
>>>> idmap domains = SCL
>>>>
>>>> interfaces = eth0, lo
>>>> bind interfaces only = yes
>>>>
>>>> log level = 20
>>>> log file = /var/log/samba3/log.%m
>>>> max log size = 50
>>>>
>>>> client signing = yes
>>>> client schannel = no
>>>> client use spnego = yes
>>>>
>>>> preferred master = no
>>>> local master = no
>>>> domain master = no
>>>> wins proxy = no
>>>> dns proxy = No
>>>>
>>>> template shell = /bin/bash
>>>> nt acl support = yes
>>>> create mask = 0775
>>>> template homedir = /home/%U
>>>>
>>>> winbind uid = 500-2000000
>>>> winbind gid = 500-2000000
>>>> winbind separator = +
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind nested groups = yes
>>>> winbind use default domain = yes
>>>> winbind offline logon = true
>>>>
>>>> printcap name = cups
>>>> printing = cups
>>>> load printers = yes
>>>> cups options = raw
>>>> print command =
>>>> lpq command = %p
>>>> lprm command =
>>>>
>>>> [test]
>>>> comment = testing
>>>> browsable = yes
>>>> read only = yes
>>>> create mode = 0644
>>>> path = /home/jason
>>>>
>>>> Here is my krb5.conf
>>>> [libdefaults]
>>>> default_realm = UTAH.EDU
>>>>
>>>> [realms]
>>>> UTAH.EDU = {
>>>> kdc = 155.99.1.95
>>>> }
>>>>
>>>> [domain_realm]
>>>> .utah.edu = DOMAIN.EDU
>>>> DOMAIN.EDU = DOMAIN.EDU
>>>> scl.DOMAIN.EDU = DOMAIN.EDU
>>>>
>>>> [logging]
>>>> default = FILE:/var/log/krb5.log
>>>>
>>>> [appdefaults]
>>>> pam = {
>>>> ticket_lifetime = 365d
>>>> renew_lifetime = 365d
>>>> forwardable = true
>>>> proxiable = false
>>>> retain_after_close = true
>>>> minimum_uid = 0
>>>> }
>>>>
>>>> The nsswitch.conf file:
>>>> passwd: compat winbind
>>>> shadow: compat
>>>> group: compat winbind
>>>>
>>>> # passwd: db files nis
>>>> # shadow: db files nis
>>>> # group: db files nis
>>>>
>>>> hosts: files dns wins
>>>> networks: files
>>>>
>>>> services: db files
>>>> protocols: db files
>>>> rpc: db files
>>>> ethers: db files
>>>> netmasks: files
>>>> netgroup: files
>>>> bootparams: files
>>>>
>>>> automount: files
>>>> aliases: files
>>>>
>>>>
>>>
>>> --
>>> Jas
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/listinfo/samba
>>>
>>
>> Have you checked your PAM configuration? What do you see on
>> /var/log/secure?
>
1. Did you try su and ssh? What is the result?
2. Remove the *.tdb files on /var/lib/samba and restart the winbind.
There may be corruption.
3. Does kinit get a ticket?
I suggest you make su or ssh work first, then start with smb. Also
check the /var/log/secure as it should log anything related to
authentication.
Your pam configuration looks good. If your krb is configured correctly,
then winbind.so entries are not really required.
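The evaluator below is an added example, not code from this thread, Samba or Linux-PAM. It models the classic PAM control flags (required/requisite/sufficient/optional) and runs the quoted auth stack through them, showing why pam_krb5.so alone can authenticate the user, why the trailing pam_deny.so is what turns a total miss into a denial, and that the stack still works with the pam_winbind.so line dropped as the reply suggests. Module outcomes are constructed True/False values; the bracketed [value=action] syntax is not modelled.

```python
# Added example (not from the thread, Samba or Linux-PAM): a minimal evaluator
# for the classic PAM control flags, applied to the auth stack quoted above.
# Assumptions: each module either succeeds (True) or fails (False); the
# bracketed [value=action] syntax and the "optional-only stack" corner case
# are not modelled.

AUTH_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_winbind.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_krb5.so"),
    ("required",   "pam_deny.so"),
]


def evaluate(stack, results):
    """Run `stack` against `results` (module name -> True/False).

    Returns (authenticated, consulted), where `consulted` lists the modules
    that were actually asked, so you can see where the stack short-circuited.
    pam_deny.so always fails and need not appear in `results`.
    """
    required_failed = False
    consulted = []
    for control, module in stack:
        ok = False if module == "pam_deny.so" else results.get(module, False)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted        # fail now, do not run the rest
        if control == "required" and not ok:
            required_failed = True         # remember, but keep running modules
        if control == "sufficient" and ok and not required_failed:
            return True, consulted         # short-circuit: later modules skipped
        # a failing "sufficient" and any "optional" result are ignored
    return (not required_failed), consulted


# Constructed scenarios from the thread: winbind fails, Kerberos works.
KRB_ONLY = {"pam_env.so": True, "pam_winbind.so": False,
            "pam_unix.so": False, "pam_krb5.so": True}
# Nothing works: the trailing pam_deny.so must turn this into a failure.
NOTHING = {"pam_env.so": True}


def without_winbind(stack):
    """The stack the reply suggests: drop pam_winbind.so if Kerberos alone is used."""
    return [entry for entry in stack if entry[1] != "pam_winbind.so"]


if __name__ == "__main__":
    for name, res in (("krb only", KRB_ONLY), ("nothing", NOTHING)):
        print(name, evaluate(AUTH_STACK, res))
    print("no winbind", evaluate(without_winbind(AUTH_STACK), KRB_ONLY))
```

Note that a failing "required" module placed before the "sufficient" ones (pam_env.so here) blocks the short-circuit, so a working Kerberos login would still be denied; that ordering is worth keeping in mind when reading /var/log/secure.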