So I have installed MS SFU on the local domain controller, but we have a 
primary DC over at a data center - does MS SFU have to be installed on the PDC 
as well to get this all to work?  I'm a little unclear on this.
 
[EMAIL PROTECTED] ~]# wbinfo --getdcname=DNAME
PDCDOM01

which is the PDC over at the data centre, not the local DC.  Is this an issue?
 
Also: I can wbinfo -u and -g fine.  I can use -a and -K to check authentication 
of my account on the domain (both work).  I can get SIDs
 
[EMAIL PROTECTED] ~]# wbinfo -n UNAME
S-1-5-21-3188596277-436205732-2179202570-1295 User (1)

but not resolve them into UIDs.
 
[EMAIL PROTECTED] ~]# wbinfo -S S-1-5-21-3188596277-436205732-2179202570-1295
Could not convert sid S-1-5-21-3188596277-436205732-2179202570-1295 to uid

[EMAIL PROTECTED] ~]# wbinfo -Y S-1-5-21-3188596277-436205732-2179202570-1295
Could not convert sid S-1-5-21-3188596277-436205732-2179202570-1295 to gid

/var/log/samba/log.winbindd-idmap spits out the following lines after I restart 
nmbd, smbd and winbindd:
 
[2008/07/25 18:13:42, 1] nsswitch/idmap.c:idmap_init(377)
  Initializing idmap domains
[2008/07/25 18:13:42, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
  Could not get unix ID

which seems consistent with not being able to map SIDs above.
 
You can find a level 10 debug log here:
http://www.mediafire.com/?2h00d92gf19
 
Great mailing list you have here.
 
-=Andrew

________________________________

From: Jason Gerfen [mailto:[EMAIL PROTECTED]
Sent: Wed 7/23/2008 1:18 PM
To: Andrew Masterson
Cc: [email protected]
Subject: Re: [Samba] Trouble authenticating to Samba shares with Win 2k3 ADS

Turn up the debugging and take a look at the following schema attributes
for the user you are attempting to authenticate. It looks like some
POSIX account data may be missing.

uidNumber
gidNumber
sfuHomeDirectory
loginShell

Also turn up the debugging to 20, restart your samba server and required
services (winbind etc.) and try again. You might want to also look into
using the wbinfo --help under the SID to GID, and SID to UID mapping
functions.

If those are not working then the schema attributes or values are
missing in the AD account schema.

Andrew Masterson wrote:
> I added those lines (and changed the range to 10000-20000), and still
> smbclient returns the same error.
>
> "session setup failed: NT_STATUS_LOGON_FAILURE"
>
> I also updated the krb5.conf file as I noticed some errors (Improper
> format of Kerberos configuration file) in some of the logs.  Those
> errors are now gone, and the only idmap log file I see is
> log.winbindd-idmap and it gives:
>
> [EMAIL PROTECTED] etc]# more /var/log/samba/log.winbindd-idmap
> [2008/07/23 11:03:44, 1] nsswitch/idmap.c:idmap_init(377)
>   Initializing idmap domains
> [2008/07/23 11:03:44, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
>   Could not get unix ID
>
> And the second message (error) wasn't happening before.  Am I missing a
> module to provide the AD idmap backend? (although it looks like it is
> trying to do it and failing)
>
> New krb5.conf file
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = DNAME.LOCAL
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [realms]
>  DNAME.LOCAL = {
>   kdc = DCONTR.DNAME.local:88
>   admin_server = DCONTR.DNAME.local:749
>   default_domain = DNAME.local
>  }
>
> [domain_realm]
>  .DNAME.local = DNAME.LOCAL
>  DNAME.local = DNAME.LOCAL
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
>
>
> -----Original Message-----
> From: Jason Gerfen [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 23, 2008 10:58 AM
> To: Andrew Masterson
> Cc: [email protected]
> Subject: Re: [Samba] Trouble authenticating to Samba shares with Win 2k3 ADS
>
> Try using the following in your smb.conf
>
> client signing = yes
> client schannel = no
> client use spnego = yes
> client lanman auth = no
> client NTLMv2 auth = yes
> client plaintext auth = no
>
> idmap domains = DOMAIN
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:default = yes
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 1000 - 300000000
>
> And for troubleshooting try taking a look at the
> /var/log/samba/log.idmap* logs for UID/GID to SID mapping
>
> Or you can use
> %> wbinfo -i <USER>
> %> wbinfo -n <USER>
> %> wbinfo -s <USER>
>
> Hope that helps some.
>
> Andrew Masterson wrote:
>> I may have a deficiency in understanding the procedure for ADS
>> authentication with samba, but most of the server setup works so far. I
>> have bound a Red Hat Enterprise 5 server to our windows domain, it shows
>> up in DNS and ADS, I can ping it, but I can't get samba shares to be
>> accessible to users, or even get the smbclient to return shares
>> properly.
>>
>> wbinfo -g returns the domain groups properly
>>
>> wbinfo -u returns the domain users properly
>>
>> [EMAIL PROTECTED] samba]# wbinfo -a 'DNAME\uname'%secret
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>>
>> [EMAIL PROTECTED] samba]# wbinfo -K 'DNAME\uname'%secret
>> plaintext kerberos password authentication for [DNAME\uname%secret]
>> succeeded (requesting cctype: FILE)
>> credentials were put in: FILE:/tmp/krb5cc_0
>>
>> [EMAIL PROTECTED] samba]# wbinfo -t
>> checking the trust secret via RPC calls succeeded
>>
>> So that all works fine.  smbclient chokes though:
>>
>> [EMAIL PROTECTED] samba]# smbclient -L solar -U 'DNAME\uname'
>> Password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> [EMAIL PROTECTED] samba]# smbclient -L solar -U uname
>> Password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> or if I even use a samba user that I have setup with smbpasswd
>>
>> [EMAIL PROTECTED] samba]# smbclient -L solar -U sambaname
>> Password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> The only log file in /var/log/samba that shows any changes is log.nmbd
>>
>> [2008/07/23 08:18:47, 0] nmbd/nmbd_namequery.c:query_name_response(109)
>>   query_name_response: Multiple (2) responses received for a query on
>> subnet 192.168.77.244 for name DNAME<1d>.
>>   This response was from IP 192.168.77.216, reporting an IP address of
>> 192.168.77.216.
>>
>> Here is my smb.conf
>>
>> # Samba config file created using SWAT
>> # from 127.0.0.1 (127.0.0.1)
>> # Date: 2008/07/17 09:25:15
>>
>> [global]
>>    workgroup = DNAME
>>    realm = DNAME.LOCAL
>>    netbios aliases = solar.dname.local, solar.dname.com
>>    server string = Samba %v %h
>>    interfaces = 192.168.77.244
>>    security = ADS
>> #  security = user
>>    auth methods = winbind
>>    use kerberos keytab = Yes
>>    encrypt passwords = yes
>>    winbind enum users = Yes
>>    winbind enum groups = Yes
>>    preferred master = No
>>    local master = No
>>    domain master = No
>>    ldap ssl = no
>>    idmap domains = DNAME
>>    idmap uid = 10000-20000
>>    idmap gid = 10000-20000
>>
>> [T_drive]
>>    writeable = yes
>>    valid users = sambaname,'DNAME\uname'
>>    public = yes
>>    path = /data/T_drive
>>
>> Here is krb5.conf
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = DNAME.LOCAL
>>
>> [realms]
>> DNAME.LOCAL = {
>>    default_domain =
>>    kdc = nvautil01.DNAME.local:
>>    admin_server = nvadom01:
>> }
>>
>> [domain_realm]
>> dname.local = DNAME.LOCAL
>>
>> pam.d directory samba file
>>
>> [EMAIL PROTECTED] samba]# more /etc/pam.d/samba
>> #%PAM-1.0
>> auth    sufficient      pam_krb5afs.so
>> account sufficient      pam_krb5afs.so
>> auth    sufficient      pam_winbind.so
>> account sufficient      pam_winbind.so
>> session sufficient      pam_krb5afs.so
>> password       sufficient  pam_krb5afs.so
>> auth     required       pam_unix.so
>> account  required       pam_unix.so
>> session sufficient      pam_winbind.so
>> password       sufficient  pam_winbind.so
>>
>
>


--
Jason Gerfen
Systems Administration/Web application development
[EMAIL PROTECTED]

Marriott Library
Lab Systems PC
295 South 1500 East
Salt Lake City, Utah 84112-0806
Ext 5-9810

"Tomorrow isn't promised so we live for today"
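Jason's advice to inspect uidNumber and gidNumber, together with the 10000-20000 idmap range Andrew configured, can be turned into a scripted check. The script below is an added example, not code from either poster: it reads an LDIF dump of a user's AD entry and reports the RFC2307 attributes that idmap_ad with schema_mode = rfc2307 needs (uidNumber, gidNumber, unixHomeDirectory, loginShell) when they are missing, and flags ids that fall outside the configured range. The ldapsearch invocation, the base DN and both sample entries are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check a user's AD entry for the RFC2307
# attributes that idmap_ad (schema_mode = rfc2307) reads, and confirm that
# uidNumber and gidNumber fall inside the configured idmap range.
# Input is LDIF text as ldapsearch prints it; both entries below are constructed.
# Assumes plain (non-base64) attribute values and numeric uidNumber/gidNumber.

# A query that would produce real input for the DNAME.local domain (not run here):
#   ldapsearch -LLL -Y GSSAPI -b 'DC=DNAME,DC=local' '(sAMAccountName=uname)' \
#       uidNumber gidNumber unixHomeDirectory loginShell

# Constructed entry with gidNumber and unixHomeDirectory missing.
INCOMPLETE_LDIF='dn: CN=uname,CN=Users,DC=DNAME,DC=local
uidNumber: 10042
loginShell: /bin/bash'

# Constructed entry that is complete and inside the thread's 10000-20000 range.
COMPLETE_LDIF='dn: CN=uname,CN=Users,DC=DNAME,DC=local
uidNumber: 10042
gidNumber: 10001
unixHomeDirectory: /home/uname
loginShell: /bin/bash'

# ldif_attr LDIF ATTR: print the first value of ATTR (case-insensitive), empty if absent.
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2:" 'tolower($1) == tolower(a) { print $2; exit }'
}

# check_rfc2307 LDIF LOW HIGH: print one line per problem; return 0 only if none.
check_rfc2307() {
    ldif=$1; low=$2; high=$3; rc=0
    for attr in uidNumber gidNumber unixHomeDirectory loginShell; do
        [ -n "$(ldif_attr "$ldif" "$attr")" ] || { echo "missing: $attr"; rc=1; }
    done
    for attr in uidNumber gidNumber; do
        v=$(ldif_attr "$ldif" "$attr")
        # an id outside "idmap config DOMAIN:range" is rejected even if the attribute exists
        if [ -n "$v" ] && { [ "$v" -lt "$low" ] || [ "$v" -gt "$high" ]; }; then
            echo "out of idmap range $low-$high: $attr=$v"; rc=1
        fi
    done
    return $rc
}

check_rfc2307 "$INCOMPLETE_LDIF" 10000 20000 || echo "uname: winbind cannot map this entry"
check_rfc2307 "$COMPLETE_LDIF" 10000 20000 && echo "uname: entry ok"
```

An entry that prints "missing: gidNumber" here matches the "Could not get unix ID" line in log.winbindd-idmap: the SID resolves to a name, but there is no POSIX id in AD for winbind to return.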
