Re: [Samba] Authenticating against a Windows 2000 DC?

2003-01-05 Thread Frank Matthieß
At  5.01.2003 on  4:29 CET  +0100, wrote Chris Palmer:
  From: Daniel Wittenberg [mailto:[EMAIL PROTECTED]]
 
  I don't have a url handy at the moment, but you want to look at using
  winbind, it'll do what you're looking for.
 
 Thanks for the clue. :)
 
 I found documentation for it at http://myserver:901/swat/help/winbindd.8.html. I 
followed the directions there to the letter, although I only changed 
/etc/pam.d/samba, none of the others. (Should I change any of the others?)

Samba-HOWTO-Collection Page 73.
 
 However, getent passwd and getent group show only the contents of my /etc/passwd 
and /etc/group, and not the stuff from my Windows domain. Also, I cannot log into 
SWAT anymore (!) -- although I can mount Samba shares on my Windows workstation using 
my Linux username and password (but not my Windows username/password).
 
 So clearly I'm missing some critical step.
 
 winbindd, smbd and nmbd are all running. My /etc/nsswitch.conf is as follows:
[...]
Seems to be correct.

 Here is /etc/pam.d/samba:
[...]

Seems to be correct.
 
 And the [global] section of /etc/samba/smb.conf:
[...]

Seems to be correct.

 Does anyone have any idea what I'm missing? Thanks in advance, again.

Does your Samba server DEV have a machine account in the domain?

Have you joined Samba to the domain?

For special users, have you set up a user mapping of Windows names to Unix
names?

man smb.conf:
   username map (G)
  This option allows you to specify a file containing a mapping of
  usernames from the clients to the server. This can be  used  for
  [...]
  You can map Windows usernames that have spaces in them by  using
  double quotes around the name. For example:

  tridge = Andrew Tridgell

  would  map  the  windows  username Andrew Tridgell to the unix
  username tridge.
  [...]
  
With regards 
Frank Matthieß.
-- 
Frank Matthieß [EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba



RE: [Samba] Authenticating against a Windows 2000 DC?

2003-01-05 Thread Andrew Bartlett
On Sun, 2003-01-05 at 14:38, Chris Palmer wrote:
 Here is some additional information from my /var/log/messages:
 
 ===
 Jan  4 19:04:07 dev winbind: winbindd startup succeeded
 Jan  4 19:04:08 dev smb: smbd startup succeeded
 Jan  4 19:04:09 dev smb: nmbd startup succeeded
 Jan  4 19:08:22 dev sshd(pam_unix)[935]: session opened for user chris by (uid=0)
 Jan  4 19:08:41 dev pam_winbind[978]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
 Jan  4 19:08:41 dev pam_winbind[978]: internal module error (retval = 4, user = `root'
 Jan  4 19:09:05 dev pam_winbind[980]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
 Jan  4 19:09:05 dev pam_winbind[980]: internal module error (retval = 4, user = `root'
 Jan  4 19:09:21 dev pam_winbind[983]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
 Jan  4 19:09:21 dev pam_winbind[983]: internal module error (retval = 4, user = ` bibble'
 Jan  4 19:09:21 dev PAM_pwdb[983]: check pass; user unknown
 Jan  4 19:09:42 dev su(pam_unix)[984]: session opened for user root by chris(uid=500)
 Jan  4 19:10:08 dev pam_winbind[1038]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
 Jan  4 19:10:08 dev pam_winbind[1038]: internal module error (retval = 4, user = ` bibble'
 Jan  4 19:10:08 dev PAM_pwdb[1038]: check pass; user unknown
 Jan  4 19:10:11 dev pam_winbind[1040]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
 Jan  4 19:10:11 dev pam_winbind[1040]: internal module error (retval = 4, user = ` bibble'
 Jan  4 19:10:11 dev PAM_pwdb[1040]: check pass; user unknown
 Jan  4 19:10:22 dev smb: smbd shutdown succeeded
 Jan  4 19:10:22 dev smb: nmbd shutdown succeeded
 Jan  4 19:10:22 dev smb: smbd startup succeeded
 Jan  4 19:10:22 dev smb: nmbd startup succeeded
 Jan  4 19:10:26 dev winbind: winbindd shutdown succeeded
 Jan  4 19:10:26 dev winbind: winbindd startup succeeded
 Jan  4 19:10:42 dev pam_winbind[1098]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
 Jan  4 19:10:42 dev pam_winbind[1098]: internal module error (retval = 4, user = ` bibble'
 Jan  4 19:10:42 dev PAM_pwdb[1098]: check pass; user unknown
 Jan  4 19:10:55 dev pam_winbind[1100]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
 Jan  4 19:10:55 dev pam_winbind[1100]: internal module error (retval = 4, user = `root'
 Jan  4 19:14:51 dev pam_winbind[1124]: user 'chris' granted acces
 Jan  4 19:14:51 dev samba(pam_unix)[1124]: session opened for user chris by (uid=0)
 Jan  4 19:27:18 dev pam_winbind[1182]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
 Jan  4 19:27:18 dev pam_winbind[1182]: internal module error (retval = 4, user = `root'
 ===
 
 I did not enter  bibble as my user name, and yet that's what the log shows. 
internal module error sure sounds bad, but I don't know what it means.

Both are features of Samba 2.2.  The first is a hack to avoid some nasty
'remote username guessing' attacks against SWAT.  Don't worry about
them.

The 'internal module error' is just because the old pam_winbind code was
very simple.  It's not relevant here, as long as your configuration
still allows the 'old' PAM modules to authorize the login.  Look at what
you changed in the PAM file, and make sure you only add new 'sufficient'
entries, instead of removing other lines.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
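
Added example, not part of the original messages: a small Python check that applies the advice above (add pam_winbind.so only as 'sufficient', keep the other lines) to the /etc/pam.d/samba posted in this thread. The REVISED stack and the function names are assumptions made for illustration, and only simple control keywords are handled.

```python
# /etc/pam.d/samba as posted in this thread (whitespace normalised).
POSTED = """\
#%PAM-1.0
account required /lib/security/pam_winbind.so
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
"""

# Constructed variant (assumption): winbind is 'sufficient', a local module stays.
REVISED = POSTED.replace(
    "account required /lib/security/pam_winbind.so",
    "account sufficient /lib/security/pam_winbind.so\n"
    "account required /lib/security/pam_pwdb.so",
)


def parse_pam(text):
    """Return (type, control, module basename) for every rule line."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenise
        if len(fields) >= 3:
            rules.append((fields[0], fields[1], fields[2].rsplit("/", 1)[-1]))
    return rules


def audit(text, module="pam_winbind.so"):
    """Flag stacks where `module` is not 'sufficient' or is the only module."""
    findings = []
    rules = parse_pam(text)
    for ptype in ("auth", "account", "password", "session"):
        stack = [(c, m) for t, c, m in rules if t == ptype]
        if module not in [m for _, m in stack]:
            continue  # winbind not used for this management group
        for control, mod in stack:
            if mod == module and control != "sufficient":
                findings.append(f"{ptype}: {module} is '{control}', not 'sufficient'")
        if all(m == module for _, m in stack):
            findings.append(f"{ptype}: no other module left for local accounts")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(POSTED)) or "no findings")
```
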





Re: [Samba] Authenticating against a Windows 2000 DC?

2003-01-04 Thread Daniel Wittenberg
I don't have a url handy at the moment, but you want to look at using
winbind, it'll do what you're looking for.

Dan


On Sat, 2003-01-04 at 20:17, Chris Palmer wrote:
 I apologize in advance if this is a FAQ, but I couldn't find the FAQ document for 
this list. I also could not find anything relevant in other Samba documentation 
sources like http://hr.uoregon.edu/davidrl/samba.html.
 
 There seems to be plenty of information about using Samba *as* a DC, but I want to 
know if I can use Samba *with* a Windows 2000 DC. We have two DCs running Windows 
2000, a W2K file server and a Linux/Samba file server (in standalone mode). We have 
to manage users and groups separately on the Linux and Windows systems, and that's no 
fun.
 
 We are running Samba 2.2.7 on Red Hat 7.3 (although sometimes RH's version numbers 
are not quite in synch with the original developer's):
 
 ===
 $ rpm -qa | grep samba
 samba-common-2.2.7-1.7.3
 samba-2.2.7-1.7.3
 samba-swat-2.2.7-1.7.3
 samba-client-2.2.7-1.7.3
 ===
 
 Is the feature I want in this version? Or, is the feature I want in development? Or, 
is there some other setup I can use to get authentication out of the DCs via LDAP 
(Windows 2000 uses a moderately bastardized LDAP for authentication), and then have 
Samba use that?
 
 
 Thanks in advance,
 -- 
 Chris Palmer    Systems Programmer    GeneEd





RE: [Samba] Authenticating against a Windows 2000 DC?

2003-01-04 Thread Chris Palmer
 From: Daniel Wittenberg [mailto:[EMAIL PROTECTED]]

 I don't have a url handy at the moment, but you want to look at using
 winbind, it'll do what you're looking for.

Thanks for the clue. :)

I found documentation for it at http://myserver:901/swat/help/winbindd.8.html. I 
followed the directions there to the letter, although I only changed /etc/pam.d/samba, 
none of the others. (Should I change any of the others?)

However, getent passwd and getent group show only the contents of my /etc/passwd 
and /etc/group, and not the stuff from my Windows domain. Also, I cannot log into SWAT 
anymore (!) -- although I can mount Samba shares on my Windows workstation using my 
Linux username and password (but not my Windows username/password).

So clearly I'm missing some critical step.

winbindd, smbd and nmbd are all running. My /etc/nsswitch.conf is as follows:

===
passwd: files winbind
shadow: files nisplus
group:  files winbind
hosts:  files nisplus dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks:   files
networks:   files
protocols:  files nisplus
rpc:        files
services:   files nisplus
netgroup:   files nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus
===

(I am not using nisplus, btw.)

Here is /etc/pam.d/samba:

===
#%PAM-1.0
account    required     /lib/security/pam_winbind.so
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
===

And the [global] section of /etc/samba/smb.conf:

===
[global]
security = domain
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
winbind uid = 1-2
winbind gid = 1-2
password server = *
workgroup = GENEEDINC
netbios name = DEV
server string = Dev Samba Server
encrypt passwords = Yes
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
guest account =
printing = lprng
===

Does anyone have any idea what I'm missing? Thanks in advance, again.


-- 
Chris Palmer    Systems Programmer    GeneEd



RE: [Samba] Authenticating against a Windows 2000 DC?

2003-01-04 Thread Chris Palmer
Here is some additional information from my /var/log/messages:

===
Jan  4 19:04:07 dev winbind: winbindd startup succeeded
Jan  4 19:04:08 dev smb: smbd startup succeeded
Jan  4 19:04:09 dev smb: nmbd startup succeeded
Jan  4 19:08:22 dev sshd(pam_unix)[935]: session opened for user chris by (uid=0)
Jan  4 19:08:41 dev pam_winbind[978]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan  4 19:08:41 dev pam_winbind[978]: internal module error (retval = 4, user = `root'
Jan  4 19:09:05 dev pam_winbind[980]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan  4 19:09:05 dev pam_winbind[980]: internal module error (retval = 4, user = `root'
Jan  4 19:09:21 dev pam_winbind[983]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan  4 19:09:21 dev pam_winbind[983]: internal module error (retval = 4, user = ` bibble'
Jan  4 19:09:21 dev PAM_pwdb[983]: check pass; user unknown
Jan  4 19:09:42 dev su(pam_unix)[984]: session opened for user root by chris(uid=500)
Jan  4 19:10:08 dev pam_winbind[1038]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan  4 19:10:08 dev pam_winbind[1038]: internal module error (retval = 4, user = ` bibble'
Jan  4 19:10:08 dev PAM_pwdb[1038]: check pass; user unknown
Jan  4 19:10:11 dev pam_winbind[1040]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan  4 19:10:11 dev pam_winbind[1040]: internal module error (retval = 4, user = ` bibble'
Jan  4 19:10:11 dev PAM_pwdb[1040]: check pass; user unknown
Jan  4 19:10:22 dev smb: smbd shutdown succeeded
Jan  4 19:10:22 dev smb: nmbd shutdown succeeded
Jan  4 19:10:22 dev smb: smbd startup succeeded
Jan  4 19:10:22 dev smb: nmbd startup succeeded
Jan  4 19:10:26 dev winbind: winbindd shutdown succeeded
Jan  4 19:10:26 dev winbind: winbindd startup succeeded
Jan  4 19:10:42 dev pam_winbind[1098]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan  4 19:10:42 dev pam_winbind[1098]: internal module error (retval = 4, user = ` bibble'
Jan  4 19:10:42 dev PAM_pwdb[1098]: check pass; user unknown
Jan  4 19:10:55 dev pam_winbind[1100]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan  4 19:10:55 dev pam_winbind[1100]: internal module error (retval = 4, user = `root'
Jan  4 19:14:51 dev pam_winbind[1124]: user 'chris' granted acces
Jan  4 19:14:51 dev samba(pam_unix)[1124]: session opened for user chris by (uid=0)
Jan  4 19:27:18 dev pam_winbind[1182]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jan  4 19:27:18 dev pam_winbind[1182]: internal module error (retval = 4, user = `root'
===

I did not enter  bibble as my user name, and yet that's what the log shows. 
internal module error sure sounds bad, but I don't know what it means.


-- 
Chris Palmer    Systems Programmer    GeneEd