LinuxQuestions.org
Forums > Linux Forums > Linux - Security
#1 acb67 (Member), 07-16-2003, 04:56 PM
Kerberos, Samba, Winbind


I am trying to get authentication against AD using Winbind and Samba 3. We use Kerberos 5 as well. I know that winbind is running properly because when I run wbinfo -a, I get success messages. The problem seems to be when I try to play with the pam modules. For kicks, here is the pam module for sshd:

#%PAM-1.0
auth sufficient pam_winbind.so debug
auth sufficient pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account sufficient pam_winbind.so debug
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none # trace or debug
session required pam_limits.so

The frustrating thing is that nothing shows up in the logs. Since the auth is set to sufficient above, I can still use the service using my local credentials. This shows up in the logfiles: it shows pam_winbind failing while pam_unix2 succeeds. But when I try to use the service with DOMAIN+username, nothing shows up in the logs. All I get is a permission denied when I try to use the service.

I don't know if this problem could be related to the fact that we are using Krb and the PDC might not be configured for that? I am not familiar with the specifics of everything yet. Any ideas? Any help is much appreciated.

Thanks in advance,
Aaron
#2 dai (Member, Wales), 07-18-2003, 08:01 PM
I'm not familiar with the setup you're discussing as such, but as nobody has replied to you I'll try to offer some help (if I can).

You say you're using Kerberos to authenticate. Is Kerberos set up already, and if so, do you have problems authenticating other machines on the network?

If so then maybe the KDC (Key Distribution Centre) hasn't been set up correctly. I know I am grasping slightly, but as you mentioned that your PDC may not be set up for Kerberos, I just thought that I'd point out that you would need to set a machine up to deal with this in order to integrate correctly with AD. Kerberos and AD on Win 2k are tightly integrated, and as such any AD authentication via Kerberos would require the use of a Key Distribution Centre to access the AD database to check the details and obviously to allow authentication and TGT (Ticket to Get Ticket) generation.
#3 acb67 (Member, Original Poster), 07-21-2003, 08:44 AM
Thanks for the help. I actually dug a little deeper and it turns out that Kerberos is not yet in production, just testing. So I am not actually using Kerberos when trying to use winbind and AD. Your comment helped, though, as I was able to probe and find out that our AD servers are not set up to handle Kerberos. It will be something that we will be adding, though.

I have found that I am having a problem with my PAM modules, pam_winbind.so to be specific. It seems to be failing on me when I try to use the login PAM config:

Jul 18 16:29:24 pam_winbind[20827]: Verify user `xxxx+xxxx'
Jul 18 16:29:25 pam_winbind[20827]: user 'xxxx+xxxx' granted acces
Jul 18 16:15:36 pam_winbind[20781]: user `xxxx+xxxx' not found
Jul 18 16:29:25 login[20827]: pam_unix2: pam_sm_acct_mgmt() called
Jul 18 16:29:27 login[20827]: pam_unix2: pam_ldap returned 10
Jul 18 16:29:27 login[20827]: User not known to the underlying authentication module

Here is the PAM config for login:

auth required pam_securetty.so debug
auth required pam_winbind.so debug
auth requisite pam_unix2.so debug,nullok #set_secrpc
auth required pam_nologin.so debug
auth required pam_homecheck.so debug
auth required pam_env.so debug
auth required pam_mail.so debug
account sufficient pam_winbind.so debug
account required pam_unix2.so debug
password required pam_pwcheck.so debug,nullok
password required pam_unix2.so debug,nullok use_first_pass use_authtok
session required pam_unix2.so debug,none # debug or trace
session required pam_limits.so debug

It looks like it is failing when it hits the 'account sufficient pam_winbind.so' section. If I comment this out, it disappears from the logs.

Any ideas?
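As an added illustration (not from the thread), the Python below walks the login stack posted above using libpam's classic control-flag rules. It shows why a failed 'sufficient' pam_winbind line is simply skipped and the decision passes to the 'required' pam_unix2 line, which then reports a DOMAIN+user as unknown, while a local user still passes. The module outcomes fed in are constructed to match the log excerpt.

```python
# The 'login' PAM config as posted above (auth and account phases only).
LOGIN_PAM = """
auth required pam_securetty.so debug
auth required pam_winbind.so debug
auth requisite pam_unix2.so debug,nullok #set_secrpc
auth required pam_nologin.so debug
auth required pam_homecheck.so debug
auth required pam_env.so debug
auth required pam_mail.so debug
account sufficient pam_winbind.so debug
account required pam_unix2.so debug
"""

def parse_stack(text, phase):
    """Return [(control, module)] for one phase; comments and args dropped."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ptype, control, module = line.split()[:3]
            if ptype == phase:
                stack.append((control, module))
    return stack

def run_stack(stack, results):
    """Final verdict for a stack given each module's result (True = success).

    Modules absent from `results` are assumed to succeed (pam_env etc.).
    Classic libpam semantics: 'required' records the first failure but keeps
    going; 'requisite' fails on the spot; 'sufficient' returns success at once
    unless an earlier 'required' already failed, and its own failure is
    ignored; 'optional' never decides the outcome here.
    """
    first_failure = None
    for control, module in stack:
        ok = results.get(module, True)
        if control == "required" and not ok and first_failure is None:
            first_failure = module
        elif control == "requisite" and not ok:
            return ("fail", module)
        elif control == "sufficient" and ok and first_failure is None:
            return ("success", module)
    return ("fail", first_failure) if first_failure else ("success", None)

ACCOUNT = parse_stack(LOGIN_PAM, "account")
AUTH = parse_stack(LOGIN_PAM, "auth")

# Thread's symptom (constructed outcomes): getpwnam() cannot see DOMAIN+user,
# so winbind's account check fails, is ignored, and pam_unix2 decides.
DOMAIN_USER_BROKEN = {"pam_winbind.so": False, "pam_unix2.so": False}
```

Running the auth stack with pam_winbind failing shows a second problem with this config: because pam_winbind is 'required' there rather than 'sufficient' as in the sshd stack, a purely local user is refused as well.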
#4 dai (Member, Wales), 07-21-2003, 11:21 AM
I've not used PAM at all, or winbind. But what it looks like is that the user that is trying to be authenticated doesn't exist.

You could check the user exists and is configured correctly. Again, I wouldn't be able to help a great deal with specific problems as I've not used either. But try using a different user account to test it.

Other than this I'm not too sure, but if the problems continue post back; I'm sure somebody will be able to help you.

Dai
#5 acb67 (Member, Original Poster), 07-21-2003, 11:36 AM
Yes, that is the error that it is giving. The user exists in the AD. You can see that winbind acknowledges this since it says 'user granted access.' The problem looks like it is coming at a different spot. That error about 'user not found' is attributed to "account sufficient pam_winbind.so" in the pam module. I can't figure out exactly why this is failing.
#6 dai (Member, Wales), 07-21-2003, 11:58 AM
Again, as I've not used PAM I'm only guessing. But is it possible that you need to re-register the user with PAM?

Could just be an issue with the registered user in PAM; try re-registering it in PAM and possibly re-create the account in AD/Winbind.

#7 acb67 (Member, Original Poster), 07-22-2003, 06:30 PM
I think I've gotten a step closer. The entry in pam 'account sufficient pam_winbind.so' performs a getpwnam() on the username. For some reason, it doesn't seem to be going out to the PDC to do this.

Is there a way to change this or get it to recognize the PDC?
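Added example, not from the thread: glibc's getpwnam() only consults the sources listed on the passwd: line of /etc/nsswitch.conf, so the winbind NSS module has to be listed there (and on group:) before any getpwnam() caller, pam_winbind's account check included, can see a DOMAIN+user, whatever wbinfo reports. The script checks a constructed sample nsswitch.conf for that and produces the corrected lines; the sample file content is made up for the example.

```python
import re

# Constructed sample of /etc/nsswitch.conf as typically shipped before
# winbind is enabled (not taken from the thread).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:     compat
group:      compat   # local groups only
hosts:      files dns
"""

DATABASES = ("passwd", "group")

def nss_sources(text):
    """Map each NSS database name to its ordered list of sources."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        sources[name.strip()] = rest.split()
    return sources

def missing_winbind(text):
    """Return the databases glibc would resolve without ever asking winbind.

    getpwnam()/getgrnam() walk only the listed sources, so a database without
    'winbind' here never returns DOMAIN+user, regardless of winbindd's state.
    """
    sources = nss_sources(text)
    return [db for db in DATABASES if "winbind" not in sources.get(db, [])]

def add_winbind(text):
    """Append 'winbind' after the local sources on the passwd/group lines,
    keeping any trailing comment in place."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^(passwd|group):(\s*)([^#]*?)(\s*#.*)?$", line)
        if m and "winbind" not in m.group(3).split():
            line = f"{m.group(1)}:{m.group(2)}{m.group(3)} winbind{m.group(4) or ''}"
        out.append(line)
    return "\n".join(out) + "\n"
```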
#8 unalgu (LQ Newbie), 08-21-2003, 07:41 AM
Join SAMBA 3.0 to AD by using Kerberos

Hi,
I am also trying to use Samba 3.0 as an ADS member.
I have "encrypt passwords=yes" in smb.conf.

My krb5.conf is OK because kinit works well.

But I cannot reach any shares on Samba, both with smbclient and from a Windows machine.

Any opinion?