Getting pam working with samba (with active directory authentication)

kcorupe · 05-01-2008, 12:40 PM

hey, I'm having a problem getting smb with AD auth. working with pam. this is the error msg I get. I think it has something to do with pam not knowing what the domain prefix means...

If I set smb.conf to ignore pam restrictions everything works fine, but I am under the impression that I need pam for dynamically creating users home directories for windows smb clients. ... please correct me if I'm wrong.

Code:

[2008/05/01 10:26:50, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: winbind authentication for user [kcorupe] succeeded
[2008/05/01 10:26:50, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/05/01 10:26:50, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/05/01 10:26:50, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/05/01 10:26:50, 0] auth/pampass.c:smb_pam_account(566)
  smb_pam_account: PAM: User "WINIX+" is NOT known to account management
[2008/05/01 10:26:50, 2] auth/pampass.c:smb_pam_error_handler(73)
  smb_pam_error_handler: PAM: Account Check Failed : User not known to the underlying authentication module
[2008/05/01 10:26:50, 0] auth/pampass.c:smb_pam_accountcheck(780)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User WINIX+!
[2008/05/01 10:26:50, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/05/01 10:26:50, 3] auth/auth.c:check_ntlm_password(299)
  check_ntlm_password:  PAM Account for user [WINIX+] FAILED with error NT_STATUS_NO_SUCH_USER
[2008/05/01 10:26:50, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/05/01 10:26:50, 3] smbd/process.c:timeout_processing(1328)
  timeout_processing: End of file from client (client has disconnected).
[2008/05/01 10:26:50, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/05/01 10:26:50, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to 
[2008/05/01 10:26:50, 3] smbd/server.c:exit_server_common(768)
  Server exit (normal exit)

/etc/pam.d/samba

Code:

#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
password   include      system-auth
auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so likeauth nullok use_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
password   required     pam_cracklib.so retry=3 type=
password   sufficient   pam_unix.so nullok use_authtok md5 shadow
password   required     pam_deny.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     pam_limits.so
session    required     pam_unix.so

/etc/smb.conf

Code:

[global]
   workgroup = WINIX
   realm = ********.**********
   preferred master = no
   server string = File Server
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = true
   winbind nested groups = Yes
   winbind separator = +
   idmap uid = 600-20000
   idmap gid = 600-20000
   #template primary group = "Domain Users"
   template shell = /bin/bash
#   obey pam restrictions = no
#   winbind use default domain = yes

obey pam restrictions = yes
pam password change = yes

lukost · 05-01-2008, 05:12 PM

Hi
you get NT_STATUS_NO_SUCH_USER... and this means just what this means. Your system tries to authenticate user named 'WINIX+' which is wrong. If you do not have anything against using 'standard' M$ login string (aka DOMAIN\user instead of DOMAIN+user) comment out this line:
winbind separator = +

and restart samba/winbind.

Check if the domain works:
wbinfo -u

You should get all the users, both from the domain and your machine (/etc/passwd).

You already have the pam module for creating userdirs:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/

Remember to create the base dir in /home (WINIX in your case).

cheers,
lukost

kcorupe · 05-01-2008, 05:30 PM

Thank you very much for the help, it works like a charm now!

I have another issue, I'm trying to allow the domain users access to their old home folders from a previous file server.

the error msg I receive is:

Code:

[2008/05/01 15:22:14, 3] smbd/password.c:register_vuid(280)
  User name: WINIX\kcorupe      Real name: 
[2008/05/01 15:22:14, 3] smbd/password.c:register_vuid(301)
  UNIX uid 10030 is UNIX user WINIX\kcorupe, and will be vuid 101
[2008/05/01 15:22:14, 3] smbd/password.c:register_vuid(332)
  Adding homes service for user 'WINIX\kcorupe' using home directory: '/home/WINIX/kcorupe'
[2008/05/01 15:22:14, 3] param/loadparm.c:lp_add_home(2663)
  adding home's share [kcorupe] for user 'WINIX\kcorupe' at '/d2/file_store/ce-files/users/%U'

[2008/05/01 15:22:14, 3] smbd/msdfs.c:get_referred_path(624)
  get_referred_path: |kcorupe| in dfs path \10.0.0.218\kcorupe is not a dfs root.
[2008/05/01 15:22:14, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/trans2.c(6205) cmd=50 (SMBtrans2) NT_STATUS_NOT_FOUND


[2008/05/01 15:22:14, 2] smbd/service.c:make_connection_snum(616)
  user 'WINIX\kcorupe' (from session setup) not permitted to access this share (kcorupe)
[2008/05/01 15:22:14, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

smb config is:

Code:

[global]
   workgroup = WINIX
   realm = CORPEDIA.INTERNAL
   preferred master = no
   server string = File Server
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
#   printcap name = cups
#   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = true
   winbind nested groups = Yes
#   winbind separator = +
   idmap uid = 600-20000
   idmap gid = 600-20000
   #template primary group = "Domain Users"
   template shell = /bin/bash
#   obey pam restrictions = no
#   winbind use default domain = yes

obey pam restrictions = yes
#pam password change = yes

#root preexec = /usr/local/sbin/mkhomedir.sh %U
#template homedir = /home/WINIX+%U

[homes]
   comment = Home Direcotries
   path = /d2/file_store/ce-files/users/%U
   valid users = WINIX\"Domain Users"
   public = yes
   writeable = yes
   read only = No
   browseable = yes

lukost · 05-02-2008, 10:04 AM

Hi.

This is because samba does match AD users to their linux UIDs in funny way by default (it gives a new one when needed). So what you have to do is to chown all the user dirs to match their new UID's (you can get the new uids using wbinfo command).

There is a method to ensure that the ad-user-to-uid mapping is the same no matter where you configure winbind, but this won't help in your situation. Anyway if you haven't chowned all the dirs already i suggest putting this lines into your smb.conf:

idmap domains = WINIX
idmap config WINIX:backend = rid #enable remote AD-SID based uid mapping
idmap config WINIX:base_rid = 0 #start with 0
idmap config WINIX:range = 20000 - 49999 #AD uid mapping will result in uids between 20000 and 49999

The users will get the same uids from now on, no matter which machine you run winbind on. Even after re-installation.

I mean if user "maryann" has got uid 20000 this would be the same after reinstalling your machine and putting the same lines into the new smb.conf. This is because the uids are mapped based on AD user SID (or GUID) and not created dynamically on your machine.

cheers,
lukost