LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 05-01-2008, 12:40 PM   #1
kcorupe
Member
 
Registered: Nov 2004
Location: Arizona
Distribution: Arch
Posts: 107

Rep: Reputation: 15
Getting pam working with samba (with active directory authentication)


hey, I'm having a problem getting smb with AD auth. working with pam. this is the error msg I get. I think it has something to do with pam not knowing what the domain prefix means...

If I set smb.conf to ignore pam restrictions everything works fine, but I am under the impression that I need pam for dynamically creating users home directories for windows smb clients. ... please correct me if I'm wrong.

Code:
[2008/05/01 10:26:50, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: winbind authentication for user [kcorupe] succeeded
[2008/05/01 10:26:50, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/05/01 10:26:50, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/05/01 10:26:50, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/05/01 10:26:50, 0] auth/pampass.c:smb_pam_account(566)
  smb_pam_account: PAM: User "WINIX+" is NOT known to account management
[2008/05/01 10:26:50, 2] auth/pampass.c:smb_pam_error_handler(73)
  smb_pam_error_handler: PAM: Account Check Failed : User not known to the underlying authentication module
[2008/05/01 10:26:50, 0] auth/pampass.c:smb_pam_accountcheck(780)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User WINIX+!
[2008/05/01 10:26:50, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/05/01 10:26:50, 3] auth/auth.c:check_ntlm_password(299)
  check_ntlm_password:  PAM Account for user [WINIX+] FAILED with error NT_STATUS_NO_SUCH_USER
[2008/05/01 10:26:50, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/05/01 10:26:50, 3] smbd/process.c:timeout_processing(1328)
  timeout_processing: End of file from client (client has disconnected).
[2008/05/01 10:26:50, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/05/01 10:26:50, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to 
[2008/05/01 10:26:50, 3] smbd/server.c:exit_server_common(768)
  Server exit (normal exit)

/etc/pam.d/samba

Code:
#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
password   include      system-auth
auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so likeauth nullok use_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
password   required     pam_cracklib.so retry=3 type=
password   sufficient   pam_unix.so nullok use_authtok md5 shadow
password   required     pam_deny.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     pam_limits.so
session    required     pam_unix.so

/etc/smb.conf

Code:
[global]
   workgroup = WINIX
   realm = ********.**********
   preferred master = no
   server string = File Server
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = true
   winbind nested groups = Yes
   winbind separator = +
   idmap uid = 600-20000
   idmap gid = 600-20000
   #template primary group = "Domain Users"
   template shell = /bin/bash
#   obey pam restrictions = no
#   winbind use default domain = yes

obey pam restrictions = yes
pam password change = yes
 
Old 05-01-2008, 05:12 PM   #2
lukost
Member
 
Registered: Apr 2008
Location: Gliwice, Poland
Distribution: Any. BSD most often ;-)
Posts: 31

Rep: Reputation: 15
Hi
you get NT_STATUS_NO_SUCH_USER... and this means just what this means. Your system tries to authenticate user named 'WINIX+' which is wrong. If you do not have anything against using 'standard' M$ login string (aka DOMAIN\user instead of DOMAIN+user) comment out this line:
winbind separator = +

and restart samba/winbind.

Check if the domain works:
wbinfo -u

You should get all the users, both from the domain and your machine (/etc/passwd).

You already have the pam module for creating userdirs:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/

Remember to create the base dir in /home (WINIX in your case).

cheers,
lukost
 
Old 05-01-2008, 05:30 PM   #3
kcorupe
Member
 
Registered: Nov 2004
Location: Arizona
Distribution: Arch
Posts: 107

Original Poster
Rep: Reputation: 15
Smile

Thank you very much for the help, it works like a charm now!


I have another issue, I'm trying to allow the domain users access to their old home folders from a previous file server.



the error msg I receive is:
Code:
[2008/05/01 15:22:14, 3] smbd/password.c:register_vuid(280)
  User name: WINIX\kcorupe      Real name: 
[2008/05/01 15:22:14, 3] smbd/password.c:register_vuid(301)
  UNIX uid 10030 is UNIX user WINIX\kcorupe, and will be vuid 101
[2008/05/01 15:22:14, 3] smbd/password.c:register_vuid(332)
  Adding homes service for user 'WINIX\kcorupe' using home directory: '/home/WINIX/kcorupe'
[2008/05/01 15:22:14, 3] param/loadparm.c:lp_add_home(2663)
  adding home's share [kcorupe] for user 'WINIX\kcorupe' at '/d2/file_store/ce-files/users/%U'

[2008/05/01 15:22:14, 3] smbd/msdfs.c:get_referred_path(624)
  get_referred_path: |kcorupe| in dfs path \10.0.0.218\kcorupe is not a dfs root.
[2008/05/01 15:22:14, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/trans2.c(6205) cmd=50 (SMBtrans2) NT_STATUS_NOT_FOUND


[2008/05/01 15:22:14, 2] smbd/service.c:make_connection_snum(616)
  user 'WINIX\kcorupe' (from session setup) not permitted to access this share (kcorupe)
[2008/05/01 15:22:14, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED


smb config is:


Code:
[global]
   workgroup = WINIX
   realm = CORPEDIA.INTERNAL
   preferred master = no
   server string = File Server
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
#   printcap name = cups
#   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = true
   winbind nested groups = Yes
#   winbind separator = +
   idmap uid = 600-20000
   idmap gid = 600-20000
   #template primary group = "Domain Users"
   template shell = /bin/bash
#   obey pam restrictions = no
#   winbind use default domain = yes

obey pam restrictions = yes
#pam password change = yes

#root preexec = /usr/local/sbin/mkhomedir.sh %U
#template homedir = /home/WINIX+%U

[homes]
   comment = Home Direcotries
   path = /d2/file_store/ce-files/users/%U
   valid users = WINIX\"Domain Users"
   public = yes
   writeable = yes
   read only = No
   browseable = yes
 
Old 05-02-2008, 10:04 AM   #4
lukost
Member
 
Registered: Apr 2008
Location: Gliwice, Poland
Distribution: Any. BSD most often ;-)
Posts: 31

Rep: Reputation: 15
Hi.

This is because samba does match AD users to their linux UIDs in funny way by default (it gives a new one when needed). So what you have to do is to chown all the user dirs to match their new UID's (you can get the new uids using wbinfo command).

There is a method to ensure that the ad-user-to-uid mapping is the same no matter where you configure winbind, but this won't help in your situation. Anyway if you haven't chowned all the dirs already i suggest putting this lines into your smb.conf:

idmap domains = WINIX
idmap config WINIX:backend = rid #enable remote AD-SID based uid mapping
idmap config WINIX:base_rid = 0 #start with 0
idmap config WINIX:range = 20000 - 49999 #AD uid mapping will result in uids between 20000 and 49999

The users will get the same uids from now on, no matter which machine you run winbind on. Even after re-installation.

I mean if user "maryann" has got uid 20000 this would be the same after reinstalling your machine and putting the same lines into the new smb.conf. This is because the uids are mapped based on AD user SID (or GUID) and not created dynamically on your machine.


cheers,
lukost
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
importing users from active directory into openldap and get working with samba kcorupe Linux - Server 2 11-18-2009 10:26 AM
Active Directory authentication was working, but not anymore cdavidson Suse/Novell 0 06-26-2007 01:18 PM
Samba with Active Directory authentication Ziggie Linux - Enterprise 5 02-02-2006 07:43 AM
Samba Active Directory Authentication zenix Linux - Networking 1 09-17-2005 04:26 AM
samba-authentication with Active Directory sanjeevsagoo Linux - Networking 2 05-07-2004 03:09 AM


All times are GMT -5. The time now is 07:55 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration