Getting pam working with samba (with active directory authentication)
Hey, I'm having a problem getting smb with AD authentication working with PAM. This is the error message I get. I think it has something to do with PAM not knowing what the domain prefix means...
If I set smb.conf to ignore PAM restrictions everything works fine, but I am under the impression that I need PAM for dynamically creating users' home directories for Windows SMB clients... please correct me if I'm wrong.
Code:
[2008/05/01 10:26:50, 3] auth/auth.c:check_ntlm_password(270)
check_ntlm_password: winbind authentication for user [kcorupe] succeeded
[2008/05/01 10:26:50, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/05/01 10:26:50, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/05/01 10:26:50, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/05/01 10:26:50, 0] auth/pampass.c:smb_pam_account(566)
smb_pam_account: PAM: User "WINIX+" is NOT known to account management
[2008/05/01 10:26:50, 2] auth/pampass.c:smb_pam_error_handler(73)
smb_pam_error_handler: PAM: Account Check Failed : User not known to the underlying authentication module
[2008/05/01 10:26:50, 0] auth/pampass.c:smb_pam_accountcheck(780)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User WINIX+!
[2008/05/01 10:26:50, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/05/01 10:26:50, 3] auth/auth.c:check_ntlm_password(299)
check_ntlm_password: PAM Account for user [WINIX+] FAILED with error NT_STATUS_NO_SUCH_USER
[2008/05/01 10:26:50, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/05/01 10:26:50, 3] smbd/process.c:timeout_processing(1328)
timeout_processing: End of file from client (client has disconnected).
[2008/05/01 10:26:50, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/05/01 10:26:50, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2008/05/01 10:26:50, 3] smbd/server.c:exit_server_common(768)
Server exit (normal exit)
Hi,
You get NT_STATUS_NO_SUCH_USER... and this means just what it says. Your system tries to authenticate a user named 'WINIX+', which is wrong. If you do not have anything against using the 'standard' M$ login string (aka DOMAIN\user instead of DOMAIN+user), comment out this line:
winbind separator = +
and restart Samba/winbind.
Check if the domain works:
wbinfo -u
You should get all the users, both from the domain and your machine (/etc/passwd).
You already have the PAM module for creating user dirs:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
Remember to create the base dir in /home (WINIX in your case).
Thank you very much for the help, it works like a charm now!
I have another issue: I'm trying to allow the domain users access to their old home folders from a previous file server.
The error message I receive is:
Code:
[2008/05/01 15:22:14, 3] smbd/password.c:register_vuid(280)
User name: WINIX\kcorupe Real name:
[2008/05/01 15:22:14, 3] smbd/password.c:register_vuid(301)
UNIX uid 10030 is UNIX user WINIX\kcorupe, and will be vuid 101
[2008/05/01 15:22:14, 3] smbd/password.c:register_vuid(332)
Adding homes service for user 'WINIX\kcorupe' using home directory: '/home/WINIX/kcorupe'
[2008/05/01 15:22:14, 3] param/loadparm.c:lp_add_home(2663)
adding home's share [kcorupe] for user 'WINIX\kcorupe' at '/d2/file_store/ce-files/users/%U'
[2008/05/01 15:22:14, 3] smbd/msdfs.c:get_referred_path(624)
get_referred_path: |kcorupe| in dfs path \10.0.0.218\kcorupe is not a dfs root.
[2008/05/01 15:22:14, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/trans2.c(6205) cmd=50 (SMBtrans2) NT_STATUS_NOT_FOUND
[2008/05/01 15:22:14, 2] smbd/service.c:make_connection_snum(616)
user 'WINIX\kcorupe' (from session setup) not permitted to access this share (kcorupe)
[2008/05/01 15:22:14, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
smb.conf is:
Code:
[global]
workgroup = WINIX
realm = CORPEDIA.INTERNAL
preferred master = no
server string = File Server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
# printcap name = cups
# printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = true
winbind nested groups = Yes
# winbind separator = +
idmap uid = 600-20000
idmap gid = 600-20000
#template primary group = "Domain Users"
template shell = /bin/bash
# obey pam restrictions = no
# winbind use default domain = yes
obey pam restrictions = yes
#pam password change = yes
#root preexec = /usr/local/sbin/mkhomedir.sh %U
#template homedir = /home/WINIX+%U
[homes]
comment = Home Directories
path = /d2/file_store/ce-files/users/%U
valid users = WINIX\"Domain Users"
public = yes
writeable = yes
read only = No
browseable = yes
This is because Samba matches AD users to their Linux UIDs in a funny way by default (it hands out a new one when needed). So what you have to do is chown all the user dirs to match their new UIDs (you can get the new UIDs using the wbinfo command).
There is a method to ensure that the AD-user-to-UID mapping is the same no matter where you configure winbind, but this won't help in your situation. Anyway, if you haven't chowned all the dirs already, I suggest putting these lines into your smb.conf (smb.conf only treats a line that starts with # or ; as a comment, so the comments go on their own lines):
# enable RID-based uid mapping for the WINIX domain (derived from the AD SID)
idmap domains = WINIX
idmap config WINIX:backend = rid
# start with RID 0
idmap config WINIX:base_rid = 0
# AD uid mapping will result in uids between 20000 and 49999
idmap config WINIX:range = 20000 - 49999
The users will get the same UIDs from now on, no matter which machine you run winbind on, even after reinstallation.
I mean, if user "maryann" has got UID 20000, this would be the same after reinstalling your machine and putting the same lines into the new smb.conf. This is because the UIDs are mapped based on the AD user's SID (or GUID) and not created dynamically on your machine.
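An added example to go with the reply above (editor's code, not from anyone in the thread): the idmap_rid backend assigns unix id = RID - base_rid + low_range, where the RID is the last component of the account's SID. The script below reproduces that arithmetic for the suggested range (20000-49999, base_rid 0), shows why the result is identical on every machine that carries the same config, and turns it into a review-before-run chown plan for the migrated home directories under /d2/file_store/ce-files/users. The domain SID and account RIDs are constructed for the example; the third account has a RID that falls outside the range, which is the case where winbind ends up with no mapping at all.

```shell
#!/bin/sh
# Added example (not from the thread): the idmap_rid arithmetic
#   unix id = RID - base_rid + low_range
# for "idmap config WINIX:range = 20000 - 49999" and "base_rid = 0",
# plus a chown plan for home directories migrated from an older server.
# Domain SID and RIDs below are constructed; real ones come from
# `wbinfo -n 'WINIX\user'`.

RID_LOW=20000          # idmap config WINIX:range = 20000 - 49999
RID_HIGH=49999
BASE_RID=0             # idmap config WINIX:base_rid = 0

# Constructed sample: "<username> <objectSID>" pairs, one per line.
# The last RID is deliberately too large for the configured range.
SAMPLE='kcorupe S-1-5-21-1111111111-2222222222-3333333333-1105
maryann S-1-5-21-1111111111-2222222222-3333333333-1106
svc_backup S-1-5-21-1111111111-2222222222-3333333333-40000'

# rid_to_uid SID: print the uid idmap_rid would hand out; fail when the RID
# does not fit the range (winbind then has no unix id for that account).
rid_to_uid() {
    sid=$1
    rid=${sid##*-}                      # last dash-separated component
    case "$rid" in
        ''|*[!0-9]*) echo "bad SID: $sid" >&2; return 2 ;;
    esac
    uid=$((rid - BASE_RID + RID_LOW))
    if [ "$uid" -lt "$RID_LOW" ] || [ "$uid" -gt "$RID_HIGH" ]; then
        echo "RID $rid of $sid is outside range $RID_LOW-$RID_HIGH" >&2
        return 1
    fi
    echo "$uid"
}

# uid_to_rid UID: the inverse, useful when a uid found on disk has to be
# traced back to the account it was assigned to.
uid_to_rid() {
    echo $(( $1 - RID_LOW + BASE_RID ))
}

# plan_chown BASEDIR: emit one chown per mappable user and a comment for the
# rest. Nothing is executed here; review the output, then pipe it through sh.
plan_chown() {
    base=$1
    printf '%s\n' "$SAMPLE" | while read -r user sid; do
        if uid=$(rid_to_uid "$sid" 2>/dev/null); then
            echo "chown -R $uid \"$base/$user\""
        else
            echo "# skip $user: $sid has no mapping in this range"
        fi
    done
}

plan_chown /d2/file_store/ce-files/users
```

On a joined box, `wbinfo -n 'WINIX\kcorupe'` prints the SID and `wbinfo -S <SID>` prints the uid winbind actually assigned, so the two can be compared with what the arithmetic predicts before any chown is run. The same range limit applies in production: any account whose RID exceeds low_range + 29999 here gets no uid at all, so size the range to the largest RID the domain has issued. One separate caveat on the log shown above: "not permitted to access this share" is what smbd reports when the session user does not satisfy `valid users`, and a group in that list needs a `@` or `+` prefix (`valid users = @"WINIX\Domain Users"`), so check that line independently of the uid mapping.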