LinuxQuestions.org
Old 01-19-2004, 03:52 AM   #1
rizza
LQ Newbie
 
Registered: Jan 2004
Posts: 12

Rep: Reputation: 0
Question I Need some help with SAMBA


Hey all,

I have got a problem with getting samba to work right for me. I am not a complete newbie; however, files concerning security (like the pam files and nsswitch.conf) are not my strongest point.

What I have done so far is edit the smb.conf to my liking, and I added the linux server to my PDC. That part went fine; however, I wanted to use the group names from the NT domain for security within the smb.conf (valid users @groupname). So I read in some documents I found on the internet that I had to use winbind. I followed all steps according to this document: de.samba.org/samba/docs/man/winbindd.8.html
I edited the /etc/nsswitch.conf file and the /etc/pam.d/samba file with the changes mentioned in the document mentioned above.

When I start the winbindd (from /etc/rc.d/init.d/winbindd start) I see the following in /etc/log/samba/log.winbindd:

[2004/01/19 10:23:14, 0] param/loadparm.c:map_parameter(2065)
Unknown parameter encountered: "idmap uid"
[2004/01/19 10:23:14, 0] param/loadparm.c:lp_do_parameter(2740)
Ignoring unknown parameter "idmap uid"
[2004/01/19 10:23:14, 0] param/loadparm.c:map_parameter(2065)
Unknown parameter encountered: "idmap gid"
[2004/01/19 10:23:14, 0] param/loadparm.c:lp_do_parameter(2740)
Ignoring unknown parameter "idmap gid"
[2004/01/19 10:23:15, 0] nsswitch/winbindd_util.c:winbindd_param_init(326)
winbind uid range missing or invalid

When I try the wbinfo -u command I get: Error looking up domain users.

My /etc/pam.d/samba looks like this atm:

#%PAM-1.0
#auth required pam_nologin.so
#auth required pam_stack.so service=system-auth
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok

#account required pam_stack.so service=system-auth
account required /lib/security/pam_winbind.so
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth

My /etc/nsswitch.conf looks like this atm:
passwd: files winbind
shadow: files
group: files winbind

hosts: files nisplus dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files nisplus
rpc: files
services: files nisplus

netgroup: files nisplus

publickey: nisplus

automount: files nisplus
aliases: files nisplus

Any more info I have has to do with the winbindd .. it doesn't seem to start OK, I can constantly start it and start it .. when I try to stop the service I get an error .. so there is something wrong in there .. I just can't figure out what it is.

The errors I mentioned above from the log.winbindd with the unknown parameter he probably gets from my smb.conf file. According to the document I mentioned above you had to add a few lines to the smb.conf:
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind seperator = +
winbind enum users = yes
winbind enum groups = yes

That's all the info I can think of right now to give you all .. I really would appreciate some help since I'm stuck atm.

Thanx in advance for replying. If the smb.conf file is needed in this thread then pls let me know.

With best regards,
rizza
 
Old 01-19-2004, 04:20 AM   #2
rizza
LQ Newbie
 
Registered: Jan 2004
Posts: 12

Original Poster
Rep: Reputation: 0
I was just thinking, it might have been unclear, but I don't think the winbindd is running; when I check with netstat or ps aux I don't see the process running (that would explain why I can start it and start it etc).
 
Old 01-19-2004, 07:15 AM   #3
rizza
LQ Newbie
 
Registered: Jan 2004
Posts: 12

Original Poster
Rep: Reputation: 0
Small add-on:

When I check the status of winbindd (/etc/rc.d/init.d/winbind status) I get:
winbindd dead but subsys locked

So I guess winbind is not running at all .. this error is also not seen much .. according to google.
 
Old 01-19-2004, 08:00 AM   #4
rizza
LQ Newbie
 
Registered: Jan 2004
Posts: 12

Original Poster
Rep: Reputation: 0
I solved the winbind problem; the problem was in the smb.conf file. According to the document I added in the 1st post I had to use: idmap uid = <id's> and idmap gid = <id's>. However, reading the winbind manual I found out that it had to be winbind uid and winbind gid. After changing these settings I was able to start winbindd just fine.

He still doesn't want to do lookups on users and groups, but this is a problem I will work on now. When I have found a solution I will post it here again. But if someone else has an idea, pls drop it here.
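
The failure in posts #1 and #4 (winbindd ignores a parameter it does not know, then stops on the missing range) can be spotted from the log alone. An added example, not part of any post in this thread: a shell function that pulls the ignored parameter names out of a log in the format rizza posted and finds where they are set in smb.conf. The function name, output format and sample smb.conf are assumptions; the log lines are copied from post #1 and the two rename hints come from post #4.

```shell
#!/bin/sh
# Added example (not from the thread): report the smb.conf parameters a
# Samba daemon logged as unknown, and where they are set in smb.conf.
# Usage: unknown_params LOGFILE SMB_CONF
# Output, one line per parameter: NAME|TIMES_LOGGED|CONF_LINE|SUGGESTION
unknown_params() {
    log=$1; conf=$2
    awk '/Unknown parameter encountered:/ && match($0, /"[^"]*"/) {
             print substr($0, RSTART + 1, RLENGTH - 2) }' "$log" |
    sort | uniq -c |
    while read -r times name; do
        # First uncommented smb.conf line that sets this parameter.
        line=$(awk -F= -v want="$name" '
            /^[ \t]*[;#]/ { next }
            { k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k) }
            k == tolower(want) { print NR; exit }' "$conf")
        # The two renames rizza reports in post #4 for his Samba 2.2 setup.
        case $name in
            "idmap uid") hint="winbind uid" ;;
            "idmap gid") hint="winbind gid" ;;
            *) hint="-" ;;
        esac
        echo "$name|$times|${line:--}|$hint"
    done
}

demo() {
    d=$(mktemp -d)
    # Log lines as posted in #1; the smb.conf is constructed for the example.
    cat > "$d/log.winbindd" <<'EOF'
[2004/01/19 10:23:14, 0] param/loadparm.c:map_parameter(2065)
Unknown parameter encountered: "idmap uid"
[2004/01/19 10:23:14, 0] param/loadparm.c:lp_do_parameter(2740)
Ignoring unknown parameter "idmap uid"
[2004/01/19 10:23:14, 0] param/loadparm.c:map_parameter(2065)
Unknown parameter encountered: "idmap gid"
EOF
    printf '%s\n' '[global]' 'idmap uid = 10000-20000' \
        'idmap gid = 10000-20000' > "$d/smb.conf"
    unknown_params "$d/log.winbindd" "$d/smb.conf"
    rm -rf "$d"
}
demo
```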
 
Old 01-19-2004, 08:44 AM   #5
rizza
LQ Newbie
 
Registered: Jan 2004
Posts: 12

Original Poster
Rep: Reputation: 0
Oke, I read through all the docs etc I could find, and I couldn't find anything I had wrong ... last resort .. I know it's corny .. but I tried a reboot .. but ... somehow I think something bad was started or not restarted correctly.

After the reboot all seemed to work just fine, incl. the wbinfo -u etc.
 
Old 01-19-2004, 09:32 AM   #6
aigartua
Member
 
Registered: Dec 2002
Location: Xalapa, Ver. México
Distribution: Red Hat
Posts: 108

Rep: Reputation: 15
What version of samba do you use? What distro? I use redhat9 and samba 3.0.1; this samba uses different configurations. I use this to accept logins on my linux box from users in my PDC win2k. I hope this helps you; remember that this conf works with samba 3:

.......
 
Old 01-19-2004, 09:55 AM   #7
aigartua
Member
 
Registered: Dec 2002
Location: Xalapa, Ver. México
Distribution: Red Hat
Posts: 108

Rep: Reputation: 15
1.- stop the samba services

/etc/init.d/smb stop
/etc/init.d/winbind stop

2.- important points in your smb.conf:

workgroup = MYDOMAIN
security = DOMAIN
password server = MYDOMAINNAME <- netbios name of your pdc or ip
encrypt passwords = yes
obey pam restrictions = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash <- only if you want, you can change to /sbin/nologin
template homedir = /home/MYDOMAIN+%U <- home directories like mydomain+username

3.- join your domain for samba:

net rpc join -S PDC_NETBIOSNAME -U administrator

4.- like the join: you must assign a user for winbind

wbinfo --set-auth-user=administrator

5.- modify /etc/nsswitch.conf

passwd: files winbind
shadow: files
group: files winbind

6.- modify /etc/pam.d/samba

#%PAM-1.0
auth sufficient pam_winbind.so
auth required pam_pwdb.so
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account sufficient pam_winbind.so
account required pam_pwdb.so
account required pam_stack.so service=system-auth
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth

7.- modify /etc/pam.d/system-auth

#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

8.- start the samba services

/etc/init.d/smb start
/etc/init.d/winbind start

9.- test the system

wbinfo -u
wbinfo -g
getent passwd
getent group

good luck !!
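
An added example, not part of aigartua's post: a shell check for the winbind uid / winbind gid ranges from step 2. It rejects a malformed range (the condition behind the "range missing or invalid" log line in post #1) and flags a range that contains an id already used by a local account, since that account and a mapped domain account would then share the id. The function name, output words and sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a winbind id range.
# Usage: check_range SMB_CONF "winbind uid" PASSWD_FILE   (or a group file)
# Prints one of: "ok LOW-HIGH", "missing", "invalid VALUE", "overlap NAME:ID".
check_range() {
    conf=$1; key=$2; db=$3
    # Last uncommented "key = value" wins. smb.conf ignores case and
    # whitespace in parameter names, so compare with both stripped.
    value=$(awk -F= -v want="$key" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
        /^[ \t]*[;#]/ { next }
        NF >= 2 {
            k = tolower($1); gsub(/[ \t]/, "", k)
            if (k == want) { v = $2; gsub(/[ \t\r]/, "", v); found = v }
        }
        END { print found }' "$conf")
    [ -n "$value" ] || { echo "missing"; return 1; }
    # Accept exactly two unsigned integers joined by one "-".
    case $value in
        *[!0-9-]* | -* | *- | *-*-*) echo "invalid $value"; return 1 ;;
        *-*) ;;
        *) echo "invalid $value"; return 1 ;;
    esac
    low=${value%-*}; high=${value#*-}
    [ "$low" -lt "$high" ] || { echo "invalid $value"; return 1; }
    # A local account whose id (field 3) lies inside the range would share
    # that id with whichever domain user or group winbind maps onto it.
    hit=$(awk -F: -v lo="$low" -v hi="$high" \
        '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3; exit }' "$db")
    [ -z "$hit" ] || { echo "overlap $hit"; return 1; }
    echo "ok $value"
}

# Constructed sample files (not rizza's or aigartua's real configuration).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '[global]' '; winbind uid = 500-600' \
        'winbind uid = 10000-20000' 'Winbind GID = 10000+20000' > "$d/smb.conf"
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
        'svc:x:10050:100::/home/svc:/bin/bash' > "$d/passwd"
    for k in "winbind uid" "winbind gid" "idmap uid"; do
        check_range "$d/smb.conf" "$k" "$d/passwd" || true
    done
    rm -rf "$d"
}
demo
```

For the gid range, pass /etc/group as the third argument; its third field is the gid.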
 
Old 01-19-2004, 09:58 AM   #8
aigartua
Member
 
Registered: Dec 2002
Location: Xalapa, Ver. México
Distribution: Red Hat
Posts: 108

Rep: Reputation: 15
If you need help with samba 2.x.x, post it and I will tell you the differences.
 
Old 01-19-2004, 12:48 PM   #9
rizza
LQ Newbie
 
Registered: Jan 2004
Posts: 12

Original Poster
Rep: Reputation: 0
Heya Aigartua,

First of all, thank you for replying.

For info, I use RH 8.0 (didn't use 9.0 since my server controller wasn't supported by HP/Compaq and 8.0 was). The samba version I use is 2.2 (the standard edition with RH 8.0).

I had a good look at your post, and I saw a few things I didn't edit yet.

Point 1 and 2 I have (well, something similar; atm I am at home and can't paste my current smb.conf file but I will tomorrow morning).

Point 3 I did with smbpasswd (the net command isn't in samba 2.2 yet).

Point 4 I didn't do yet (is this a one-time action? After the reboot of my server as I mentioned above I got a password prompt from winbind .. I entered my administrator password and it continued, so I guess that's the one he wanted to have .. will he keep asking me for this password after each reboot?)

Point 5 and 6 I have done.

Point 7 I haven't done, so I have to adjust it tomorrow also.

Point 8 I did, and wbinfo -u and -g worked nicely (however I did get some other errors in the log files which I will post tomorrow, because the authentication didn't go well yet; this could be because of Point 7).

I can explain better what still goes wrong atm with the log files I have at work, so tomorrow I will make an add-on to this post.

With best regards,
rizza
 
Old 01-19-2004, 01:02 PM   #10
aigartua
Member
 
Registered: Dec 2002
Location: Xalapa, Ver. México
Distribution: Red Hat
Posts: 108

Rep: Reputation: 15
OK, to join the domain in samba 2.x.x you must do it with:

smbpasswd -j MYDOMAIN -r PDC_NETBIOSNAME -U administrator

and to assign a user to winbind you must use:

wbinfo -A administrador
 
Old 01-19-2004, 01:11 PM   #11
rizza
LQ Newbie
 
Registered: Jan 2004
Posts: 12

Original Poster
Rep: Reputation: 0
Oke, those 2 things I have done.
 
Old 01-19-2004, 06:47 PM   #12
aigartua
Member
 
Registered: Dec 2002
Location: Xalapa, Ver. México
Distribution: Red Hat
Posts: 108

Rep: Reputation: 15
I think it is your pam configuration, or try to log in to your box using:

login: MYDOMAIN+user
passwd: ******
 
Old 01-20-2004, 01:54 AM   #13
rizza
LQ Newbie
 
Registered: Jan 2004
Posts: 12

Original Poster
Rep: Reputation: 0
I made the changes I mentioned above from your post; now when I try wbinfo -A administrator%password I get:

could not obtain winbind separator!
could not obtain winbind domain name!

After putting a ; in front of the obey pam restrictions line in the smb.conf I am able to do wbinfo -A and -g etc again.

However, when I see the login prompt in front of me and I use DOMAIN+Test for login (Test is an account on the domain) and try to log in with that, he always gives me a login incorrect. So for some reason the authentication isn't going well yet ...

from my messages file:
Jan 20 08:56:39 linux02 login[946]: FAILED LOGIN 1 FROM (null) FOR DOMAIN+Test, Authentication failure
Jan 20 08:59:04 linux02 pam_winbind[949]: request failed, PAM error was 7, NT error was NT_STATUS_LOGON_FAILURE
Jan 20 08:59:04 linux02 pam_winbind[949]: user `DOMAIN+test' denied access (incorrect password)
Jan 20 08:59:04 linux02 login(pam_unix)[949]: check pass; user unknown
Jan 20 08:59:04 linux02 login(pam_unix)[949]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=

Last edited by rizza; 01-20-2004 at 02:17 AM.
 
Old 01-20-2004, 08:42 AM   #14
rizza
LQ Newbie
 
Registered: Jan 2004
Posts: 12

Original Poster
Rep: Reputation: 0
Replying to myself .. how's that

I solved the above problem by not uncommenting the 'obey pam restrictions' line but by putting there a 'no' instead of 'yes'.

The problem that I keep having (which I was hoping would be solved as soon as I solved the above problem) is that I limit a share with 'valid users = &NT-GROUP' but when I try to connect to that share (whether or not I am added to that NT-GROUP) I always get a login / password prompt in front of me.

In the <servername>.log file (in /var/log/samba/) I see:

[2004/01/20 15:23:14, 0] smbd/password.c:authorise_login(863)
authorise_login: rejected invalid user nobody
<this message gets repeated 4 times>.
 
Old 01-20-2004, 09:31 AM   #15
aigartua
Member
 
Registered: Dec 2002
Location: Xalapa, Ver. México
Distribution: Red Hat
Posts: 108

Rep: Reputation: 15
Logins fail because the pam modules are turned off in samba; try adding these lines to smb.conf in the global section:

obey pam restrictions = yes
pam password change = yes

Afterwards check the config file with testparm and restart samba.
 