Samba, Pam, winbind and ADS
Greetings all - I have a frustrating issue which has stumped me. I'd appreciate a few wise suggestions!
I am running Debian (2.4.18-386) with Samba 3.0.2-1, winbind (3.0.2-1) and using PAM authentication against an ADS Win2003 domain. I'm only really using that authentication with Apache (1.3.29.0.1-5) so the users (we're a Windows shop) can use their normal network login to authenticate against my web-server.

So, all is sweetness and light and it works well. Trouble is, this morning I run my normal update/upgrade command (apt-get update ; apt-get dist-upgrade) and it updates Samba and winbind. And now the authentication is bust. The smb.conf file is unchanged. But something else must have happened.

But not completely broken. I can still mount Windows shares (and see my machine in the Windows network neighbourhood, although not access any of its shares from a Windows box). I can still authenticate using Kerberos (kinit user succeeds, although winbind -a user fails). I can join the realm ok (net ads join). But wbinfo -u (or -g) returns Error looking up domain users.

A similar issue happened a few weeks ago, with similar footprints. After three days of tweaking it suddenly worked for no obvious reason. (The tweaks seemed to have no effect - I'd left the tweaking for an hour or so and someone reported a successful login attempt.)

So I'm wondering if it's not my machine, it's perhaps something on the ADS server which doesn't like the fact that my Samba/Winbind has been updated and needs to be told. Perhaps it does update itself every once in a while (which is why, before, it 'suddenly' started working out of the blue) but I'd like to be able to tell it explicitly to do it.

Any ideas or suggestions? I'm happy to post logs and conf files as necessary! |
Try deleting the computer account in AD and rejoin the domain.
|
Thanks.
Yes, I did that. Both the sys admin deleting it from the Windows side and I ran net ads leave.

Interestingly net ads user -U user%password succeeds in giving back a list of valid network users, but wbinfo -u, which should do the same, fails with Error looking up domain users.

Can I configure Apache to use the ADS rather than winbind? Or am I totally confused?

cheers! |
There is some info on Apache authentication with ADS at this link that might be useful...
http://www.wlug.org.nz/ActiveDirecto...nticationNotes
Let me know if this helps. Good luck!
Kyle |
And, all of its own accord, it suddenly started working again.
I'm not sure if it was connected, but I'd just run wbinfo -D workgroup_name which seemed to hang, but I went to do something else, forgetting that it was hanging. Only it wasn't. Eventually it came back with correct answers, at which point, wbinfo -u|g worked and the authentication was back, too.

I don't know if that was all coincidence, that the wbinfo -D was a cause of the fix or just the first thing to happen once it fixed itself. I am still suspicious that the apt-get upgrade changed something which, eventually, got reset.

So, any easy ways of getting apt-get to update everything apart from a specific list of exceptions?

cheers! |
Quote:
Magic. |