LinuxQuestions.org
Old 09-20-2016, 11:41 AM   #61
ivandi
Member
 
Registered: Jul 2009
Location: Québec, Canada
Distribution: CRUX, Debian
Posts: 528


Quote:
Originally Posted by kjhambrick View Post
One Q ... does it hurt to have the pam_krb5 Package installed on an AD DC Client ?

No.
 
1 members found this post helpful.
Old 09-20-2016, 02:33 PM   #62
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

So far, not working. I've installed the 4 new PAM-packages you (kjhambrick) recommended. I've also installed the smb.conf and pam.d/system-auth from Ivandi's SlackMATE/extra/setup/SAMBA_AD_DC/setup.ADS-client.sh. I've tried using that system-auth and also renaming the system-auth.ads to system-auth.

None of this lets me `su - mark` from a local user to domain user (mark). I can do this as root. Almost no matter what combination of pam.d and smb.conf configurations I use, I get the same basic errors in /var/log/secure:

Code:
Sep 20 15:20:47 labrat su[4712]: pam_winbind(su:auth): getting password (0x00000380)
Sep 20 15:20:51 labrat su[4712]: pam_winbind(su:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: The transport connection is now disconnected.
Sep 20 15:20:51 labrat su[4712]: pam_winbind(su:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'mark')
Sep 20 15:20:51 labrat su[4712]: pam_unix(su:auth): authentication failure; logname=mfoley uid=1000 euid=0 tty=/dev/pts/1 ruser=mfoley rhost=  user=mark
Sep 20 15:20:54 labrat su[4712]: pam_authenticate: Authentication failure
Sep 20 15:20:54 labrat su[4712]: FAILED su for mark by mfoley
Sep 20 15:20:54 labrat su[4712]: - /dev/pts/1 mfoley:mark
At one point, before adding these latest packages, and using the pam.d configs adapted from Ubuntu, I seemed closer:
Code:
Sep 20 05:49:26 labrat su[2794]: pam_unix(su:auth): authentication failure; logname=mfoley uid=1000 euid=0 tty=/dev/pts/1 ruser=mfoley rhost=  user=mark
Sep 20 05:49:26 labrat su[2794]: pam_winbind(su:auth): getting password (0x00000210)
Sep 20 05:49:26 labrat su[2794]: pam_winbind(su:auth): pam_get_item returned a password
Sep 20 05:49:26 labrat su[2794]: pam_winbind(su:auth): user 'mark' granted access
That seems to have at least returned the password.

I think this is *very* close. There must be some PAM config issue to get right. I'm not sure what's wrong. I believe I have everything exactly as described by kjhambrick and Ivandi.
 
Old 09-20-2016, 03:28 PM   #63
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 15.0 + Multilib
Posts: 2,159

Original Poster
mfoley --

Yes, it is VERY Close !

And until I install an AD DC, you've left me in the dust

In addition to installing /etc/pam.d/system-auth.ads, ivandi also said you need to install his /etc/nsswitch.conf.ads and /etc/samba/smb.conf.ads

Since you already installed etc/pam.d/system-auth.ads ...

Code:
cat /etc/samba/smb.conf.ads > /etc/samba/smb.conf
cat /etc/nsswitch.conf.ads > /etc/nsswitch.conf
Since you've already configured /etc/samba/smb.conf for your Domain and Realm, maybe compare the 'good stuff'

OTOH, /etc/nsswitch.conf DOES need the 'winbind' and 'wins' entries that you'll find in ivandi's /etc/nsswitch.conf.ads.
#
# cat /etc/nsswitch.conf.ads
#
Code:
passwd:         compat winbind
group:          compat winbind

hosts:          files dns wins
networks:       files

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
bootparams:     files

automount:      files
aliases:        files
Maybe, if it's not installed, this will fix it ???

Also, ivandi pointed at his README this morning http://www.bisdesign.ca/ivandi/slack...TE/pam/_README

Maybe a clue in there ?

-- kjh
 
Old 09-20-2016, 04:21 PM   #64
mfoley
kjhambrick: I've got the nsswitch.conf stuff in there.

In looking at that README, I don't have:

Download setup.LDAP.
The setup.LDAP script will create the initial databases and configs.
The script by itself is a how-to.

I'm very unclear on the instructions here. Is he talking about configuring a domain member or AD server? I didn't have to run LDAP setup on the AD server to get domain members to connect or domain users to login. In fact, these look like instructions for a "traditional" LDAP/Kerberos single-sign-on, not Active Directory.

I'll keep playing.
 
Old 09-20-2016, 05:28 PM   #65
kjhambrick
mfoley --

Silly Q but something that's bitten me before.

Is there a firewall in the way ?

And another thing that gets us from time to time is the Clocks on the Windows AD DC ...

What do you see if you:
Code:
grep '^server' /etc/ntp.conf
Is the AD DC the first ( and only ) unpounded server line ?

And is ntp running ?

And are your Clocks sync'd ?
Code:
ntpq -p
Another thing, have you rejoined the Domain and tested it ?
Code:
net ads testjoin
Beyond these dumb Qs that I'll bet you've checked I am at a loss.

I need to get the SAMBA AD DC Set Up so I can Keep Up

-- kjh

P.S. I don't believe we need LDAP what with running PAM + KRB5 + SAMBA ... but maybe I am wrong ...

Last edited by kjhambrick; 09-20-2016 at 05:29 PM. Reason: P.S.
 
Old 09-20-2016, 05:34 PM   #66
kjhambrick
mfoley --

I just now Googled your WBC_ERR_AUTH_ERROR

And there are a 'brazillion' hits.

Maybe ???

-- kjh
 
Old 09-20-2016, 07:27 PM   #67
ivandi
I just finished my workout, but while resting between the sets I installed three VMs. An AD DC and two clients. Joined cl1 and cl2 to dc. Logged in as administrator(AD administrator) on each client. Then from cl1 did ssh to cl2 w/o password and vice versa:

Code:
root@dc:~# net ads info
LDAP server: 192.168.0.2
LDAP server name: dc.example.net
Realm: EXAMPLE.NET
Bind Path: dc=EXAMPLE,dc=NET
LDAP port: 389
Server time: Tue, 20 Sep 2016 20:03:30 EDT
KDC server: 192.168.0.2
Server time offset: 0
Last machine account password change: Tue, 20 Sep 2016 18:55:47 EDT
Code:
Welcome to Linux 4.4.19 (tty2)

cl1 login: administrator
Password:
Linux 4.4.19.
Creating directory '/home/EXAMPLE/administrator'.
administrator@cl1:~$ id
uid=70501(administrator) gid=70514(domain users) groups=70514(domain users),70501(administrator),70513(domain admins),70519(schema admins),70520(enterprise admins),70521(group policy creator owners),70573(denied rodc password replication group)
administrator@cl1:~$ host cl2
cl2.example.net has address 192.168.0.4
administrator@cl1:~$ ssh cl2
The authenticity of host 'cl2 (192.168.0.4)' can't be established.
ECDSA key fingerprint is SHA256:8TAb8r8ShLt2jdgDU0ykBURKJfBqdm6f4mUkSkXzMS8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'cl2,192.168.0.4' (ECDSA) to the list of known hosts.
Last login: Tue Sep 20 19:46:39 EDT 2016 on tty2
Linux 4.4.19.
administrator@cl2:~$
Code:
Welcome to Linux 4.4.19 (tty2)

cl2 login: administrator
Password:
Linux 4.4.19.
Creating directory '/home/EXAMPLE/administrator'.
administrator@cl2:~$ id
uid=70501(administrator) gid=70514(domain users) groups=70514(domain users),70501(administrator),70513(domain admins),70519(schema admins),70520(enterprise admins),70521(group policy creator owners),70573(denied rodc password replication group)
administrator@cl2:~$ ssh cl1
The authenticity of host 'cl1 (192.168.0.3)' can't be established.
ECDSA key fingerprint is SHA256:OGh65milbyRqdeGcDXs4V8vKUdmTv3DiMPaSFk9UgeQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'cl1,192.168.0.3' (ECDSA) to the list of known hosts.
Last login: Tue Sep 20 19:23:34 EDT 2016 on tty2
Linux 4.4.19.
administrator@cl1:~$

PAM makes you stronger ... if she doesn't kill you first


Cheers.
 
2 members found this post helpful.
Old 09-21-2016, 01:09 AM   #68
mfoley
kjhambrick: Yes, I have ntp running correctly, no firewall, testjoin OK. As I mentioned, I do have all this running on Ubuntu.

ivandi: here's my `net ads info` (note that host labrat is my Slackware domain member and urat is my Ubuntu domain member):
Code:
1 01:43:06 root@labrat:~
# net ads info
LDAP server: 192.168.0.2
LDAP server name: mail.hprs.local
Realm: HPRS.LOCAL
Bind Path: dc=HPRS,dc=LOCAL
LDAP port: 389
Server time: Wed, 21 Sep 2016 01:43:44 EDT
KDC server: 192.168.0.2
Server time offset: 0
Last machine account password change: Sun, 18 Sep 2016 20:56:57 EDT
I'm doing all this remotely, so I don't have an actual login prompt. I have to use either ssh (remote) or su (local).

How about if you post the contents of your actual, working /etc/pam.d/su and /etc/pam.d/system-auth? I'll compare with what I have line-by-line. If I have the same as you it *has* to work!

Inching forward though ...

That WBC_ERR_AUTH_ERROR error happened when I used the pam.d/system-auth from .../SlackMATE/extra/setup/SAMBA_AD_DC/setup.ADS-client.sh.

My latest test uses the as-installed /etc/pam.d configs from the `upgradepkg --install-new Linux-PAM-1.3.0-x86_64-1_pam.txz` from yesterday (or earlier today, I lose track). Since I'm trying `su` locally, the only change I made was to the /etc/pam.d/su file to add the 3 suggested lines from https://wiki.samba.org/index.php/Set..._users_via_PAM as follows:
Code:
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
#auth           required        pam_wheel.so use_uid
auth            required        pam_env.so
auth            include         system-auth

account         required        pam_nologin.so
account         required        pam_time.so
account         include         system-auth

session         required        pam_limits.so
session         optional        pam_umask.so
session         optional        pam_xauth.so
session         include         system-auth

password        include         system-auth

auth        sufficient    pam_winbind.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
password    sufficient    pam_winbind.so use_authtok
Except for the last 3 lines from the samba wiki, the rest of the file is as-installed from ivandi's Linux-PAM-1.3.0-x86_64-1_pam.txz. Then, running `su - mark` from local user mfoley I get:
Code:
Sep 21 01:35:45 labrat su[5339]: pam_unix(su:auth): authentication failure; logname=mfoley uid=1000 euid=0 tty=/dev/pts/1 ruser=mfoley rhost=  user=mark
Sep 21 01:35:45 labrat su[5339]: pam_winbind(su:auth): getting password (0x00000210)
Sep 21 01:35:45 labrat su[5339]: pam_winbind(su:auth): pam_get_item returned a password
Sep 21 01:35:45 labrat su[5339]: pam_winbind(su:auth): user 'mark' granted access
Sep 21 01:35:47 labrat su[5339]: pam_authenticate: Authentication failure
Sep 21 01:35:47 labrat su[5339]: FAILED su for mark by mfoley
Sep 21 01:35:47 labrat su[5339]: - /dev/pts/1 mfoley:mark
Running this same `su - mark` on the Ubuntu workstation gives:
Code:
Sep 21 01:55:30 urat su[14497]: pam_krb5(su:auth): authentication failure; logname=mark uid=1001 euid=0 tty=/dev/pts/9 ruser=mfoley rhost=
Sep 21 01:55:30 urat su[14497]: pam_unix(su:auth): authentication failure; logname=mfoley uid=1001 euid=0 tty=/dev/pts/9 ruser=mfoley rhost=  user=mark
Sep 21 01:55:30 urat su[14497]: pam_winbind(su:auth): getting password (0x00000388)
Sep 21 01:55:30 urat su[14497]: pam_winbind(su:auth): pam_get_item returned a password
Sep 21 01:55:30 urat su[14497]: pam_winbind(su:auth): user 'mark' granted access
Sep 21 01:55:30 urat su[14497]: Successful su for mark by mfoley
Sep 21 01:55:30 urat su[14497]: + /dev/pts/9 mfoley:mark
Sep 21 01:55:30 urat su[14497]: pam_unix(su:session): session opened for user mark by mfoley(uid=1001)
Sep 21 01:55:30 urat su[14497]: pam_systemd(su:session): Cannot create session: Already running in a session
Notice that the log messages are pretty much the same for both, including the "user 'mark' granted access" which indicates to me that the domain user/password was authenticated. The difference is that the Ubuntu machine next gives "Successful su for mark by mfoley" whereas the Slackware machine gives "pam_authenticate: Authentication failure".

So, there is some next-step after granting access that is missing on the Slackware host.

My Slackware /etc/samba/smb.conf (same as Ubuntu, which works) is:
Code:
[global]
  netbios name = labrat
  workgroup = HPRS
  security = ADS
  realm = HPRS.LOCAL
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config HPRS:backend = ad
  idmap config HPRS:schema_mode = rfc2307
  idmap config HPRS:range = 10000-10099

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes

[demoshare]
  path = /srv/samba/test
  read only = no
Note that I did try the one from .../SlackMATE/extra/setup/SAMBA_AD_DC/setup.ADS-client.sh with no luck.

My /etc/krb5.conf (same as on Ubuntu) is:
Code:
[libdefaults]
        default_realm = HPRS
        dns_lookup_realm = false
        dns_lookup_kdc = true

[logging]
    default = FILE:/var/log/krb5.log
Note that the log file is empty.

/etc/nsswitch.conf is:
Code:
passwd:         compat winbind
group:          compat winbind

hosts:          files dns
networks:       files

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
bootparams:     files

automount:      files
aliases:        files
Note that the Ubuntu /etc/pam.d/su includes the following 3 config definitions which have apparent successive types of re-tries. Does any of this give us a hint as to what's missing?

common-auth:
Code:
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
common-account:
Code:
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required                        pam_krb5.so minimum_uid=10000
# end of pam-auth-update config
session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0002
common-password:
Code:
password        [success=3 default=ignore]      pam_krb5.so minimum_uid=10000
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
password        optional        pam_gnome_keyring.so

Last edited by mfoley; 09-21-2016 at 01:14 AM.
 
Old 09-21-2016, 03:28 AM   #69
kjhambrick
mfoley --

I am lost until I get an AD DC going.

Have you tried the wbinfo commands on your Client Machine ?

Code:
wbinfo -u

wbinfo -g
Maybe a clue there ...

ivandi --

Yikes !

Three VMs, including the additional Packages in just a few minutes.

I've got to get another Virtual machine going as a SAMBA AD DC !

-- kjh
 
Old 09-21-2016, 05:00 AM   #70
kjhambrick
Quote:
Originally Posted by mfoley View Post
How about if you post the contents of your actual, working /etc/pam.d/su and /etc/pam.d/system-auth? I'll compare with what I have line-by-line. If I have the same as you it *has* to work!
mfoley --

Not sure you were addressing me or ivandi since I am not yet testing AD Logins only locals.

But if you wanted to see my files, they are below.

-- kjh
#
# cat /etc/pam.d/su
#
Code:
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
#auth           required        pam_wheel.so use_uid
auth            required        pam_env.so
auth            include         system-auth

account         required        pam_nologin.so
account         required        pam_time.so
account         include         system-auth

session         required        pam_limits.so
session         optional        pam_umask.so
session         optional        pam_xauth.so
session         include         system-auth

password        include         system-auth
#
# note1: shouldn't matter but I did a RHELish thing and installed system-auth.ads as a symlink so I can see what's what ...
# note2: I installed ivandi's sudo last night so I could test with local users ( works great )
# note3: there is an extra symlink in my /etc/pam.d/ directory for VMWare's vmtools
#
Code:
# cp -p  system-auth.ads system-auth.ads-ivandi-orig  # back up so I can edit the file, leaving the original as provided by ivandi
# ln -sf system-auth.ads system-auth                  # install system-auth.ads as system-auth
# ls -l                                               # content of /etc/pam.d
Code:
total 112
-rw-r--r-- 1 root root  95 May  5 21:23 chage
-rw-r--r-- 1 root root  95 May  5 21:23 chfn
-rw-r--r-- 1 root root  95 May  5 21:23 chgpasswd
-rw-r--r-- 1 root root  95 May  5 21:23 chpasswd
-rw-r--r-- 1 root root  95 May  5 21:23 chsh
-rw-r--r-- 1 root root 150 Jun 18 08:08 cups
-rw-r--r-- 1 root root  95 May  5 21:23 groupadd
-rw-r--r-- 1 root root  95 May  5 21:23 groupdel
-rw-r--r-- 1 root root  95 May  5 21:23 groupmems
-rw-r--r-- 1 root root  95 May  5 21:23 groupmod
-rw-r--r-- 1 root root 498 May  5 21:23 login
-rw-r--r-- 1 root root  95 May  5 21:23 newusers
-rw-r--r-- 1 root root 237 May  5 21:23 other
-rw-r--r-- 1 root root  89 May  5 21:23 passwd
-rw-r--r-- 1 root root 247 May  5 21:31 polkit-1
-rw-r--r-- 1 root root 156 May  5 21:25 runuser
-rw-r--r-- 1 root root  50 May  5 21:25 runuser-l
-rw-r--r-- 1 root root 457 Aug  7 10:45 sshd
-rw-r--r-- 1 root root 417 May  5 21:23 su
-rw-r--r-- 1 root root 417 May  5 21:25 sudo
lrwxrwxrwx 1 root root  15 Sep 21 03:55 system-auth -> system-auth.ads
-rw-r--r-- 1 root root 382 Jul  8 06:57 system-auth.ads
-rw-r--r-- 1 root root 382 Jul  8 06:57 system-auth.ads-ivandi-orig
-rw-r--r-- 1 root root 417 May  5 21:24 system-auth.krb5
-rw-r--r-- 1 root root 207 Jul  8 06:57 system-auth.samba
-rw-r--r-- 1 root root 137 May  5 21:23 system-auth.unix
-rw-r--r-- 1 root root  95 May  5 21:23 useradd
-rw-r--r-- 1 root root  95 May  5 21:23 userdel
-rw-r--r-- 1 root root  95 May  5 21:23 usermod
lrwxrwxrwx 1 root root  49 Sep 19 11:02 vmtoolsd -> /usr/lib/vmware-tools/configurator/pam.d/vmtoolsd
#
# cat /etc/pam.d/system-auth
#
Code:
auth            optional        pam_group.so
auth            sufficient      pam_winbind.so          krb5_auth krb5_ccache_type=FILE
auth            required        pam_unix.so                     use_first_pass

account         sufficient      pam_winbind.so
account         required        pam_unix.so

session         optional        pam_mkhomedir.so        umask=0066
session         sufficient      pam_winbind.so
session         required        pam_unix.so

password        sufficient      pam_winbind.so
password        required        pam_unix.so
 
Old 09-21-2016, 06:48 AM   #71
kjhambrick
mfoley --

This is killing me.

I'll set up a SAMBA DC ASAP.

In the meantime, I configured and installed /etc/samba/smb.conf.ads.

I started SAMBA on the machine ( seems to work fine for local users ).

I also attempted to start winbindd via /etc/rc.d/rc.winbind start

It failed of course because I've got no DC and I am not joined to any domain.

What I did find that might be useful for you is /var/log/samba/log.winbindd

Mine includes several angry messages because I've never joined an AD Domain

Maybe yours has a hint-or-two ?

In addition, there is also /var/log/samba/cores/

Code:
# ls -lad `pwd`/*

drwx------ 2 root root 4096 Sep 21 04:05 /var/log/samba/cores/nmbd/
drwx------ 2 root root 4096 Sep 21 04:05 /var/log/samba/cores/smbd/
drwx------ 2 root root 4096 Sep 21 06:00 /var/log/samba/cores/winbindd/
Mine is empty, but do you have any core dump files in there ???

-- kjh
 
Old 09-21-2016, 07:21 AM   #72
ivandi
Quote:
Originally Posted by mfoley View Post
How about if you post the contents of your actual, working /etc/pam.d/su and /etc/pam.d/system-auth? I'll compare with what I have line-by-line. If I have the same as you it *has* to work!
/etc/samba/smb.conf
Code:
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.NET
   security = ADS
   encrypt passwords = yes

#   idmap config *:backend = tdb
   idmap config *:backend = rid
   idmap config *:base_rid = 0
   idmap config *:range = 70001-80000

   template shell = /bin/bash

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   winbind refresh tickets = yes
   winbind offline logon = yes

   client use spnego = yes
   client ntlmv2 auth = yes

   usershare path = /var/lib/samba/usershares
   usershare max shares = 10
   usershare allow guests = yes

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes
/etc/nsswitch.conf
Code:
passwd:		compat winbind
group:		compat winbind

hosts:		files dns wins
networks:	files

services:	files
protocols:	files
rpc:		files
ethers:		files
netmasks:	files
netgroup:	files
bootparams:	files

automount:	files
aliases:	files
/etc/pam.d/system-auth
Code:
auth		optional	pam_group.so
auth		sufficient	pam_winbind.so		krb5_auth krb5_ccache_type=FILE
auth		required	pam_unix.so		use_first_pass

account		sufficient	pam_winbind.so
account		required	pam_unix.so

session		optional	pam_mkhomedir.so	umask=0066
session		sufficient	pam_winbind.so
session		required	pam_unix.so

password	sufficient	pam_winbind.so
password	required	pam_unix.so
/etc/pam.d/login
Code:
auth		required	pam_securetty.so
auth		required	pam_shells.so
auth		required	pam_env.so
auth		include		system-auth

account		required	pam_nologin.so
account		required	pam_time.so
account		include		system-auth

session		required	pam_loginuid.so
session		required	pam_limits.so
session		required	pam_lastlog.so
session		optional	pam_umask.so
session		optional	pam_motd.so
session		optional	pam_mail.so
-session	optional	pam_ck_connector.so
session		include		system-auth

password	include		system-auth
/etc/pam.d/su
Code:
auth		sufficient	pam_rootok.so
#auth		sufficient	pam_wheel.so trust use_uid
#auth		required	pam_wheel.so use_uid
auth		required	pam_env.so
auth		include		system-auth

account		required	pam_nologin.so
account		required	pam_time.so
account		include		system-auth

session		required	pam_limits.so
session		optional	pam_umask.so
session		optional	pam_xauth.so
session		include		system-auth

password	include		system-auth

Last edited by ivandi; 09-21-2016 at 07:33 AM.
 
2 members found this post helpful.
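Replaying Linux-PAM's control-flag rules shows why the su stack in post #68 fails after pam_winbind grants access while the su/system-auth pair posted here succeeds. This is an added example, not code from the thread or from ivandi's packages; it assumes that the system-auth included by the post #68 su carries `auth required pam_unix.so` (the order of the logged lines suggests so) and uses constructed per-module results that mirror the posted /var/log/secure entries.

```python
# Replay of Linux-PAM control-flag handling for an `auth` stack (added example).
# Module results are constructed to mirror the thread's /var/log/secure lines:
# pam_unix fails for the AD user, pam_winbind succeeds.

# pam.conf(5) expands the keyword controls to these action tables.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(token):
    """Turn 'required' or '[success=3 default=ignore]' into {retval: action}."""
    token = KEYWORDS.get(token, token)
    return dict(kv.split("=", 1) for kv in token.strip("[]").split())

def run_stack(stack, results):
    """Walk one PAM type's stack ((control, module) pairs, includes flattened)
    the way libpam does; results maps module -> 'success'/'auth_err'/'ignore'.
    Returns (status handed to the application, modules actually called)."""
    impression = None        # libpam's "impression": None, "positive" or "negative"
    status = "success"
    called = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        called.append(module)
        ret = results[module]
        actions = parse_control(control)
        action = actions.get(ret, actions.get("default", "ignore"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if impression != "negative":   # the first failure is the one reported
                impression, status = "negative", ret
            if action == "die":            # requisite: stop at once
                break
            continue
        # ok / done / N: record success unless a required module already failed
        if impression != "negative":
            impression, status = "positive", ret
        if action == "done":               # sufficient: stop the stack here
            break
        if action.isdigit():               # [success=N]: skip the next N lines
            i += int(action)
    return status, called

# Constructed results for `su - <AD user>` run by an unprivileged local user.
RESULTS = {
    "pam_rootok.so": "auth_err",   # caller is not root
    "pam_env.so": "success",
    "pam_group.so": "ignore",      # no matching group rule
    "pam_unix.so": "auth_err",     # domain user has no local password
    "pam_winbind.so": "success",   # "user 'mark' granted access"
    "pam_krb5.so": "auth_err",     # Ubuntu log: pam_krb5(su:auth) failure
    "pam_deny.so": "auth_err",
    "pam_permit.so": "success",
}

STACKS = {
    # post #68: su includes system-auth (assumed `required pam_unix.so`),
    # then the three lines from the Samba wiki are appended
    "mfoley_su": [
        ("sufficient", "pam_rootok.so"),
        ("required", "pam_env.so"),
        ("required", "pam_unix.so"),
        ("sufficient", "pam_winbind.so"),
    ],
    # post #72: su includes ivandi's system-auth, winbind runs before pam_unix
    "ivandi_su": [
        ("sufficient", "pam_rootok.so"),
        ("required", "pam_env.so"),
        ("optional", "pam_group.so"),
        ("sufficient", "pam_winbind.so"),
        ("required", "pam_unix.so"),
    ],
    # post #68: Ubuntu common-auth, failures are ignored and a success jumps
    "ubuntu_common_auth": [
        ("[success=3 default=ignore]", "pam_krb5.so"),
        ("[success=2 default=ignore]", "pam_unix.so"),
        ("[success=1 default=ignore]", "pam_winbind.so"),
        ("requisite", "pam_deny.so"),
        ("required", "pam_permit.so"),
    ],
}

def verdicts():
    """Final auth status and call trace for each modelled stack."""
    return {name: run_stack(stack, RESULTS) for name, stack in STACKS.items()}

if __name__ == "__main__":
    for name, (status, called) in verdicts().items():
        print(f"{name:19s} -> {status:8s} after: {' '.join(called)}")
```

In the post #68 stack the `required` pam_unix failure is recorded before pam_winbind runs, so the later `sufficient` success cannot overturn it; putting pam_winbind first, as ivandi's system-auth does, short-circuits the stack before pam_unix is consulted.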
Old 09-21-2016, 07:56 AM   #73
kjhambrick
Q for ivandi --

I've got another Virtual Machine running and can install SAMBA in DC Mode but before I do that ...

Do you have any specific recommendations for setting up SAMBA as an AD DC on Slackware64 14.2 ?

Thanks !

-- kjh
 
Old 09-21-2016, 08:55 AM   #74
ivandi
Make sure /etc/rc.d/rc.samba_dc is executable and runs on boot.

Code:
#!/bin/sh
# /etc/rc.d/rc.samba_dc - start/stop the Samba AD DC process on Slackware

sambadc_start() {
  # only start when the samba binary and a readable smb.conf are present
  if [ -x /usr/sbin/samba -a -r /etc/samba/smb.conf ]; then
    echo "Starting Samba AD DC:  /usr/sbin/samba -D"
    /usr/sbin/samba -D
  fi
}

sambadc_stop() {
  killall samba
}

sambadc_restart() {
  sambadc_stop
  sleep 2
  sambadc_start
}

case "$1" in
'start')
  sambadc_start
  ;;
'stop')
  sambadc_stop
  ;;
'restart')
  sambadc_restart
  ;;
*)
  # no or unknown argument: behave like start
  sambadc_start
esac

Cheers
 
1 members found this post helpful.
Old 09-21-2016, 09:21 AM   #75
kjhambrick
Holy cow !

That was too easy ...

I followed the Setup_a_Samba_Active_Directory_Domain_Controller using the official SlackWare64-14.2 samba package.

Woo Hoo !

-- kjh

On the DC side ( slackware64 14.2 full install ):

Code:
1. Ran:  samba-tool domain provision --use-rfc2307 --interactive
2. Started:   samba ( instead of rc.samba )
x. EDIT:      # DID NOT START winbind ( started winbind on the client-side )
3. adduser:   ad1
On ivandi's AD Client side:

Code:
4. Ran:  /etc/rc.d/rc.winbindd start
5. Ran:  net ads join -U administrator
6. Ran:  net ads testjoin 
7. Ran:  su - administrator    # worked !
8. Ran:  su - ad1              # worked !
Logs and such ... after logging in as administrator then ad1:

Code:
# ls -la /home

total 28
drwxr-xr-x  7 root root         4096 Sep 21 08:49 .
drwxr-xr-x 22 root root         4096 Sep 20 11:24 ..
drwxr-xr-x  4 root domain users 4096 Sep 21 08:52 KJH
drwxr-xr-x  2 root root         4096 Sep 19 11:23 dld
drwxr-xr-x  2 root root         4096 Jun 12 23:50 ftp
drwx--x--x 11 kjh  users        4096 Sep 21 05:56 kjh
drwxr-xr-x  6 root root         4096 Oct  7  2012 local

# ls -la /home/KJH

total 16
drwxr-xr-x 4 root          domain users 4096 Sep 21 08:52 .
drwxr-xr-x 7 root          root         4096 Sep 21 08:49 ..
drwx--x--x 2 ad1           domain users 4096 Sep 21 08:52 ad1
drwx--x--x 2 administrator domain users 4096 Sep 21 08:51 administrator
# these are the entries in /var/log/secure

Code:
Sep 21 08:48:55 slack142 su[1568]: No passwd entry for user 'administrator'
Sep 21 08:48:55 slack142 su[1568]: FAILED su for administrator by root
Sep 21 08:48:55 slack142 su[1568]: - /dev/pts/0 root:administrator
Sep 21 08:49:57 slack142 su[1590]: pam_winbind(su:account): user 'administrator' granted access
Sep 21 08:49:57 slack142 su[1590]: Successful su for administrator by root
Sep 21 08:49:57 slack142 su[1590]: + /dev/pts/0 root:administrator
Sep 21 08:52:00 slack142 su[1611]: pam_winbind(su:account): user 'ad1' granted access
Sep 21 08:52:00 slack142 su[1611]: Successful su for ad1 by root
Sep 21 08:52:00 slack142 su[1611]: + /dev/pts/0 root:ad1
Sep 21 09:17:03 slack142 sshd[1642]: pam_winbind(sshd:auth): getting password (0x00000380)
Sep 21 09:17:03 slack142 sshd[1642]: pam_winbind(sshd:auth): user 'ad1' granted access
Sep 21 09:17:03 slack142 sshd[1642]: pam_winbind(sshd:account): user 'ad1' granted access
Sep 21 09:17:13 slack142 sshd[1642]: pam_winbind(sshd:setcred): user 'ad1' OK
Sep 21 09:17:26 slack142 sshd[1657]: pam_winbind(sshd:auth): getting password (0x00000380)
Sep 21 09:17:26 slack142 sshd[1657]: pam_winbind(sshd:auth): user 'administrator' granted access
Sep 21 09:17:26 slack142 sshd[1657]: pam_winbind(sshd:account): user 'administrator' granted access

Last edited by kjhambrick; 09-21-2016 at 10:56 AM. Reason: mistake
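The /var/log/secure excerpts in this thread each carry a distinct failure signature: winbindd cut off from the DC (post #62), pam_winbind granting access while su still fails (post #68), and the "No passwd entry" seen here before winbind was started. The following added example (not code from the thread) groups such lines per process and labels them, using lines copied from the thread's own log excerpts as sample input.

```python
# Triage of su/sshd PAM events in /var/log/secure on an AD domain member
# (added example). Lines are grouped per (host, program, pid) and each
# session is labelled with the failure signature seen in the thread.
import re

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                  r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
GRANTED = re.compile(r"pam_winbind\(\w+:auth\): user '([^']+)' granted access")

def sessions(lines):
    """Group message texts by (host, program, pid); unparsable lines are skipped."""
    out = {}
    for line in lines:
        m = LINE.match(line)
        if m:
            out.setdefault((m["host"], m["prog"], int(m["pid"])), []).append(m["msg"])
    return out

def classify(msgs):
    """Return (code, explanation) for the messages of one session."""
    text = "\n".join(msgs)
    if "No passwd entry for user" in text:
        return ("nss-unknown", "NSS cannot resolve the user: winbindd not running "
                "or passwd/group in nsswitch.conf lack 'winbind'")
    if "wbcLogonUser failed" in text and "NT_STATUS_CONNECTION_DISCONNECTED" in text:
        return ("winbind-disconnected", "winbindd has no working connection to the "
                "DC: check the join, the clocks and any firewall")
    g = GRANTED.search(text)
    if g and ("FAILED su" in text or "pam_authenticate: Authentication failure" in text):
        return ("pam-order", "pam_winbind authenticated %s but the auth stack still "
                "failed: a 'required' module earlier in the stack failed first" % g.group(1))
    if "Successful su" in text or re.search(r"pam_winbind\(\w+:account\).*granted", text):
        return ("ok", "domain user authenticated and authorised")
    return ("unclassified", "no known pattern")

def triage(lines):
    """Map each (host, program, pid) session to its classification code."""
    return {key: classify(msgs)[0] for key, msgs in sessions(lines).items()}

# Sample input: lines copied from the log excerpts posted in this thread.
SAMPLE = """\
Sep 20 15:20:47 labrat su[4712]: pam_winbind(su:auth): getting password (0x00000380)
Sep 20 15:20:51 labrat su[4712]: pam_winbind(su:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: The transport connection is now disconnected.
Sep 20 15:20:54 labrat su[4712]: FAILED su for mark by mfoley
Sep 21 01:35:45 labrat su[5339]: pam_unix(su:auth): authentication failure; logname=mfoley uid=1000 euid=0 tty=/dev/pts/1 ruser=mfoley rhost=  user=mark
Sep 21 01:35:45 labrat su[5339]: pam_winbind(su:auth): user 'mark' granted access
Sep 21 01:35:47 labrat su[5339]: pam_authenticate: Authentication failure
Sep 21 01:35:47 labrat su[5339]: FAILED su for mark by mfoley
Sep 21 08:48:55 slack142 su[1568]: No passwd entry for user 'administrator'
Sep 21 08:48:55 slack142 su[1568]: FAILED su for administrator by root
Sep 21 08:49:57 slack142 su[1590]: pam_winbind(su:account): user 'administrator' granted access
Sep 21 08:49:57 slack142 su[1590]: Successful su for administrator by root
""".splitlines()

if __name__ == "__main__":
    for (host, prog, pid), msgs in sessions(SAMPLE).items():
        code, why = classify(msgs)
        print(f"{host} {prog}[{pid}]: {code} - {why}")
```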
 
  

