Hi, I'm trying to authenticate a Linux machine with a Windows 2003 server.
I work in a college and want to teach students how to use Linux and at times show them how much better it is.
Primarily all I want is for students to be able to type in their usernames and passwords that they use on the Windows network and log into a Linux workstation. Something that has proven harder than I thought it would.
I'm currently experimenting with a SUSE machine (it has boasted some of the best hardware support for the box from the CD, as the SUSE 9 disk came with the computers). I'd rather use Debian but at this point (after several months of tears) I'm happy to use any distro if there is a better one for setting this up.
I'm able to add the computer to the domain using:
net ads join -U administrator
I can get user names and groups with
wbinfo -u
wbinfo -g
I can list groups with
getent group
In desperation I have added the following line to all my pam.d files:
Code:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077 #added by david
These are the files:
Code:
linux:/etc/pam.d # ls
. .. chage chfn chsh cups gdm gdm-autologin login other passwd ppp rpasswd shadow sshd su sudo useradd xdm xscreensaver
linux:/etc/pam.d #
But for some reason I can't log on. I've tried using
<user>
<domain>\<user>
and many other combinations without success.
1: Where do I go from here? I'm at a loss and feeling very down with this.
2: Is there another/better method of doing this? I'd rather not have to make changes to the server and risk causing upset to the college system.
linux:~ # kinit inst@internal.my-college.org
Password for inst@internal.my-college.org:password
Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(DashoA6275:67)
at sun.security.krb5.KrbAsReq.getReply(DashoA6275:315)
at sun.security.krb5.KrbAsReq.getReply(DashoA6275:276)
at sun.security.krb5.internal.tools.Kinit.<init>(DashoA6275:271)
at sun.security.krb5.internal.tools.Kinit.main(DashoA6275:109)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.af.a(DashoA6275:134)
at sun.security.krb5.internal.at.a(DashoA6275:63)
at sun.security.krb5.internal.at.<init>(DashoA6275:58)
at sun.security.krb5.KrbAsRep.<init>(DashoA6275:53)
... 4 more
Here is my smb.conf
Code:
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE
# Date: 2004-10-05
# smb.conf only treats # as a comment at the start of a line; text after a
# value becomes part of that value, so the notes below sit on their own lines.
[global]
   workgroup = RIC
   printing = cups
   printcap name = cups
   printcap cache time = 750
   cups options = raw
   printer admin = @ntadmin, root, administrator
   username map = /etc/samba/smbusers
   map to guest = Bad User
   include = /etc/samba/dhcp.conf
   logon path = \\%L\profiles\.msprofile
   logon home = \\%L\%U\.9xprofile
   logon drive = P:
   # security = domain
   security = ads
   encrypt passwords = yes
   # added from http://lists.samba.org/archive/samba/2005-August/109198.html
   smb passwd file = /etc/samba/smbpasswd
   unix password sync = no
   # the passwd binary lives in /usr/bin (not /etc/bin)
   passwd program = /usr/bin/passwd %u
   pam password change = yes
   obey pam restrictions = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   case sensitive = no
   dns proxy = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   password server = ricsvr01.internal.my-college.org
   realm = internal.my-college.org
   winbind use default domain = yes
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   wins server = ricsvr01.internal.my-college.org
   unix extensions = yes
[homes]
   comment = Home Directories
   valid users = %S
   browseable = No
   read only = No
   inherit acls = Yes
[profiles]
   comment = Network Profiles Service
   path = %H
   read only = No
   store dos attributes = Yes
   create mask = 0600
   directory mask = 0700
[users]
   comment = All users
   path = /home
   read only = No
   inherit acls = Yes
   veto files = /aquota.user/groups/shares/
[groups]
   comment = All groups
   path = /home/groups
   read only = No
   inherit acls = Yes
[pdf]
   comment = PDF creator
   path = /var/tmp
   printable = Yes
   print command = /usr/bin/smbprngenpdf -J '%J' -c %c -s %s -u '%u' -z %z
   create mask = 0600
[printers]
   comment = All Printers
   path = /var/tmp
   printable = Yes
   create mask = 0600
   browseable = No
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/drivers
   write list = @ntadmin root
   force group = ntadmin
   create mask = 0664
   directory mask = 0775
OK, that means yes you are using the AD DNS server and it can see all the stuff it needs to in the Active Directory Domain.
Googling for the error you receive turned up some list threads that point towards a bad or "fake" kinit/Kerberos install (from some other package overwriting Kerberos files). The solution to this would probably be to use the package manager to update, or reinstall the Kerberos package.
OK, so now my kinit seems to work. If I type in the correct password it takes me back to the command line. If I type in the wrong password it throws up an error.
I can:
Code:
wbinfo -u
wbinfo -g
wbinfo -n <username>
But I can't log in with anything (my main want is for GDM).
Here is my /etc/pam.d/gdm:
Your PAM stuff looks a bit odd if you just want to use winbind.
I have this working very nicely for ssh clients on Mandriva 10.1 with Samba (3.10??? - not sure) and PAM 0.77.
I do not see why you want Kerberos if you only use AD, since winbind will do this.
You probably want to put the winbind first, since if winbind gives auth the OK, you do not want to require pam_unix:
Code:
auth sufficient pam_winbind.so #if winbind ok, you are in
auth required pam_unix2.so #else check passwd
Try this; if it works you may want to add use_first_pass on the unix.so to stop it prompting again when winbind does not give the OK.
You may want to test with something like sshd so that you do not lock yourself out while testing. I managed to do that once by being a bit too clever on a test.
Once I got the winbind working, I modified the system-auth script to make winbind work for all PAM-enabled applications without having to touch each file in pam.d
PAM is pretty powerful and a good tool for lots of tasks.
I added some checks to prevent all but a few users from logging in remotely(they must be in the office on the LAN to get in).
I also added some stuff to the "session" to set up custom environments to automatically start an application for some users and to start them up in the right menu depending on files of usernames (shipping users can only run one application and they start in the shipping menu).
I had to modify pam_access and pam_filelist to support all the PAM controls, but it was trivial even for someone who is not a C programmer.
I hope that this gets you up and running. You are very close now.
Ron
Look in your auth.log (or equivalent) to see what failed.
Once you get through auth, you still have to get through account, password and session.
You will need to use the same logic in those sections as well to make sure that winbind gets called first (if you want any more checking at all). Read the PAM documentation about the "controls" to see what is being done at each of these steps.
I am not sure why you need pam_unix (or winbind) in session - you are already through auth, account and password by then so you really only need to do any post-login setups or prior-to-logout tear-downs that you need. I have my menu customization in session but no reference to pam_winbind or pam_unix.
I could use .profile, .bashrc, etc for what I am doing in "session" but I like some of the pam modules that are available to identify users and to set up environment variables based on the tests. Saves writing a lot of shell code.
You will get an error from ssh if any of the "controls" fail, so make sure that if "auth" succeeds everything that your subsequent controls do, also returns "success".
The logs can be a bit hard to read but you will be able to track the execution of ssh as it calls PAM at each stage.
Beware that success messages may not be logged so you have to be a bit careful reading the logs.
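The stack Ron describes in his two posts, carried through all four PAM management groups, as an added example that was not posted in this thread; it assumes a SUSE-style pam.d file using pam_unix2 and pam_winbind (the module names seen in this thread) and keeps the pam_mkhomedir line from the first post in the session group.

```conf
# /etc/pam.d/sshd (test here first; copy to /etc/pam.d/gdm once it works)
# Added example, not from the thread. Winbind is tried first and is
# "sufficient": a domain user who authenticates there leaves the stack
# immediately with success. A local account falls through to pam_unix2,
# which is "required", so a failure there fails the login.

# auth: does the user know the password?
auth     sufficient  pam_winbind.so
# use_first_pass reuses the password winbind already collected, so a
# local user (or a domain user with a wrong password) is not prompted twice.
auth     required    pam_unix2.so  use_first_pass

# account: is the account allowed in (expired, locked, restricted)?
# Same ordering: winbind answers for domain users, pam_unix2 for local ones.
account  sufficient  pam_winbind.so
account  required    pam_unix2.so

# password: a domain user's change goes to the domain controller via
# winbind; use_authtok makes pam_unix2 accept the new password already typed.
password sufficient  pam_winbind.so
password required    pam_unix2.so  use_authtok

# session: post-login setup only, nothing authenticates here.
# pam_mkhomedir creates the home directory on first login and must come
# before anything that expects the directory to exist.
session  required    pam_mkhomedir.so  skel=/etc/skel/ umask=0077
session  required    pam_unix2.so
```

Because auth/account/password each end with a "required" pam_unix2 entry, a local user still gets checked against /etc/shadow, and a failure in any group is visible in auth.log as Ron describes.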
This problem has hung over me in some shape for 2 years. A big thank you to all here and around the world.
I found part of my problems were in my GDM configuration (it didn't like me putting comments on the same line as I had options).
My next problem was a permissions one. I had set a sub dir for domain users in my home and made it with root and didn't give everyone read/enter permission, so it bombed out when people logged in. I'm going to tidy things up a little then write it all up for others.
I was pointed in the direction when I checked /var/log/samba/log.winbindd and found the error messages.
It gave me another error that I was able to google for and fix after I'd logged in, and then it wouldn't let me log in again.