LinuxQuestions.org
Old 07-10-2003, 03:15 PM   #1
Linuxpenguin
LQ Newbie
 
Registered: Jul 2003
Posts: 28

Rep: Reputation: 15
winbind Mandrake 9.1


I am a newbie with Linux and I have been trying for several days to use winbind to authenticate my Mandrake 9.1 box to a Windows Domain. I have been researching and researching and I can't seem to get this right. I followed the directions in the manual file and it just locked me out. I followed the instructions at mandrakeuser.org/docs/connect/csamba5.html but when I restart samba and winbind and check it with wbinfo -t (-m) it returns "could not check secret" (could not check trusted domains).

PLEASE HELP!! THANKS in advance.
 
Old 07-10-2003, 03:50 PM   #2
xscousr
Member
 
Registered: Jul 2003
Location: Toronto
Distribution: Redhat
Posts: 89

Rep: Reputation: 15
what are the steps (exactly) that you have done
what is your smb.conf file like?
what happens when you tried to add yourself to the domain?

details, details, details..... :-)
 
Old 07-11-2003, 08:54 AM   #3
Linuxpenguin
LQ Newbie
 
Registered: Jul 2003
Posts: 28

Original Poster
Rep: Reputation: 15
Post Details

Ok, details. This is going to take up some space.

I've tried a couple of things so I will tell you each.
First I followed the instructions in man winbindd.
This is what I put in the /etc/nsswitch.conf file:

passwd: files nisplus nis winbind
shadow: files nisplus nis
group: files nisplus nis winbind
hosts: files nisplus nis dns

These were the active lines in my smb.conf file:

[global]

workgroup = "MY DOMAIN's NAME"

netbios name = <name_of_this_server>

server string = Samba Server %v

printcap name = cups
load printers = yes

printing = cups

printer admin = @"Domain Admins"

log file = /var/log/samba/log.%m

max log size = 50

map to guest = bad user

security = domain

password server = *

encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

winbind uid = 10000-20000

winbind gid = 10000-20000

winbind separator = +

template homedir = /home/%D/%U


template shell = /bin/bash

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[homes]
comment = Home Directories
browseable = no
writable = yes


[printers]
comment = All Printers
path = /var/spool/samba
browseable = no

guest ok = yes
writable = no
printable = yes
create mode = 0700

[print$]
path = /var/lib/samba/printers
browseable = yes
read only = yes
write list = @adm root
guest ok = yes


[pdf-generator]
path = /var/tmp
guest ok = No
printable = Yes
comment = PDF Generator (only valid users)
#print command = /usr/share/samba/scripts/print-pdf file path win_path recipient IP doc_name &
print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "%J" &

Then I replaced the auth and account lines in all of the files in /etc/pam.d with the following lines:

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
account required /lib/security/pam_winbind.so

Then I joined the domain using the following command:

smbpasswd -j DOMAIN -r PDC -U Administrator
(This part at least worked because I found the Linux box in the PDC.)

Then it locked me out! So, I reinstalled Mandrake 9.1.

I don't want to take up any more room on the post, so please see the instructions at http://www.mandrakeuser.org/docs/connect/csamba5.html . I followed the instructions to the letter. I got the computer on the domain but could not get any domain info with the wbinfo command.
 
Old 07-11-2003, 10:09 AM   #4
xscousr
Member
 
Registered: Jul 2003
Location: Toronto
Distribution: Redhat
Posts: 89

Rep: Reputation: 15
looks ok except for:
"Then it locked me out! So, I reinstalled Mandrake 9.1."

what do you mean by "locked me out!" ? Your system locked up?
No need to re-install - waste of time
 
Old 07-11-2003, 10:37 AM   #5
Linuxpenguin
LQ Newbie
 
Registered: Jul 2003
Posts: 28

Original Poster
Rep: Reputation: 15
No, the system did not lock up. Changing the lines in the pam.d file apparently changed something so that the root password was no longer recognized. When I tried to log back in as root it would not allow me to.

I found another way to set this up this morning. During install of Mandrake 9.1 when the system asks you for a root password you can go to advanced. In the advanced options it allows you to select logon to a Windows NT Domain. After I finished setup I checked the smb.conf file. Everything appeared to be correct. It found the name of my Domain and seemed to set everything correctly. But again, when I try to check its operation with the wbinfo command or try to login as a domain user it's not working.

Thanks for your help xscousr!

Here is the smb.conf file it set up automatically this morning minus my domain name:

[global]
workgroup = DOMAIN
server string = Samba Server %v
security = domain
encrypt passwords = Yes
password server = *
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
character set = ISO8859-15
os level = 18
local master = No
dns proxy = No
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
 
Old 07-11-2003, 10:51 AM   #6
xscousr
Member
 
Registered: Jul 2003
Location: Toronto
Distribution: Redhat
Posts: 89

Rep: Reputation: 15
what's with the asterisk next to the login server?
what is the windows version running the pdc?

ok. let's see what you have installed

rpm -qa |grep samba

copy and paste the output of the following commands..

smbpasswd -j DOMAIN or
smbpasswd -j DOMAIN -U DOMAIN_ADMIN
(if you don't have a machine account on the pdc)
wbinfo -t
 
Old 07-11-2003, 01:25 PM   #7
Linuxpenguin
LQ Newbie
 
Registered: Jul 2003
Posts: 28

Original Poster
Rep: Reputation: 15
Thanks for the last post xscousr. For some reason I assumed the asterisk meant it would auto-detect the PDC. I entered in the PDC's name and voilà, it works!! I guess assuming made a real a** out of me!

Now I have another problem though. When I logon with my domain user and lock the screen it won't let me unlock it. It says "Failed" when I enter my password.

Also, when I open the browser and type smb://server/share it still asks me for a username and password. Then it opens but shows 0 files 0 folders.

Thanks!!!
 
Old 07-11-2003, 02:25 PM   #8
xscousr
Member
 
Registered: Jul 2003
Location: Toronto
Distribution: Redhat
Posts: 89

Rep: Reputation: 15
no problem - it's the little things that usually get us - at least it was caught early in the game - try going a couple of weeks pulling your hair out to find out you missed a }
<g>

when you lock the screen - linux or windows client?
if linux check your caps lock (seriously) the smb access should not have any effect on local authentication.

what happens if you try to mount a share manually?

mount -t smbfs -o username=user,uid=user //server/share /mount/point
 
Old 07-11-2003, 04:34 PM   #9
Linuxpenguin
LQ Newbie
 
Registered: Jul 2003
Posts: 28

Original Poster
Rep: Reputation: 15
It is Linux that is doing this. It only does this when I have logged on to the domain with a domain user using winbind. Local users (root, etc.) don't have this problem. I double/triple checked that I was typing my password correctly and that caps lock wasn't on.

I tried to mount the share using the command you showed me substituting the correct info. It gives me the error "Could not resolve mount point".

I probably won't be back in the forum until Monday. I really appreciate all of the help!

LP
 
Old 07-11-2003, 04:44 PM   #10
jchristman
Member
 
Registered: Mar 2003
Distribution: Fedora Core 3
Posts: 125

Rep: Reputation: 15
xscousr,

I am doing just the opposite, I am setting up a samba server as a windows domain controller. Think you can help? If so, here is the link



http://www.linuxquestions.org/questi...9&goto=newpost
 
Old 07-22-2003, 11:34 AM   #11
acb67
Member
 
Registered: Jun 2002
Posts: 50

Rep: Reputation: 15
I see that you guys have been working with winbind, and I have run into an issue that no one seems to know about. I thought I'd run it by you just in case it triggers something...

I'm playing with the login pam module and I've made a little progress. The problem is now, though, when someone tries to login, the screen just resets itself. Nothing happens. Prompts for username and password and then it blinks back to the beginning. I looked in the logs and this is what I got:
________________________________
Jul 18 16:16:55 pam_winbind[20821]: Verify user `xxxx+xxxx'
Jul 18 16:16:55 pam_winbind[20821]: user 'xxxx+xxxx' granted acces
Jul 18 16:16:55 pam_winbind[20821]: user `xxxx+xxxx' not found
Jul 18 16:16:55 login[20821]: pam_unix2: pam_sm_acct_mgmt() called
Jul 18 16:16:58 login[20821]: pam_unix2: pam_ldap returned 10
Jul 18 16:16:58 login[20821]: User not known to the underlying authentication module
_________________________________

It is obviously authenticating, but then it dies and says user not found. Here is my login pam:
____________________________________
auth required pam_securetty.so debug
auth sufficient pam_winbind.so debug
auth requisite pam_unix2.so debug,nullok set_secrpc
auth required pam_nologin.so debug
auth required pam_homecheck.so debug
auth required pam_env.so debug
auth required pam_mail.so debug
account sufficient pam_winbind.so debug
account required pam_unix2.so debug
password required pam_pwcheck.so debug,nullok
password required pam_unix2.so debug,nullok use_first_pass use\
_authtok
session required pam_unix2.so debug,none # debug or trace
session required pam_limits.so debug
_____________________________________

NOTE: I think that the account module here is failing for pam_winbind...if I comment out the account pam_winbind above, the entries in the log for pam_winbind disappear. So for some reason winbind is failing here, but I don't know why. Is login tied to something else that I need to change?

Thanks.
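
Added example (not part of the post above, and not code from Samba or Linux-PAM): a small Python model of how PAM combines the control flags of one management group, applied to the two account lines of the login file quoted above. The module outcomes are assumed inputs; the first scenario takes them from the log excerpt, the other two are hypothetical.

```python
# Added example: combine PAM control flags for one management group.
# Module outcomes are assumed inputs; nothing here calls real PAM modules.

LOGIN_PAM = """\
account sufficient pam_winbind.so debug
account required pam_unix2.so debug
"""  # the two account lines from the login file quoted above

def parse_stack(text, group):
    """Return [(control, module)] for one group ('auth', 'account', ...)."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results):
    """results: module -> True (success) or False (failure).
    Returns (granted, module that decided the outcome, or None)."""
    first_failure = None   # earliest failed required/requisite module
    any_success = False    # at least one required/requisite succeeded
    for control, module in stack:
        ok = results[module]
        if control == "sufficient":
            if ok and first_failure is None:
                return True, module          # success ends the stack early
            continue                         # a sufficient failure is ignored
        if control in ("required", "requisite"):
            if ok:
                any_success = True
            else:
                first_failure = first_failure or module
                if control == "requisite":
                    break                    # requisite failure stops at once
    if first_failure:
        return False, first_failure
    return any_success, None

def scenarios():
    stack = parse_stack(LOGIN_PAM, "account")
    return {
        # both modules report "unknown user", as in the log excerpt
        "domain user, lookup fails": evaluate(
            stack, {"pam_winbind.so": False, "pam_unix2.so": False}),
        # assumed: winbind can resolve the account
        "domain user, lookup works": evaluate(
            stack, {"pam_winbind.so": True, "pam_unix2.so": False}),
        # assumed: a local account that only pam_unix2 knows
        "local user": evaluate(
            stack, {"pam_winbind.so": False, "pam_unix2.so": True}),
    }
```

With this account stack, a failed pam_winbind lookup is ignored and the decision falls to pam_unix2, so a domain user unknown to both is refused even though the auth phase granted access.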
 
Old 07-22-2003, 03:24 PM   #12
Linuxpenguin
LQ Newbie
 
Registered: Jul 2003
Posts: 28

Original Poster
Rep: Reputation: 15
acb67

Did you change your smb.conf file appropriately?

LP
 
Old 07-22-2003, 04:31 PM   #13
acb67
Member
 
Registered: Jun 2002
Posts: 50

Rep: Reputation: 15
I think so. I've been looking at it for so long, it's all looking the same. Have a look:

[global]
# separate domain and username with '+', like DOMAIN+username
winbind separator = +
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
netbios name = mycomputer
workgroup = MYDOMAIN
os level = 2
security = domain
password server = MYPASSWORDSERVER
time server = yes
unix extensions = yes
encrypt passwords = yes
log level = 1
syslog = 0
printing = CUPS
printcap name = CUPS
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
wins support = no
wins server = xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
realm = my.domain.com
[homes]
comment = Home Directories
valid users = %S
browseable = no
writeable = yes
directory mask = 0750
[printers]
comment = All Printers
path = /var/tmp
printable = yes
create mask = 0600
browseable = no
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
create mask = 0640
 
Old 07-22-2003, 04:43 PM   #14
acb67
Member
 
Registered: Jun 2002
Posts: 50

Rep: Reputation: 15
I think I've gotten a step closer. The entry in pam 'account sufficient pam_winbind.so' performs a getpwnam() on the username. For some reason, it doesn't seem to be going out to the PDC to do this. Is there a way to change this?
 
Old 07-23-2003, 08:39 AM   #15
Linuxpenguin
LQ Newbie
 
Registered: Jul 2003
Posts: 28

Original Poster
Rep: Reputation: 15
Try changing your UID and GID entries in your smb.conf files to winbind uid = 10000-20000, winbind gid = 10000-20000.
Also make sure you have a range large enough to accommodate all of your domain users.

I did not change the range when I set mine up so it did not allow all users to logon. You can check to see if winbind is working and if you are setting up all of your users by running the command "wbinfo -u". If that does not give you the list of users try "getent passwd".
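
Added example (not part of the post above): a Python check for the two conditions this thread turns on, namely that getpwnam() only consults winbind when /etc/nsswitch.conf lists it for passwd and group, and that the uid/gid range in smb.conf has room for every domain account. The file contents are constructed from settings quoted in the thread, and the user and group counts are assumed values standing in for the line counts of `wbinfo -u` and `wbinfo -g`.

```python
import re

# Constructed inputs modelled on the settings quoted in this thread.
NSSWITCH = """\
passwd: files nisplus nis winbind
shadow: files nisplus nis
group: files nisplus nis
"""
SMB_CONF = """\
[global]
# idmap uid = 1-5   (commented out, must be ignored)
winbind uid = 10000-20000
idmap gid = 10000-20000
"""

def nss_sources(text, database):
    """Return the lookup sources configured for one nsswitch database."""
    for line in text.splitlines():
        name, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            return rest.split()
    return []

def id_range(text, kind):
    """Return (low, high) for 'uid' or 'gid'; accepts both the
    'winbind uid' and 'idmap uid' spellings seen in the thread."""
    pat = r"^[ \t]*(?:winbind|idmap)[ \t]+%s[ \t]*=[ \t]*(\d+)[ \t]*-[ \t]*(\d+)" % kind
    m = re.search(pat, text, re.I | re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def check(nsswitch, smb_conf, n_users, n_groups):
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch, db):
            problems.append("%s: winbind missing from nsswitch.conf" % db)
    for kind, needed in (("uid", n_users), ("gid", n_groups)):
        rng = id_range(smb_conf, kind)
        if rng is None:
            problems.append("%s: no range set in smb.conf" % kind)
        elif rng[1] - rng[0] + 1 < needed:
            problems.append("%s: range holds %d ids, need %d"
                            % (kind, rng[1] - rng[0] + 1, needed))
    return problems

if __name__ == "__main__":
    # Assumed counts: 12000 domain users, 50 domain groups.
    for problem in check(NSSWITCH, SMB_CONF, 12000, 50):
        print(problem)
```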
 
  

