LinuxQuestions.org


ndi 07-14-2003 08:57 AM

Winbind - Redhat 9 LTSP
 
Hi

I'm having a problem getting winbind to auth on my NT server.

I think I've got the right lines in my /etc/pam.d/system-auth file, but it gives me the following error (in /var/log/messages):

-----------------------------------------

Jul 14 15:01:13 homer pam_winbind[5621]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jul 14 15:01:13 homer pam_winbind[5621]: internal module error (retval = 4, user = `98bucklj'
Jul 14 15:01:16 homer gdm(pam_unix)[5621]: authentication failure; logname= uid=0 euid=0 tty=ws021.ltsp:0 ruser=gdm rhost=ws021.ltsp user=98bucklj
Jul 14 15:01:18 homer gdm-binary[5621]: Couldn't authenticate user

------------------------------------------


Any ideas?

Thanks

Sam

hakcenter 07-14-2003 11:04 AM

That exact error is in the FAQs for samba/winbind; look it up.

ndi 07-14-2003 02:27 PM

Thanks, I've sorted that problem now, but now I have a different problem, which I'm very sure has something to do with my /etc/pam.d/ configurations.

The error in the logs is:

-----------------

Jul 14 20:21:56 Homer pam_winbind[6292]: user 'testupper' granted acces
Jul 14 20:21:56 Homer gdm(pam_unix)[6292]: could not identify user (from getpwnam(testupper))
Jul 14 20:21:56 Homer gdm-binary[6292]: Couldn't set acct. mgmt for testupper

---------

And my system-auth file looks like this:

---------

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so

auth sufficient /lib/security/pam_winbind.so

auth sufficient /lib/security/$ISA/pam_unix.so use_first_pass

auth required /lib/security/$ISA/pam_deny.so

account sufficient /lib/security/pam_winbind.so

account required /lib/security/$ISA/pam_unix.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

-------

acb67 07-22-2003 10:26 AM

I am having a similar error I think, though I am using the login pam instead of gdm. Winbind grants the user access, but fails somewhere else. If you look in your pam, you have added pam_winbind.so to both the auth section and account section. The auth section seems to be working, but it looks like it is failing at the account section. Comment account pam_winbind.so out and see what happens.
I have been trying to figure out why it is failing for the past week, but no one seems to know. Here is my stuff:

Jul 18 16:16:55 pam_winbind[20821]: Verify user `xxxx+xxxx'
Jul 18 16:16:55 pam_winbind[20821]: user 'xxxx+xxxx' granted acces
Jul 18 16:16:55 pam_winbind[20821]: user `xxxx+xxxx' not found
Jul 18 16:16:55 login[20821]: pam_unix2: pam_sm_acct_mgmt() called
Jul 18 16:16:58 login[20821]: pam_unix2: pam_ldap returned 10
Jul 18 16:16:58 login[20821]: User not known to the underlying authentication module
_________________________________

It is obviously authenticating, but then it dies and
says user not found. Here is my login pam:
____________________________________
auth required pam_securetty.so debug
auth sufficient pam_winbind.so debug
auth required pam_unix2.so debug nullok set_secrpc
auth required pam_nologin.so debug
auth required pam_homecheck.so debug
auth required pam_env.so debug
auth required pam_mail.so debug
account sufficient pam_winbind.so debug
account required pam_unix2.so debug
password required pam_pwcheck.so debug,nullok
password required pam_unix2.so debug,nullok use_first_pass use_authtok
session required pam_unix2.so debug,none # debug or trace
session required pam_limits.so debug
_____________________________________

Any ideas???

ndi 07-22-2003 12:04 PM

What distro are you using?

acb67 07-22-2003 12:11 PM

SuSE 8.1
Samba 3.0

ndi 07-22-2003 12:14 PM

Oh right.

I'm using Redhat 9 LTSP, which comes with samba with winbind precompiled...

I think your problem may be something to do with the NT server. Have a go at adding a new test user, then logging onto the new test account using a Windows PC (afaik user accounts on NT have to be activated by logging in once using a Windows box).

acb67 07-22-2003 12:30 PM

Done. I still get the same problem. I don't see what that is supposed to do though. I feel like the problem is on my side. Something must be misconfigured.
As you see in the log, access gets granted. Tracing it through, it fails when it hits account sufficient pam_winbind.so. It doesn't seem to be doing what it is supposed to. Does pam_winbind.so look to the PDC to find the user or locally? You would think the PDC, but that's not what seems to be happening.

ndi 07-22-2003 12:32 PM

This is going to sound pretty dumb, but try reading the winbindd man file (man winbindd); it tells you exactly how to set it up. I didn't actually think winbindd would have a man file, but it does, so have a read :)

acb67 07-22-2003 01:19 PM

hmm...it seems like the function getpwnam() is looking in the wrong place...it is looking at my local authentication instead of the PDC.

How do I change this?

ndi 07-22-2003 02:26 PM

Have a play with /etc/pam.d/local

bentz 07-22-2003 02:49 PM

Some things for you to try:

Did you edit your /etc/nsswitch.conf to read:
passwd: files winbind

Did you edit your /etc/samba/smb.conf to contain
winbind uid = 10000-20000
winbind gid = 10000-20000
(or some other range of numerals outside of the ones already in use by /etc/passwd)

Did you join your domain?
smbpasswd -j DOMAIN -U Administrator

Also, the single greatest way to test winbind is with:
'getent passwd'

If winbind is broken, you will only see the accounts from your local /etc/passwd file.

If winbind is working, you will get a full enumeration of all the accounts from the domain controller. You've got to have a valid machine account to enumerate all the accounts (i.e. joined to the domain) and you've got to allocate free uids and gids in smb.conf for them to be assigned.
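
The checklist in the post above (the passwd line in nsswitch.conf, the winbind uid/gid ranges in smb.conf), combined with the pam_winbind lines from the system-auth file posted earlier, written as a static check. This is an added example, not part of any post in the thread; the function names, the sample file contents and the local id list are constructed for illustration.

```python
import re

# Constructed samples; the PAM lines mirror the system-auth quoted in the thread.
NSSWITCH_BROKEN = "passwd: files\ngroup: files\n"
NSSWITCH_FIXED = "passwd: files winbind\ngroup: files winbind\n"
SMB_CONF = "[global]\n  winbind uid = 10000-20000\n  winbind gid = 10000-20000\n"
PAM_STACK = """auth sufficient /lib/security/pam_winbind.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/$ISA/pam_unix.so
"""
LOCAL_IDS = {"uid": [0, 500, 501], "gid": [0, 100, 500]}  # constructed local ids

def nss_passwd_sources(nsswitch_text):
    """Sources listed on the 'passwd:' line of nsswitch.conf."""
    m = re.search(r"^\s*passwd:([^#\n]*)", nsswitch_text, re.M)
    return m.group(1).split() if m else []

def winbind_id_ranges(smb_conf_text):
    """{'uid': (lo, hi), 'gid': (lo, hi)} for each 'winbind uid/gid' line found."""
    ranges = {}
    for line in smb_conf_text.splitlines():
        m = re.match(r"\s*winbind\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$", line, re.I)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def pam_groups_using(pam_text, module="pam_winbind.so"):
    """PAM management groups (auth, account, ...) whose stack calls module."""
    used = set()
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and any(f.endswith(module) for f in fields[2:]):
            used.add(fields[0])
    return used

def check(nsswitch_text, smb_conf_text, pam_text, local_ids):
    """Return findings; an empty list means the checklist passes."""
    findings = []
    if "winbind" not in nss_passwd_sources(nsswitch_text):
        findings.append("nsswitch: passwd lacks winbind; getpwnam() sees local users only")
    ranges = winbind_id_ranges(smb_conf_text)
    for kind in ("uid", "gid"):
        if kind not in ranges:
            findings.append(f"smb.conf: no 'winbind {kind}' range")
        elif any(ranges[kind][0] <= i <= ranges[kind][1] for i in local_ids[kind]):
            findings.append(f"smb.conf: winbind {kind} range overlaps local ids")
    if findings and "auth" in pam_groups_using(pam_text):
        findings.append("pam: pam_winbind may accept a password for a user NSS cannot resolve")
    return findings
```

On a real host, pass the contents of /etc/nsswitch.conf, /etc/samba/smb.conf and the PAM service file, plus the ids taken from /etc/passwd and /etc/group.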

acb67 07-22-2003 03:26 PM

Yes, I have done all that. Winbind is working perfectly. getent shows every user in the domain and all that good stuff is fine. I get success when I do a wbinfo -a, -t, -p.

I will take a look at pam.d/local and see if that helps at all. I'll keep you posted.

bentz 07-22-2003 03:29 PM

How about 'authconfig' (redhat) to enable SMB support? Or editing the /etc/pam_smb.conf.

I've had this working before myself, so I can't imagine what could be wrong at this point.

acb67 07-22-2003 03:35 PM

I'm using SuSE, and I can't find authconfig. I do however have /etc/pam_smb.conf, but there seem to be 3 lines of bogus information in there. Is pam_smb.conf supposed to have something specific in it?


All times are GMT -5.