Getting pam working with samba (with active directory authentication)
Hey, I'm having a problem getting smb with AD auth working with pam. This is the error msg I get. I think it has something to do with pam not knowing what the domain prefix means...
If I set smb.conf to ignore pam restrictions everything works fine, but I am under the impression that I need pam for dynamically creating users' home directories for Windows smb clients. ... please correct me if I'm wrong. Code:
[2008/05/01 10:26:50, 3] auth/auth.c:check_ntlm_password(270)

/etc/pam.d/samba
Code:
#%PAM-1.0

/etc/smb.conf
Code:
[global]
Hi
you get NT_STATUS_NO_SUCH_USER... and this means just what this means. Your system tries to authenticate a user named 'WINIX+' which is wrong. If you do not have anything against using the 'standard' M$ login string (aka DOMAIN\user instead of DOMAIN+user) comment out this line:
Code:
winbind separator = +
and restart samba/winbind. Check if the domain works:
Code:
wbinfo -u
You should get all the users, both from the domain and your machine (/etc/passwd). You already have the pam module for creating userdirs:
Code:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
Remember to create the base dir in /home (WINIX in your case).
cheers, lukost
Thank you very much for the help, it works like a charm now!
I have another issue: I'm trying to allow the domain users access to their old home folders from a previous file server. The error msg I receive is: Code:
[2008/05/01 15:22:14, 3] smbd/password.c:register_vuid(280)

smb config is: Code:
[global]
Hi.
This is because Samba matches AD users to their Linux UIDs in a funny way by default (it gives a new one when needed). So what you have to do is to chown all the user dirs to match their new UIDs (you can get the new uids using the wbinfo command). There is a method to ensure that the ad-user-to-uid mapping is the same no matter where you configure winbind, but this won't help in your situation. Anyway, if you haven't chowned all the dirs already I suggest putting these lines into your smb.conf:
Code:
idmap domains = WINIX
idmap config WINIX:backend = rid   #enable remote AD-SID based uid mapping
idmap config WINIX:base_rid = 0    #start with 0
idmap config WINIX:range = 20000 - 49999   #AD uid mapping will result in uids between 20000 and 49999
The users will get the same uids from now on, no matter which machine you run winbind on. Even after re-installation. I mean if user "maryann" has got uid 20000 this would be the same after reinstalling your machine and putting the same lines into the new smb.conf. This is because the uids are mapped based on AD user SID (or GUID) and not created dynamically on your machine.
cheers, lukost
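The following is an added example, not code from the thread or from Samba: it parses the idmap rid settings quoted above, works out the uid winbind would assign from a user's domain SID (assuming the idmap_rid rule ID = RID - base_rid + low_range), flags RIDs that fall outside the configured range, and builds the chown commands needed to hand the old home dirs to the new uids. The home paths, old uids and SIDs are constructed sample data.

```python
import re

# Constructed sample of the idmap lines from the reply above.
IDMAP_CONF = """
idmap domains = WINIX
idmap config WINIX:backend = rid
idmap config WINIX:base_rid = 0
idmap config WINIX:range = 20000 - 49999
"""

def parse_idmap(conf: str, domain: str) -> dict:
    """Pull the backend, base_rid and uid range for one domain out of smb.conf text."""
    pat = re.compile(rf"^\s*idmap config {re.escape(domain)}\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
    cfg = dict(pat.findall(conf))
    lo, hi = (int(x) for x in cfg["range"].split("-"))
    return {"backend": cfg["backend"], "base_rid": int(cfg.get("base_rid", 0)), "low": lo, "high": hi}

def rid_to_uid(sid: str, cfg: dict):
    """uid idmap_rid derives from a domain account SID, or None if it lands outside the range."""
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    rid = int(m.group(1))
    uid = rid - cfg["base_rid"] + cfg["low"]   # assumption: idmap_rid mapping rule
    if uid < cfg["low"] or uid > cfg["high"]:
        return None   # winbind cannot map this RID with the configured range
    return uid

def chown_plan(homes: dict, sids: dict, cfg: dict) -> list:
    """chown commands moving each old home dir to the rid-derived uid (skips dirs already correct)."""
    cmds = []
    for user, (path, old_uid) in homes.items():
        new_uid = rid_to_uid(sids[user], cfg)
        if new_uid is None:
            cmds.append(f"# {user}: RID outside idmap range, widen 'range' in smb.conf first")
        elif new_uid != old_uid:
            cmds.append(f"chown -R {new_uid} {path}")
    return cmds

if __name__ == "__main__":
    cfg = parse_idmap(IDMAP_CONF, "WINIX")
    # Constructed: old file server uids and the users' SIDs (as wbinfo -n would report them).
    homes = {"maryann": ("/home/WINIX/maryann", 1001), "bob": ("/home/WINIX/bob", 1002)}
    sids = {"maryann": "S-1-5-21-1-2-3-1105", "bob": "S-1-5-21-1-2-3-40000"}
    print("\n".join(chown_plan(homes, sids, cfg)))
```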