Samba - how to put into domain and authenticate (once again)
Mauri Sahlberg
Mauri.Sahlberg at claymountain.com
Thu Dec 11 12:25:04 UTC 2003
Hop,
On Thu, 2003-12-11 at 11:33, Grosswiler Roger wrote:
> Ho Mauri,
>
> That's what i got from Nalin from Redhat:
>
> To finish up, you'll need to make sure that the user has a home
> directory for gdm, kdm, and the like, but logging in at the console
> should work at this point, even if the user doesn't have a home
> directory.
>
Actually this wasn't the reason. I did several things but the most
important was to restart X and GDM. GDM now lets ntdomain users log
in but gnome chokes completely (or orbit or gconfd or whatever). As
KDE works with ntdomain users I'll let it be.
> and that's how i tried to resolve this problem (but still not so far, as i
> still cannot authenticate) so i hope this will work:
> winbind separator = -
> idmap uid = 20000-30000 -> do they have to match linux-users?
> winbind gid = 20000-30000 -> do they have to match linux-groups?
No, they don't have to match Linux-users or groups.
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 10
> template homedir = /user/%U -> the homedir
> template shell = /bin/bash -> and a shell
>
> Do you know, have the idmap uid and winbind gid numbers to match the
> linux-group numbers??
>
No.
> i feel like the first rookie on this planet, as i still do not understand,
> why winbind has to run on clients too, if i tell fedora to authenticate at
> MYDOMAIN at SERVER. i have activated this using
> redhat-config-authentication and just checked Samba-Auth and entered
> DOMAIN and SERVER.
>
What are you actually trying to do? Trying to make Linux clients
authenticate against DOMAIN (that is what I'm trying to do)? Or trying to
use smb shares from Linux clients on a server that authenticates against
DOMAIN or is a domain controller? In the latter case you do not need
smb_auth or winbind. In the first case you need winbindd to fetch user
data from the DOMAIN.
> btw, if i just enter the winbind.so after the pam-unix.so in system-auth
> and just add use_first_pass on pam-unix.so i get funny messages in the
> log:
> Dec 11 10:24:22 morpheus sshd(pam_unix)[26344]: check pass; user unknown
> Dec 11 10:24:22 morpheus pam_winbind[26344]: request failed: Unexpected
> information received, PAM error was 4, NT error was
> NT_STATUS_INVALID_PARAMETER
> Dec 11 10:24:22 morpheus pam_winbind[26344]: internal module error (retval
> = 4, user = `NOUSER'
Somehow what winbindd tried to use as a user became null or garbled so
no username was sent.
> Dec 11 10:24:26 morpheus sshd(pam_unix)[26344]: check pass; user unknown
Your Linux client doesn't know that user so it fails.
> Dec 11 10:24:26 morpheus pam_winbind[26344]: request failed: Unexpected
> information received, PAM error was 4, NT error was
> NT_STATUS_INVALID_PARAMETER
> Dec 11 10:24:26 morpheus pam_winbind[26344]: internal module error (retval
> = 4, user = `NOUSER'
> Dec 11 10:24:28 morpheus sshd(pam_unix)[26344]: 2 more authentication
> failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=trinity
>
> if there is NOUSER i tried to authenticate with GWCH-roger (via ssh....)
>
> and here if i login without indication of the domain...
>
> Dec 11 10:25:03 morpheus su(pam_unix)[26393]: authentication failure;
> logname=roger uid=500 euid=0 tty= ruser=roger rhost= user=root
> Dec 11 10:25:06 morpheus pam_winbind[26393]: request failed: Unexpected
> information received, PAM error was 4, NT error was
> NT_STATUS_INVALID_PARAMETER
What I now have in system-auth (long lines were wrapped by the mailer;
each directive is one line):
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/$ISA/pam_deny.so
#account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_winbind.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow use_first_pass
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
And in smb.conf concerning winbindd:
workgroup = NTDOMAIN1
security = DOMAIN
update encrypted = Yes
obey pam restrictions = Yes
password server = NALLE
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +
Other relevant options are as defaults.
I'm rather sure that this is not the right way to do it, especially
concerning the pam configuration, but this seems to work somehow except
for gnome.
--
Mauri "mos" Sahlberg Pretax Systems Oy +358 207 44 2228
Technology Evangelist Pääskylänrinne 8 +358 207 44 2201
Bsc Computer Science FIN-00500 Helsinki www.pretax.net
Development Manager Finland
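Added example, not from this thread or from Samba: a small Python classifier for the pam_unix/pam_winbind syslog lines quoted above. It parses each line, groups the events by PID so that one login attempt reads as one sequence, and turns the sequence into a defender-facing hint (for instance, the `user = `NOUSER'` case means winbindd never received a username). The category names and the hint wording are this example's own conventions; the sample log is the quoted lines re-joined onto single lines.

```python
"""Classify pam_unix / pam_winbind syslog lines from a failed domain login.

Added example; not part of the Samba list thread. SAMPLE_LOG is the log
quoted in the thread, re-joined onto one line per event. Category names
and hint text are this example's own conventions, not pam_winbind's.
"""
import re
from collections import defaultdict

# Syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
NT_STATUS_RE = re.compile(r"NT error was (NT_STATUS_[A-Z0-9_]+)")
USER_RE = re.compile(r"\buser=(\S*)")   # \b skips the "ruser=" field

# Constructed sample: the thread's lines, each re-joined onto a single line.
SAMPLE_LOG = """\
Dec 11 10:24:22 morpheus sshd(pam_unix)[26344]: check pass; user unknown
Dec 11 10:24:22 morpheus pam_winbind[26344]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Dec 11 10:24:22 morpheus pam_winbind[26344]: internal module error (retval = 4, user = `NOUSER'
Dec 11 10:24:26 morpheus sshd(pam_unix)[26344]: check pass; user unknown
Dec 11 10:24:26 morpheus pam_winbind[26344]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Dec 11 10:24:26 morpheus pam_winbind[26344]: internal module error (retval = 4, user = `NOUSER'
Dec 11 10:24:28 morpheus sshd(pam_unix)[26344]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=trinity
Dec 11 10:25:03 morpheus su(pam_unix)[26393]: authentication failure; logname=roger uid=500 euid=0 tty= ruser=roger rhost= user=root
Dec 11 10:25:06 morpheus pam_winbind[26393]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
"""


def classify(msg):
    """Map one PAM message to a category plus any detail worth keeping."""
    if "more authentication failures" in msg:       # summary line, check first
        return "repeated-failures", {}
    if "user unknown" in msg:                       # pam_unix: no local account
        return "local-user-unknown", {}
    if "user = `NOUSER'" in msg:                    # pam_winbind got no username
        return "winbind-empty-username", {}
    if msg.startswith("request failed"):            # winbindd refused the request
        m = NT_STATUS_RE.search(msg)
        return "winbind-request-failed", {"nt_status": m.group(1) if m else None}
    if "authentication failure" in msg:             # pam_unix: wrong password/user
        m = USER_RE.search(msg)
        return "unix-auth-failure", {"user": m.group(1) if m else None}
    return "other", {}


def parse_log(text):
    """Parse syslog text into a list of event dicts (unparseable lines skipped)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # "sshd(pam_unix)" -> service sshd, module pam_unix; bare "pam_winbind"
        # has no service part.
        service, _, module = m.group("prog").partition("(")
        module = module.rstrip(")") or service
        category, detail = classify(m.group("msg"))
        events.append({"ts": m.group("ts"), "pid": m.group("pid"),
                       "service": service if module != service else None,
                       "module": module, "category": category, **detail})
    return events


def sessions_by_pid(text):
    """Group events by PID: PAM logs every module of one attempt under one PID."""
    by_pid = defaultdict(list)
    for ev in parse_log(text):
        by_pid[ev["pid"]].append(ev)
    return dict(by_pid)


def diagnose(events):
    """Turn one PID's event sequence into a short hint (this example's heuristics)."""
    cats = {e["category"] for e in events}
    if "winbind-empty-username" in cats:
        return ("pam_winbind received no usable username: the name never reached "
                "winbindd (check the DOMAIN<separator>user form against "
                "'winbind separator' and that winbindd is running)")
    if "winbind-request-failed" in cats and "unix-auth-failure" in cats:
        return ("local account failed and the domain lookup of the same name "
                "failed too: the name was not given in DOMAIN<separator>user form")
    if "local-user-unknown" in cats:
        return "account is unknown locally and was not resolved via winbind"
    return "no winbind-related failure recognised"


if __name__ == "__main__":
    for pid, evs in sessions_by_pid(SAMPLE_LOG).items():
        print(pid, [e["category"] for e in evs])
        print("   ->", diagnose(evs))
```

Grouping by PID is what makes the quoted log readable: the three pam_unix/pam_winbind lines at 10:24:22 are one attempt under sshd PID 26344, and the su attempt at 10:25:03 is a separate one under PID 26393, so the two hints can differ even though both end in NT_STATUS_INVALID_PARAMETER.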