Samba - how to put into domain and authenticate (once again)

Grosswiler Roger roger at gwch.net
Thu Dec 11 14:20:33 UTC 2003


Hi,
seems like we're sitting in the same boat...

> Hop,
>
> On Thu, 2003-12-11 at 11:33, Grosswiler Roger wrote:
>> Hi Mauri,
>>
>> That's what i got from Nalin from Redhat:
>>
>> To finish up, you'll need to make sure that the user has a home
>> directory for gdm, kdm, and the like, but logging in at the console
>> should work at this point, even if the user doesn't have a home
>> directory.
>>
>
> Actually this wasn't the reason. I did several things, but the most
> important was to restart X and GDM. GDM now lets ntdomain users log
> in, but GNOME chokes completely (or ORBit or gconfd or whatever). As
> KDE works with ntdomain users I'll let it be.
>
>> and that's how I tried to resolve this problem (but still not so far, as I
>> still cannot authenticate), so I hope this will work:
>>         winbind separator = -
>>         idmap uid = 20000-30000     -> do they have to match linux-users?
>>         winbind gid = 20000-30000   -> do they have to match linux-groups?
>
> No, they don't have to match Linux-users or groups.
thx!
>
>>         winbind enum users = yes
>>         winbind enum groups = yes
>>         winbind cache time = 10
>>         template homedir = /user/%U -> the homedir
>>         template shell = /bin/bash -> and a shell
>>
>> Do you know, do the idmap uid and winbind gid numbers have to match the
>> linux-group numbers?
>>
>
> No.
thx!
>
>> I feel like the first rookie on this planet, as I still do not understand
>> why winbind has to run on the clients too, if I tell Fedora to authenticate
>> at MYDOMAIN at SERVER. I have activated this using
>> redhat-config-authentication and just checked Samba-Auth and entered
>> DOMAIN and SERVER.
>>
>
> What are you actually trying to do? Trying to make Linux clients
> authenticate against DOMAIN (that is what I'm trying to do)? Or trying to
> use smb shares from Linux clients on a server that authenticates against
> DOMAIN or is a domain controller? In the latter case you do not need
> smb_auth or winbind. In the first case you need winbindd to fetch user
> data from the DOMAIN.
>
I am trying to a) authenticate against the DOMAIN, and b) find a method that
does not use fstab to mount the SMB shares. I don't like having user and
password data in this file, not even with smbclient credentials...
>
>> BTW, if I just enter pam_winbind.so after pam_unix.so in system-auth
>> and just add use_first_pass on pam_unix.so, I get funny messages in the
>> log:
>> Dec 11 10:24:22 morpheus sshd(pam_unix)[26344]: check pass; user unknown
>> Dec 11 10:24:22 morpheus pam_winbind[26344]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
>> Dec 11 10:24:22 morpheus pam_winbind[26344]: internal module error (retval = 4, user = `NOUSER'
> Somehow what winbindd tried to use as a user became null or garbled so
> no username was sent.
>
>> Dec 11 10:24:26 morpheus sshd(pam_unix)[26344]: check pass; user unknown
>
> Your Linux client doesn't know that user, so it fails.
>
>> Dec 11 10:24:26 morpheus pam_winbind[26344]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
>> Dec 11 10:24:26 morpheus pam_winbind[26344]: internal module error (retval = 4, user = `NOUSER'
>> Dec 11 10:24:28 morpheus sshd(pam_unix)[26344]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=trinity
>>
>> Where it says NOUSER, I tried to authenticate as GWCH-roger (via ssh...)
>>
>> And here is what I get if I log in without specifying the domain...
>>
>> Dec 11 10:25:03 morpheus su(pam_unix)[26393]: authentication failure; logname=roger uid=500 euid=0 tty= ruser=roger rhost=  user=root
>> Dec 11 10:25:06 morpheus pam_winbind[26393]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
>
> What I now have in System-Auth:
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_winbind.so

This is also alright for me!

> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
> account     required      /lib/security/$ISA/pam_unix.so
> account     required      /lib/security/$ISA/pam_winbind.so
I haven't entered this! What is it for? Is it looking for an existing
account?
> password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow use_first_pass
> password    required      /lib/security/$ISA/pam_deny.so
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
>
> And in smb.conf concerning winbindd:
>
>     workgroup = NTDOMAIN1
>     security = DOMAIN
>     update encrypted = Yes
>     obey pam restrictions = Yes
>     password server = NALLE
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>     template shell = /bin/bash
>     winbind separator = +
>
> Other relevant options are as defaults.
>
> I'm rather sure that this is not the right way to do it, especially
> concerning the PAM configuration, but this seems to work somehow, except
> for GNOME.
> --
> Mauri "mos" Sahlberg	Pretax Systems Oy	+358 207 44 2228
> Technology Evangelist	Pääskylänrinne 8	+358 207 44 2201
> Bsc Computer Science	FIN-00500 Helsinki	www.pretax.net
> Development Manager	Finland
>
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
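Editor's note for anyone checking their own box against the configs quoted above. The three things this thread circles around can all be checked offline: whether pam_winbind sits before or after pam_unix in the auth stack and which of the two carries use_first_pass (the module that prompts first has nothing to reuse; a second prompter without use_first_pass asks for the password twice), whether the idmap ranges overlap existing local accounts (they need not match local ids, as Mauri says, but a collision hands a domain user somebody else's uid), and the account stack Roger asks about, which is where pam_winbind can reject a domain account after the password has been accepted. The "check pass; user unknown" lines in Roger's log are pam_unix failing to look the user up at all; that is also what you get when /etc/nsswitch.conf does not list winbind for passwd and group. The script below is an added example written for this page, not code from either poster or from Samba. The inputs at the bottom are constructed from the thread (Mauri's system-auth and smb.conf, Roger's smb.conf options and his description of his system-auth, plus a two-user /etc/passwd and /etc/group); that `winbind gid` is still accepted as a synonym for `idmap gid` is my assumption about Roger's spelling.

```python
"""Offline sanity checks for a winbind + PAM domain-login setup.
Added example for this thread, not code from either poster or from Samba; all
inputs at the bottom are CONSTRUCTED from the thread's quotes, nothing is read live."""
import re

PAM_LINE = re.compile(r"^\s*(auth|account|password|session)\s+\S+\s+(\S+)(.*)$")

def parse_pam(text):
    """Map each PAM type to its ordered list of (module basename, args)."""
    stacks = {}
    for m in filter(None, map(PAM_LINE.match, text.splitlines())):
        ptype, path, rest = m.groups()
        stacks.setdefault(ptype, []).append((path.rsplit("/", 1)[-1], rest.split()))
    return stacks

def pam_problems(text):
    """Stack-order and flag mistakes that surface as 'user unknown' or double prompts."""
    stacks, problems = parse_pam(text), []
    auth = [mod for mod, _ in stacks.get("auth", [])]
    if "pam_winbind.so" not in auth:
        problems.append("auth: pam_winbind.so missing")
    elif "pam_unix.so" in auth and auth.index("pam_winbind.so") > auth.index("pam_unix.so"):
        # pam_unix first: every DOMAIN+user attempt is logged 'user unknown' before winbind is asked
        problems.append("auth: pam_winbind.so should come before pam_unix.so")
    seen_prompt = False
    for mod, args in stacks.get("auth", []):
        if mod not in ("pam_unix.so", "pam_winbind.so"):  # the modules that ask for a password
            continue
        if not seen_prompt and "use_first_pass" in args:
            problems.append(f"auth: {mod} is the first password module; use_first_pass has nothing to reuse")
        if seen_prompt and not {"use_first_pass", "try_first_pass"} & set(args):
            problems.append(f"auth: {mod} will prompt a second time; add use_first_pass")
        seen_prompt = True
    if "pam_winbind.so" not in [mod for mod, _ in stacks.get("account", [])]:
        problems.append("account: pam_winbind.so missing; domain-side account checks never run")
    return problems

def nsswitch_problems(text):
    """pam_unix says 'user unknown' unless getpwnam() resolves domain users via winbind."""
    problems = []
    for db in ("passwd", "group"):
        m = re.search(rf"^\s*{db}\s*:\s*(.*)$", text, re.M)
        if "winbind" not in (m.group(1).split() if m else []):
            problems.append(f"nsswitch: {db} line lacks winbind")
    return problems

def smbconf_options(text):
    """'key = value' lines of an smb.conf fragment, lower-cased keys; comments/[sections] dropped."""
    lines = [l.strip() for l in text.splitlines()]
    return {k.strip().lower(): v.strip() for k, v in
            (l.split("=", 1) for l in lines if l and l[0] not in "#;[" and "=" in l)}

def local_ids(text):
    """Third colon field of /etc/passwd or /etc/group lines (uid or gid), as ints."""
    return {int(l.split(":")[2]) for l in text.splitlines() if l.count(":") >= 3}

def idmap_problems(smbconf, passwd_text, group_text):
    """idmap ranges need not match local ids (as Mauri says) but must not overlap them."""
    opts, problems = smbconf_options(smbconf), []
    # assumption: 'winbind uid'/'winbind gid' are the older spellings, accepted as synonyms
    ranges = {"uid": (opts.get("idmap uid") or opts.get("winbind uid"), local_ids(passwd_text)),
              "gid": (opts.get("idmap gid") or opts.get("winbind gid"), local_ids(group_text))}
    for kind, (spec, existing) in ranges.items():
        if not spec:
            problems.append(f"idmap {kind} not set; winbind cannot allocate {kind}s")
            continue
        lo, hi = (int(x) for x in spec.split("-"))
        clash = sorted(i for i in existing if lo <= i <= hi)
        if clash:
            problems.append(f"idmap {kind} range {spec} overlaps local {kind}s {clash}")
    sep = opts.get("winbind separator", "\\")
    if re.fullmatch(r"[A-Za-z0-9._-]", sep):  # legal inside a user name, so DOMAIN<sep>user is ambiguous
        problems.append(f"winbind separator {sep!r} can also occur in user names; use '+' or the default")
    return problems

# constructed inputs: Mauri's posted system-auth, Roger's described one, both smb.conf snippets
MAURI_PAM = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_winbind.so
"""
ROGER_PAM = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        sufficient    /lib/security/$ISA/pam_winbind.so
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
"""
SMB_MAURI = "security = DOMAIN\nidmap uid = 10000-20000\nidmap gid = 10000-20000\nwinbind separator = +\n"
SMB_ROGER = "winbind separator = -\nidmap uid = 20000-30000\nwinbind gid = 20000-30000\n"
PASSWD = "root:x:0:0:root:/root:/bin/bash\nroger:x:500:500:Roger:/home/roger:/bin/bash\n"
GROUP = "root:x:0:\nroger:x:500:\n"

if __name__ == "__main__":  # quick run over the constructed inputs
    print(pam_problems(ROGER_PAM), idmap_problems(SMB_ROGER, PASSWD, GROUP), nsswitch_problems("passwd: files\n"))
```

Run as a script it reports on Roger's variant; to check a live machine, feed the functions the contents of /etc/pam.d/system-auth, /etc/nsswitch.conf, /etc/samba/smb.conf, /etc/passwd and /etc/group instead of the constructed strings. Mauri's posted stack comes back clean; Roger's description (pam_unix first with use_first_pass, pam_winbind second without it, no winbind account line) trips four findings, and his `winbind separator = -` is flagged because a hyphen is legal inside user names.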