Samba - how to put into domain and authenticate (once again)
Grosswiler Roger
roger at gwch.net
Thu Dec 11 14:20:33 UTC 2003
hei,
Seems like we are sitting in the same boat....
> Hop,
>
> On Thu, 2003-12-11 at 11:33, Grosswiler Roger wrote:
>> Ho Mauri,
>>
>> That's what I got from Nalin from Red Hat:
>>
>> To finish up, you'll need to make sure that the user has a home
>> directory for gdm, kdm, and the like, but logging in at the console
>> should work at this point, even if the user doesn't have a home
>> directory.
>>
>
> Actually this wasn't the reason. I did several things but the most
> important was to restart X and GDM. GDM now lets ntdomain users log
> in but GNOME chokes completely (or ORBit or gconfd or whatever). As
> KDE works with ntdomain users I'll let it be.
>
>> and that's how I tried to resolve this problem (but still not so far, as
>> I still cannot authenticate), so I hope this will work:
>> winbind separator = -
>> idmap uid = 20000-30000 -> do they have to match Linux users?
>> winbind gid = 20000-30000 -> do they have to match Linux groups?
>
> No, they don't have to match Linux-users or groups.
thx!
>
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind cache time = 10
>> template homedir = /user/%U -> the homedir
>> template shell = /bin/bash -> and a shell
>>
>> Do you know whether the idmap uid and winbind gid numbers have to match
>> the Linux group numbers??
>>
>
> No.
thx!
>
>> I feel like the first rookie on this planet, as I still do not
>> understand why winbind has to run on the clients too, if I tell Fedora to
>> authenticate at MYDOMAIN at SERVER. I have activated this using
>> redhat-config-authentication and just checked Samba-Auth and entered
>> DOMAIN and SERVER.
>>
>
> What are you actually trying to do? Trying to make Linux clients
> authenticate against DOMAIN (that is what I'm trying to do)? Or trying to
> use smb shares from Linux clients on a server that authenticates against
> DOMAIN or is a domain controller? In the latter case you do not need
> smb_auth or winbind. In the first case you need winbindd to fetch user
> data from the DOMAIN.
>
I am trying to a) authenticate against the DOMAIN, and b) find a method
that does not use fstab to mount the smb shares. I don't like having user and
password data in this file, not even with smbclient credentials...
>
>> btw, if I just enter winbind.so after pam_unix.so in system-auth
>> and just add use_first_pass on pam_unix.so I get funny messages in the
>> log:
>> Dec 11 10:24:22 morpheus sshd(pam_unix)[26344]: check pass; user unknown
>> Dec 11 10:24:22 morpheus pam_winbind[26344]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
>> Dec 11 10:24:22 morpheus pam_winbind[26344]: internal module error (retval = 4, user = `NOUSER'
> Somehow what winbindd tried to use as a user became null or garbled so
> no username was sent.
>
>> Dec 11 10:24:26 morpheus sshd(pam_unix)[26344]: check pass; user unknown
>
> Your Linux client doesn't know that user so it fails.
>
>> Dec 11 10:24:26 morpheus pam_winbind[26344]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
>> Dec 11 10:24:26 morpheus pam_winbind[26344]: internal module error (retval = 4, user = `NOUSER'
>> Dec 11 10:24:28 morpheus sshd(pam_unix)[26344]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=trinity
>>
>> Where it says NOUSER, I tried to authenticate with GWCH-roger (via ssh....)
>>
>> and here is what I get if I log in without specifying the domain...
>>
>> Dec 11 10:25:03 morpheus su(pam_unix)[26393]: authentication failure; logname=roger uid=500 euid=0 tty= ruser=roger rhost= user=root
>> Dec 11 10:25:06 morpheus pam_winbind[26393]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
>
> What I now have in System-Auth:
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_winbind.so
this is also alright for me!
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
> #account required /lib/security/$ISA/pam_unix.so
> account required /lib/security/$ISA/pam_winbind.so
I haven't entered this! What is it for?? Is it looking for an existing
account??
> password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow use_first_pass
> password required /lib/security/$ISA/pam_deny.so
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
>
> And in smb.conf concerning winbindd:
>
> workgroup = NTDOMAIN1
> security = DOMAIN
> update encrypted = Yes
> obey pam restrictions = Yes
> password server = NALLE
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> winbind separator = +
>
> Other relevant options are as defaults.
>
> I'm rather sure that this is not the right way to do it, especially
> concerning the PAM configuration, but this seems to work somehow except
> for GNOME.
> --
> Mauri "mos" Sahlberg Pretax Systems Oy +358 207 44 2228
> Technology Evangelist Pääskylänrinne 8 +358 207 44 2201
> Bsc Computer Science FIN-00500 Helsinki www.pretax.net
> Development Manager Finland
>
>
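As an added example (not code from the thread or from either poster), a small Python check that encodes the PAM points raised above: use_first_pass placed on a module before anything has prompted, the trailing pam_deny, and the account-stack pam_winbind line Roger asks about. The two sample stacks are constructed from the configurations quoted in the thread.

```python
# Added example: lint a PAM system-auth stack for the pam_winbind ordering mistakes
# discussed in the thread. WORKING is typed from Mauri's layout above; BROKEN is the
# "winbind after pam_unix, use_first_pass on pam_unix" layout Roger described.
PROMPTING = {"pam_unix.so", "pam_winbind.so"}  # ask for a password unless use_first_pass

def parse_pam(text):
    """Return (stack, control, module, args) per rule; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3:
            rules.append((parts[0], parts[1], parts[2].rsplit("/", 1)[-1], parts[3:]))
    return rules

def lint_winbind_stack(text):
    """Return findings; an empty list means the stack matches the working layout."""
    rules = parse_pam(text)
    auth = [r for r in rules if r[0] == "auth"]
    findings, prompted = [], False
    for _, _, module, args in auth:
        # use_first_pass only works if a module earlier in the same stack already asked.
        if "use_first_pass" in args and not prompted:
            findings.append(f"auth: {module} has use_first_pass but nothing before it prompted")
        if module in PROMPTING and "use_first_pass" not in args:
            prompted = True
    # pam_env 'required' succeeds first, so a run of failed 'sufficient' modules would leave
    # the stack successful; the trailing pam_deny is what turns that into a denial.
    if not auth or auth[-1][2] != "pam_deny.so":
        findings.append("auth: stack does not end with pam_deny.so")
    # The account stack is where winbind enforces disabled/expired/restricted domain accounts.
    if not any(r[0] == "account" and r[2] == "pam_winbind.so" for r in rules):
        findings.append("account: pam_winbind.so missing")
    return findings

WORKING = """\
auth     required   /lib/security/$ISA/pam_env.so
auth     sufficient /lib/security/$ISA/pam_winbind.so
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth     required   /lib/security/$ISA/pam_deny.so
account  required   /lib/security/$ISA/pam_unix.so
account  required   /lib/security/$ISA/pam_winbind.so
"""
BROKEN = """\
auth     required   /lib/security/$ISA/pam_env.so
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth     sufficient /lib/security/$ISA/pam_winbind.so
auth     required   /lib/security/$ISA/pam_deny.so
account  required   /lib/security/$ISA/pam_unix.so
"""
```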