Ok, been trying to get this working for a couple days so far. Basically what I am doing is trying to get a linux box to allow domain users to login, using domain authentication, etc off of a windows 2000 domain.
Here is what works:
Krb5 authentication works
Machine is registered with Active Directory correctly as member of domain (net ads testjoin is "Good")
Samba has all the settings for Winbind (I think)
wbinfo works
ldapsearch works
getent works
authentication works
What doesn't work is the PAM call to pam_winbind.so.
In the syslog any time I try to login (doing a console login for testing) it authenticates the user fine (see log below) but then runs into an error that I can't get enough information for. I scattered pam_warns through the login and system-auth files, tried removing stack calls to system-auth, etc. I'm assuming that correctly passing the pam_winbind.so call in the auth section should mean that it is done with the auth stack and ready to move onto the next one (?), so I am not absolutely sure that the error is in pam_winbind since it could be in the next thing that gets called. In any case, been searching for a solution for this one since mid-day yesterday and figured I would see if anyone had any ideas.
Files:
Code: /etc/pam.d/login
#%PAM-1.0
auth required pam_warn.so
auth sufficient pam_winbind.so debug
auth required pam_warn.so
auth required pam_securetty.so debug
auth required pam_stack.so service=system-auth debug
auth required pam_warn.so
auth required pam_nologin.so debug
account sufficient pam_winbind.so debug
account required pam_stack.so service=system-auth debug
password required pam_warn.so
password sufficient pam_winbind.so use_authtok debug
password required pam_stack.so service=system-auth debug
session required pam_selinux.so close
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_stack.so service=system-auth debug
session optional pam_console.so debug
session required pam_selinux.so multiple open debug
Code: /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_warn.so
auth sufficient pam_winbind.so debug
auth required pam_warn.so
auth required pam_env.so debug
auth sufficient pam_unix.so likeauth nullok use_first_pass debug audit
auth required pam_deny.so debug
account sufficient pam_winbind.so debug
account required pam_unix.so debug audit
#password required pam_crack_lib.so retry=3 type=
password sufficient pam_unix.so nullok md5 shadow debug audit
password required pam_deny.so debug
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_limits.so debug
session required pam_unix.so debug
Code: smb.conf (checked with testparm of course)
[global]
#server information
netbios name = MYSERVER
realm = MYDOMAIN.COM
workgroup = MYSHORTDOMAIN
server string = %h Server (Samba %v)
#log files
log file = /var/log/samba/%m.log
max log size = 50
#printers
printcap name = /etc/printcap
load printers = yes
cups options = raw
#Security and Password settings
security = ads
encrypt passwords = yes
#Winbind settings
idmap uid = 500-100000000
idmap gid = 500-100000000
winbind use default domain = yes
winbind nested groups = yes
#winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%G/%U
template shell = /bin/bash
password server = MY_DC_SERVER
#admin users = "Domain Admins"
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
[homes]
comment = Home Directories
browseable = no
writeable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes
[public]
path = /public
writeable = yes
browseable = yes
guest ok = yes
Syslog Entry:
Code:
Apr 28 12:24:21 MYSERVER PAM-warn[6042]: function=[pam_sm_authenticate] service=[login] terminal=[pts/4] user=[myusername] ruser=[<unknown>] rhost=[<unknown>]
Apr 28 12:24:22 MYSERVER pam_winbind[6042]: Verify user `myusername'
Apr 28 12:24:23 MYSERVER pam_winbind[6042]: user `myusername' granted access
Apr 28 12:24:23 MYSERVER pam_winbind[6042]: user `myusername' granted access
Apr 28 12:24:23 MYSERVER login[6042]: initgroups: Operation not permitted
---
Obviously I have changed the realm name, short domain name, server name, DC Server name, etc.
---
If anyone has any ideas for finding further information or for even a possible answer I would appreciate it.
-T
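Added diagnostic, not part of the post above and not Samba or PAM code: a Python script that parses the quoted syslog excerpt and attributes each line to the process that emitted it. The syslog tags already say which component spoke: the "granted access" lines carry the pam_winbind tag, while the "Operation not permitted" line carries the login tag, i.e. it was raised by the login binary's own initgroups() call after the PAM auth stack returned success. The script makes that attribution mechanical and maps the strerror() text to its errno meaning as documented in setgroups(2) and initgroups(3). The failure-marker list, the ERRNO_HINTS table and the function names are my own assumptions; the sample lines are the ones quoted in the post, embedded inline.

```python
"""Attribute syslog lines from a login attempt to PAM modules vs. the calling
application, and locate the first failure relative to the PAM modules' own
verdicts. Added example; input is the syslog excerpt quoted in the post."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Classic BSD syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Tags under which PAM modules log (pam_winbind, pam_unix, PAM-warn, ...).
# Any other tag (login, sshd, ...) is the application that called the stack.
_PAM_TAG_PREFIXES = ("pam_", "PAM-")

# Substrings treated as a failure, matched case-insensitively (assumption).
_FAILURE_MARKERS = ("not permitted", "permission denied", "denied", "failed", "error")

# strerror() text -> errno meaning, from setgroups(2) and initgroups(3).
ERRNO_HINTS = {
    "Operation not permitted": "EPERM: the caller lacks CAP_SETGID, so setgroups() was refused",
    "Invalid argument": "EINVAL: the supplementary group list exceeds NGROUPS_MAX",
    "Cannot allocate memory": "ENOMEM: the group list could not be allocated",
}

@dataclass
class Entry:
    ts: str
    host: str
    prog: str
    pid: Optional[int]
    msg: str

    @property
    def from_pam_module(self) -> bool:
        return self.prog.startswith(_PAM_TAG_PREFIXES)

    @property
    def is_failure(self) -> bool:
        low = self.msg.lower()
        return any(marker in low for marker in _FAILURE_MARKERS)

def parse_line(line: str) -> Optional[Entry]:
    """Parse one syslog line; return None for lines in another layout."""
    m = _SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pid = m.group("pid")
    return Entry(m.group("ts"), m.group("host"), m.group("prog"),
                 int(pid) if pid else None, m.group("msg"))

def explain_errno_text(msg: str) -> Optional[str]:
    """Map the strerror() text at the end of a message to its errno meaning."""
    for text, hint in ERRNO_HINTS.items():
        if msg.endswith(text):
            return hint
    return None

def localize_failure(lines: List[str]) -> dict:
    """Return the first failing entry, whether a PAM module raised it, the
    last verdict a PAM module logged before it, and the errno hint."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    last_pam_verdict = None
    for e in entries:
        if e.is_failure:
            return {
                "pid": e.pid,
                "failing_prog": e.prog,
                "failing_msg": e.msg,
                "failure_in_pam_module": e.from_pam_module,
                "last_pam_verdict": last_pam_verdict,
                "errno_hint": explain_errno_text(e.msg),
            }
        if e.from_pam_module:
            last_pam_verdict = (e.prog, e.msg)
    return {"pid": None, "failing_prog": None, "failing_msg": None,
            "failure_in_pam_module": False,
            "last_pam_verdict": last_pam_verdict, "errno_hint": None}

# The syslog lines quoted in the post, embedded inline for an offline run.
SAMPLE_LOG = [
    "Apr 28 12:24:21 MYSERVER PAM-warn[6042]: function=[pam_sm_authenticate] service=[login] terminal=[pts/4] user=[myusername] ruser=[<unknown>] rhost=[<unknown>]",
    "Apr 28 12:24:22 MYSERVER pam_winbind[6042]: Verify user `myusername'",
    "Apr 28 12:24:23 MYSERVER pam_winbind[6042]: user `myusername' granted access",
    "Apr 28 12:24:23 MYSERVER pam_winbind[6042]: user `myusername' granted access",
    "Apr 28 12:24:23 MYSERVER login[6042]: initgroups: Operation not permitted",
]

if __name__ == "__main__":
    r = localize_failure(SAMPLE_LOG)
    where = "a PAM module" if r["failure_in_pam_module"] else "the calling application, after PAM returned"
    print(f"pid {r['pid']}: failure raised by {r['failing_prog']} ({where})")
    print(f"  message: {r['failing_msg']}")
    print(f"  last PAM verdict: {r['last_pam_verdict']}")
    print(f"  errno: {r['errno_hint']}")
```

Run against the post's excerpt it reports the failure as coming from login, with pam_winbind's "granted access" as the last PAM verdict, which is why adding more pam_warn lines to the auth stack cannot surface it: the stack had already finished. On a live box, feed it `grep 6042 /var/log/messages` (or whatever PID the attempt used) to get the same attribution for a fresh attempt.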