Samba - how to put into domain and authenticate (once again)

Mauri Sahlberg Mauri.Sahlberg at claymountain.com
Thu Dec 11 12:25:04 UTC 2003


Hop,

Thu, 2003-12-11 at 11:33, Grosswiler Roger wrote:
> Ho Mauri,
> 
> That's what i got from Nalin from Redhat:
> 
> To finish up, you'll need to make sure that the user has a home
> directory for gdm, kdm, and the like, but logging in at the console
> should work at this point, even if the user doesn't have a home
> directory.
> 

Actually this wasn't the reason. I did several things, but the most
important was to restart X and GDM. GDM now lets ntdomain users log
in, but gnome chokes completely (or orbit or gconfd or whatever). As
KDE works with ntdomain users, I'll let it be.

> and that's how i tried to resolve this problem (but still not so far, as i
> still cannot authenticate) so i hope this will work:
>         winbind separator = -
>         idmap uid = 20000-30000     -> do they have to match linux-users?
>         winbind gid = 20000-30000   -> do they have to match linux-groups?

No, they don't have to match Linux-users or groups. 

>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind cache time = 10
>         template homedir = /user/%U -> the homedir
>         template shell = /bin/bash -> and a shell
> 
> Do you know, do the idmap uid and winbind gid numbers have to match the
> linux-group numbers??
> 

No.

> i feel like the first rookie on this planet, as i still do not understand
> why winbind has to run on clients too, if i tell fedora to authenticate at
> MYDOMAIN at SERVER. i have activated this using
> redhat-config-authentication and just checked Samba-Auth and entered
> DOMAIN and SERVER.
> 

What are you actually trying to do? Trying to make Linux clients
authenticate against DOMAIN (that is what I'm trying to do)? Or trying to
use smb shares from Linux clients on a server that authenticates against
DOMAIN or is a domain controller? In the latter case you do not need
smb_auth or winbind. In the first case you need winbindd to fetch user
data from the DOMAIN.

> btw, if i just enter the winbind.so after the pam-unix.so in system-auth
> and just add use_first_pass on pam-unix.so i get funny messages in the
> log:
> Dec 11 10:24:22 morpheus sshd(pam_unix)[26344]: check pass; user unknown
> Dec 11 10:24:22 morpheus pam_winbind[26344]: request failed: Unexpected
> information received, PAM error was 4, NT error was
> NT_STATUS_INVALID_PARAMETER
> Dec 11 10:24:22 morpheus pam_winbind[26344]: internal module error (retval
> = 4, user = `NOUSER'
Somehow what winbindd tried to use as a user became null or garbled so
no username was sent.

> Dec 11 10:24:26 morpheus sshd(pam_unix)[26344]: check pass; user unknown

Your Linux client doesn't know that user, so it fails.

> Dec 11 10:24:26 morpheus pam_winbind[26344]: request failed: Unexpected
> information received, PAM error was 4, NT error was
> NT_STATUS_INVALID_PARAMETER
> Dec 11 10:24:26 morpheus pam_winbind[26344]: internal module error (retval
> = 4, user = `NOUSER'
> Dec 11 10:24:28 morpheus sshd(pam_unix)[26344]: 2 more authentication
> failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=trinity
> 
> if there is NOUSER i tried to authenticate with GWCH-roger (via ssh....)
> 
> and here if i login without indication of the domain...
> 
> Dec 11 10:25:03 morpheus su(pam_unix)[26393]: authentication failure;
> logname=roger uid=500 euid=0 tty= ruser=roger rhost=  user=root
> Dec 11 10:25:06 morpheus pam_winbind[26393]: request failed: Unexpected
> information received, PAM error was 4, NT error was
> NT_STATUS_INVALID_PARAMETER

What I now have in System-Auth:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
#account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_winbind.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow use_first_pass
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

And in smb.conf concerning winbindd:

    workgroup = NTDOMAIN1
    security = DOMAIN
    update encrypted = Yes
    obey pam restrictions = Yes
    password server = NALLE
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    winbind separator = +

Other relevant options are as defaults.

I'm rather sure that this is not the right way to do it, especially
concerning the pam configuration, but this seems to work somehow, except
for gnome.
-- 
Mauri "mos" Sahlberg	Pretax Systems Oy	+358 207 44 2228
Technology Evangelist	Pääskylänrinne 8	+358 207 44 2201
Bsc Computer Science	FIN-00500 Helsinki	www.pretax.net
Development Manager	Finland
