
Re: [K12OSN] Can't authenticate, from a linux client (K12LTSP), against a samba PDC/tdbsam



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Did you set up a machine account for the linux box??

On Feb 3, 2007, at 3:21 PM, orlando carvalho wrote:

Hi,

Since September 2006, I've been using a samba PDC (3.0.20) with tdbsam to authenticate the users of a school network (90 XP boxes). All the users are able to log in to the network from XP boxes.

Recently, I've installed a samba client (K12LTSP) in the domain, but I have a problem getting the linux client to authenticate against the Samba PDC. After setting up all the config files (smb.conf, nsswitch, system-auth/pam and pam_mount.conf) and starting all services, I can't log in. The error message is "Account disabled by the administrator". This happens with all accounts.

When I try to logon into the linux client machine with a username and password stored in samba I get the following in /var/log/messages:

==> messages <==
Jan 31 17:41:38 ltspserver1 nmbd[2954]:
Jan 31 17:41:38 ltspserver1 nmbd[2954]: *****
Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' OK
Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' granted access
Jan 31 17:42:29 ltspserver1 gdm[3740]: session_child_run: Utilizador não autorizado a iniciar sessão
Jan 31 17:59:44 ltspserver1 restorecond: Reset file context /etc/mtab: system_u:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
Jan 31 18:00:18 ltspserver1 pam_winbind[3832]: user 'p1012' OK
Jan 31 18:00:18 ltspserver1 pam_winbind[3832]: user 'p1012' granted access
Jan 31 18:00:18 ltspserver1 gdm[3846]: session_child_run: Utilizador não autorizado a iniciar sessão
Jan 31 18:08:28 ws253.ltsp -- MARK --



TRANSLATION of "Utilizador não autorizado a iniciar sessão": User not allowed to start session



On the Samba PDC, the command pdbedit -Lv p1012 prints:

Unix username: p1012
NT username:
Account Flags: [UX ]
User SID: S-1-5-21-3881466999-1126814743-3210567677-7692
Primary Group SID: S-1-5-21-3881466999-1126814743-3210567677-2113
Full Name: Carlos Carvalho
Home Directory: \\servlinux\p1012
HomeDir Drive: X:
Logon Script: logon.bat
Profile Path:
Domain: ESCOLA
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
Password last set: Thu, 04 Jan 2007 18:00:11 GMT
Password can change: Thu, 04 Jan 2007 18:00:11 GMT
Password must change: Tue, 19 Jan 2038 03:14:07 GMT
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF



All the following commands succeeded:

wbinfo -u
wbinfo -g
wbinfo -t
getent passwd



My config files are:



SMB.CONF (SAMBA PDC):

[global]
unix charset = iso8859-1
display charset = cp850
workgroup = ESCOLA
server string = Samba Server
passdb backend = tdbsam
passwd chat = *new*password* %n\n re-enter*new*password* %n\n password*changed*
username map = /etc/samba/smbusers
log level = 2 auth
syslog = 0
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = wins bcast hosts
time server = Yes
printcap name = cups
show add printer wizard = No
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
logon script = logon.bat
logon path =
logon drive = X:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
admin users = root
veto oplock files = /*.doc/*.xls/*.mdb/

[homes]
comment = Home Directories - %p
valid users = %S
read only = No
browseable = No

[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No

[netlogon]
comment = Network Logon Service
path = /home/netlogon/%u
read only = No
browseable = No

[software]
comment = Instalacao de SW
path = /apps/programas
create mode = 770
directory mode = 770
valid users = root @ti
admin users = p650 p1012 p894
writeable = yes
browseable = no

[professores]
comment = Ficheiros para professores
path = /apps/professores
create mode = 770
directory mode = 770
valid users = root @professores
admin users = p650 p1012 p894
writeable = yes
browseable = no

[administracao]
comment = Programas de Gestao
path = /apps/administracao
create mode = 775
directory mode = 775
valid users = root @professores @t1213
admin users = p894 p774 p140
writeable = yes
browseable = no

[software_livre]
comment = Software Livre
path = /dados/livre
create mode = 777
directory mode = 777
valid users = root @professores @alunos @formacao
admin users = p1012 p755 p650 p894
writeable = yes
browseable = yes



SMB.CONF (LINUX CLIENT):

[global]
workgroup = ESCOLA
security = domain
log file = /var/log/samba/%m.log
max log size = 50
wins server = 192.168.1.10
password server = 192.168.1.10
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/false
winbind use default domain = yes

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no



SYSTEM-AUTH (LINUX CLIENT):

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_mount.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_smb_auth.so use_first_pass nolocal
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_mkhomedir.so skel=/etc/skel umask 0022
session optional pam_mount.so use_first_pass
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so



PAM_MOUNT (LINUX CLIENT):

debug 0
mkmountpoint 1
fsckloop /dev/loop7
options_allow	nosuid,nodev,loop,encryption
options_require	nosuid,nodev
lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKTARGET)
losetup /sbin/losetup -p0 "%(before=\"-e \" CIPHER)" "%(before=\"-k \" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbmount /bin/mount -t smbfs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /bin/mount -t ncpfs %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
umount /bin/umount %(MNTPT)
lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o \" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount %(SERVER):%(VOLUME) "%(MNTPT)%(before=\"-o \" OPTIONS)"
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)

volume * smb 192.168.1.10 & /home/&/online uid=&,dmask=0570 - -





I've tested with k12ltsp 5.0/k12ltsp 6.0 and Samba 3.0.23c/Samba 3.0.23d without success. Before testing, I installed all the available updates.

Almost everything is working well and the system is able to create the users home directories with pam_mkhomedir.so skel=/etc/skel umask 0022.

I tried the commands <<smbpasswd -e p1012>> and <<pdbedit -r -c "[X ] p1012>> without success.

Meanwhile, I successfully joined a linux client running Fedora Core 4.

I need an easy way to deploy terminals, so could you help me find the correct way to solve my problem?



Thank You,

Carlos Carvalho

_______________________________________________
K12OSN mailing list
K12OSN redhat com
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iEYEARECAAYFAkXHJYYACgkQfqZR3ThMfXRqcwCfWo/hOS1a4EIxHSYaZvQPrdXz
QLIAnRABXKujaqfkecK+yer2vaDhbd1R
=oV8A
-----END PGP SIGNATURE-----
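
An added example, not part of the original thread: the log in the post shows pam_winbind granting access and gdm then refusing the session, so this sketch pairs those two events and reads the client's `template shell`, which winbind hands to domain users as their login shell. That a display manager refuses users whose shell is a non-login shell such as /bin/false is an assumption to verify on the affected system; the function names and sample strings are constructed here.

```python
import re

# Constructed sample input: lines copied from the log and client smb.conf in the post.
SAMPLE_LOG = """\
Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' OK
Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' granted access
Jan 31 17:42:29 ltspserver1 gdm[3740]: session_child_run: Utilizador não autorizado a iniciar sessão
Jan 31 18:00:18 ltspserver1 pam_winbind[3832]: user 'p1012' granted access
Jan 31 18:00:18 ltspserver1 gdm[3846]: session_child_run: Utilizador não autorizado a iniciar sessão
"""
SAMPLE_CONF = "[global]\nworkgroup = ESCOLA\nsecurity = domain\ntemplate shell = /bin/false\n"
# Assumption: shells a display manager treats as "login not allowed".
NON_LOGIN_SHELLS = {"/bin/false", "/bin/true", "/sbin/nologin", "/usr/sbin/nologin"}
LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ([\w.-]+)(?:\[\d+\])?: ?(.*)$")
GRANT_RE = re.compile(r"user '([^']+)' granted access")

def auth_ok_but_session_denied(log_text):
    """(timestamp, user) for each pam_winbind grant followed by a gdm session_child_run error."""
    hits, pending = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, prog, msg = m.groups()
        grant = GRANT_RE.search(msg) if prog == "pam_winbind" else None
        if grant:
            pending = (stamp, grant.group(1))
        elif prog == "gdm" and msg.startswith("session_child_run:") and pending:
            hits.append(pending)
            pending = None
    return hits

def template_shell(conf_text):
    """Shell winbind assigns to domain users; Samba's default is /bin/false when unset."""
    shell, section = "/bin/false", None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            if key.replace(" ", "").lower() == "templateshell":
                shell = value.strip()
    return shell

if __name__ == "__main__":
    denied = auth_ok_but_session_denied(SAMPLE_LOG)
    shell = template_shell(SAMPLE_CONF)
    print("authenticated but refused a session:", denied)
    print("template shell:", shell, "| non-login shell:", shell in NON_LOGIN_SHELLS)
```

On a live client, `getent passwd p1012` shows the shell winbind actually returns for the account.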

