ADS authentication & Samba/Winbind

Matthijs.Sneijders at corusgroup.com
Wed Nov 1 08:02:11 UTC 2006


1. Is your time synced correctly?
2. Is DNS working correctly forward/reverse?
3. Can you get a ticket using kinit?

Matthijs

                                                     
"Buddy Jennings" <buddyj at msn.com>
Sent by: redhat-list-bounces@redhat.com
31-10-2006 23:42
Please respond to General Red Hat Linux discussion list

To:       redhat-list at redhat.com
cc:
Subject:  ADS authentication & Samba/Winbind




Sorry for the long post, but any help would be appreciated!

I have two RH AS4 boxes.  I have configured both to authenticate against my
Windows ADS.
The only difference between the machines is one is a 32-bit build and the
other is a 64-bit build.
Linux 64bit.mydomain.com 2.6.9-42.0.3.ELsmp #1 SMP Mon Sep 25 17:24:31 EDT
2006 x86_64 x86_64 x86_64 GNU/Linux
Linux 32bit.mydomains.com 2.6.9-42.0.3.ELsmp #1 SMP Mon Sep 25 17:28:02 EDT
2006 i686 i686 i386 GNU/Linux

Both machines allow domain users to log in to standard services, ssh or ftp
for example.
Home directories are created when they log in on either machine.
ntlm_auth and getent work on both systems.

My 32-bit machine will allow 3rd-party apps (those I've tested) to
authenticate the users, but the same apps fail to authenticate the same
users on the 64-bit machine.

I have compared the following files (they are the same bytes even!)
/etc/pam.d/system-auth
/etc/pam.d/squid
/etc/pam.d/samba
/etc/samba/smb.conf
/etc/hosts
/etc/sysconfig/iptables
/etc/sysconfig/samba
/etc/sysconfig/authconfig
/etc/sysconfig/network
/etc/sysconfig/squid
/etc/sysconfig/saslauthd
/etc/krb5.conf
/etc/nsswitch.conf
/etc/pam_smb.conf
/etc/log.d/conf/services/pam.conf

Both machines are running the same services.

In the /var/log/samba directory:
The smbd.log files are similar.
nmbd.log: The 32-bit machine promotes itself as local browser master, the
64-bit machine doesn't; otherwise all entries are the same.

/var/log/messages and /var/log/secure show the same sequence on login on
either machine.

A 3rd-party vendor gave me a utility, called caut, that calls pam-auth and
outputs debug info. Notice that the module called auth_etc_passwd passes on
the 32-bit but not on the 64-bit.

32-bit output (passwords x'd out!):

[root@ tmp]# ./caut

Authentication dump
service (eg "su") -
user name - mydomain\buddyj
password (will be echoed) - xxxxxx
auth_auth: debug 1 inline 0
auth_trusted: getspname did not find an entry for User mydomain\buddyj
auth_etc_passswd: getpwnam found entry for User mydomain\buddyj
     pw_name: buddyj
   pw_passwd: *
auth_check_passwd_crypt: FAILED (Standard crypt) *****
auth_check_passwd_crypt: Salt * passwd * crypt_result **XXXXXXXXXX
Calling pam_start
pam_start succeeded for service , user mydomain\buddyj
Calling pam_authenticate
[GUI]Authentication failure for mydomain\buddyj  (PAM Err# 7)
[Result]NOK
Authentication failure for mydomain\buddyj

64-bit output:
[root@64bit caut]# ./caut

Authentication dump
service (eg "su") -
user name - mydomain\buddyj
password (will be echoed) - xxxxx
auth_auth: debug 1 inline 0
auth_trusted: getspname did not find an entry for User mydomain\buddyj
auth_etc_passwd: getpwnam did not find an entry for User mydomain\buddyj
Calling pam_start
pam_start succeeded for service , user mydomain\buddyj
Calling pam_authenticate
[GUI]Authentication failure for mydomain\buddyj  (PAM Err# 7)
[Result]NOK
Authentication failure for mydomain\buddyj

I can't find any config difference!  How else can you determine
configuration differences between two machines?  Any suggestions?

I'll post a follow up of the steps I used on both machines.

Thanx!
Buddy
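
The three checks asked at the top of this reply (clock sync, forward/reverse DNS, a Kerberos ticket) can be scripted as below. This is an added example, not part of either post; it assumes the domain controller answers NTP on UDP 123 and that klist is installed, and the DC name given on the command line is whatever your site uses.

```python
import socket, struct, subprocess, sys, time

NTP_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MAX_SKEW = 300           # default Kerberos clock-skew tolerance, in seconds

def ntp_transmit_time(reply):
    """Unix time taken from the transmit timestamp of an (S)NTP reply."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    secs, frac = struct.unpack("!II", reply[40:48])
    return secs - NTP_DELTA + frac / 2**32

def query_dc_time(dc, timeout=3.0):
    """Input for check 1: ask the DC's time service (UDP 123) for its clock."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"\x1b" + 47 * b"\0", (dc, 123))  # LI=0, version 3, client mode
        return ntp_transmit_time(s.recvfrom(512)[0])

def skew_ok(local, remote, limit=MAX_SKEW):
    """Check 1: both clocks must agree within the Kerberos tolerance."""
    return abs(local - remote) <= limit

def dns_round_trip(name, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Check 2: the PTR record of name's address must lead back to name."""
    addr = forward(name)
    host, aliases, _ = reverse(addr)
    seen = {n.lower().rstrip(".") for n in [host, *aliases]}
    return addr, name.lower().rstrip(".") in seen

def has_ticket():
    """Check 3: after kinit, `klist -s` exits 0 only for an unexpired ticket."""
    try:
        return subprocess.call(["klist", "-s"]) == 0
    except FileNotFoundError:      # Kerberos client tools not installed
        return False

def preflight(dc):
    """Run all three checks against one DC; lookup/network errors count as failures."""
    def safe(fn):
        try:
            return fn()
        except OSError:            # timeout, unreachable host, resolver error
            return False
    return {"time": safe(lambda: skew_ok(time.time(), query_dc_time(dc))),
            "dns": safe(lambda: dns_round_trip(dc)[1]),
            "kinit": has_ticket()}

if __name__ == "__main__":
    print(preflight(sys.argv[1]))  # argument: your DC's fully qualified name
```

Run kinit first, then run the script on each machine; any False entry names the check to look at.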

