ADS authentication & Samba/Winbind

Buddy Jennings buddyj at msn.com
Wed Nov 1 14:50:34 UTC 2006


1.  Yes, they are time synced.


2. That appears okay.

[root@newhou ~]# nslookup fdi-srvr1  (this is the PDC)
Server:         192.168.12.6
Address:        192.168.12.6#53

Name:   fdi-srvr1.fdi.com
Address: 192.168.12.6

[root@newhou ~]# nslookup 192.168.12.6
Server:         192.168.12.6
Address:        192.168.12.6#53

6.12.168.192.in-addr.arpa       name = fdi-srvr1.fdi.com.

+++++

[root@newhou ~]# nslookup 192.168.12.14
Server:         192.168.12.6
Address:        192.168.12.6#53

14.12.168.192.in-addr.arpa      name = newhou.fdi.com.



3. kinit - yes
[root@newhou ~]# kinit buddyj@FDI.COM
Password for buddyj@FDI.COM:
[root@newhou ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: buddyj@FDI.COM

Valid starting     Expires            Service principal
11/01/06 08:43:59  11/01/06 18:44:02  krbtgt/FDI.COM@FDI.COM
        renew until 11/02/06 08:43:59

>From: Matthijs.Sneijders at corusgroup.com
>Reply-To: General Red Hat Linux discussion list <redhat-list at redhat.com>
>To: General Red Hat Linux discussion list <redhat-list at redhat.com>
>Subject: Re: ADS authentication & Samba/Winbind
>Date: Wed, 1 Nov 2006 09:02:11 +0100
>
>1.  is your time synced correctly?
>2.  is DNS working correctly forward/reverse?
>3. can you get a ticket using kinit?
>
>Matthijs
>
>Matthijs Sneijders
>CORUS Research, Development & Technology
>Building 3G16 room 3-312
>P.O. Box 10.000
>1970 CA IJMUIDEN
>phone  +31 (0)251-496400
>fax    +31 (0)251-470064
>mail   matthijs.sneijders at corusgroup.com
>
>"Buddy Jennings" <buddyj at msn.com>
>Sent by: redhat-list-bounces@redhat.com
>31-10-2006 23:42
>Please respond to General Red Hat Linux discussion list
>
>To:       redhat-list at redhat.com
>cc:
>Subject:  ADS authentication & Samba/Winbind
>
>Sorry for the long post, but any help would be appreciated!
>
>I have two RH AS4 boxes.  I have configured both to authenticate against my
>windows ADS.
>The only difference between the machines is one is a 32-bit build and the
>other is a 64-bit build.
>Linux 64bit.mydomain.com 2.6.9-42.0.3.ELsmp #1 SMP Mon Sep 25 17:24:31 EDT
>2006 x86_64 x86_64 x86_64 GNU/Linux
>Linux 32bit.mydomains.com 2.6.9-42.0.3.ELsmp #1 SMP Mon Sep 25 17:28:02 EDT
>2006 i686 i686 i386 GNU/Linux
>
>Both machines allow domain users to log in to standard services, ssh or ftp
>for example.
>Home directories are created when they log in on either machine.
>ntlm_auth and getent work on both systems.
>
>My 32-bit machine will allow 3rd-party apps (those I've tested) to
>authenticate the users, but the same apps fail to authenticate the same
>users on the 64-bit machine.
>
>I have compared the following files (they are the same bytes even!)
>/etc/pam.d/system-auth
>/etc/pam.d/squid
>/etc/pam.d/samba
>/etc/samba/smb.conf
>/etc/hosts
>/etc/sysconfig/iptables
>/etc/sysconfig/samba
>/etc/sysconfig/authconfig
>/etc/sysconfig/network
>/etc/sysconfig/squid
>/etc/sysconfig/saslauthd
>/etc/krb5.conf
>/etc/nsswitch.conf
>/etc/pam_smb.conf
>/etc/log.d/conf/services/pam.conf
>
>Both machines are running the same services.
>
>In the /var/log/samba directory:
>smbd.log files are similar.
>nmbd.log: The 32-bit machine promotes itself as local browser master, the
>64-bit machine doesn't, otherwise all entries are the same.
>
>/var/log/messages and /var/log/secure show the same sequence on login on
>either machine.
>
>A 3rd party vendor gave me a utility that calls pam-auth and outputs debug
>info, called caut. Notice that the module called auth_etc_passwd passes on
>32-bit but not on the 64-bit.
>
>32-bit output (passwords x'd out!):
>
>[root@ tmp]# ./caut
>
>Authentication dump
>service (eg "su") -
>user name - mydomain\buddyj
>password (will be echoed) - xxxxxx
>auth_auth: debug 1 inline 0
>auth_trusted: getspname did not find an entry for User mydomain\buddyj
>auth_etc_passswd: getpwnam found entry for User mydomain\buddyj
>      pw_name: buddyj
>    pw_passwd: *
>auth_check_passwd_crypt: FAILED (Standard crypt) *****
>auth_check_passwd_crypt: Salt * passwd * crypt_result **XXXXXXXXXX
>Calling pam_start
>pam_start succeeded for service , user mydomain\buddyj
>Calling pam_authenticate
>[GUI]Authentication failure for mydomain\buddyj  (PAM Err# 7)
>[Result]NOK
>Authentication failure for mydomain\buddyj
>
>64-bit output:
>[root@64bit caut]# ./caut
>
>Authentication dump
>service (eg "su") -
>user name - mydomain\buddyj
>password (will be echoed) - xxxxx
>auth_auth: debug 1 inline 0
>auth_trusted: getspname did not find an entry for User mydomain\buddyj
>auth_etc_passwd: getpwnam did not find an entry for User mydomain\buddyj
>Calling pam_start
>pam_start succeeded for service , user mydomain\buddyj
>Calling pam_authenticate
>[GUI]Authentication failure for mydomain\buddyj  (PAM Err# 7)
>[Result]NOK
>Authentication failure for mydomain\buddyj
>
>I can't find any config difference!  How else can you determine
>configuration differences between two machines?  Any suggestions?
>
>I'll post a follow up of the steps I used on both machines.
>
>Thanx!
>Buddy
>
>--
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list
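
The three checks asked about in this thread (time sync, forward/reverse DNS, a ticket from kinit), written as an added example that is not part of the original posts. It runs over captured output copied from the transcript above, with the archive's " at " restored to "@"; the function names and the epoch values are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Sample text is taken (trimmed) from the transcripts in this post.
FWD='Server:         192.168.12.6
Address:        192.168.12.6#53

Name:   fdi-srvr1.fdi.com
Address: 192.168.12.6'
REV='Server:         192.168.12.6
Address:        192.168.12.6#53

6.12.168.192.in-addr.arpa       name = fdi-srvr1.fdi.com.'
KLIST='Default principal: buddyj@FDI.COM
11/01/06 08:43:59  11/01/06 18:44:02  krbtgt/FDI.COM@FDI.COM'

# 1. Time: Kerberos rejects requests whose clock skew exceeds the limit
#    (300 seconds by default). Arguments are epoch seconds.
skew_ok() {  # skew_ok LOCAL_EPOCH DC_EPOCH [MAX_SECONDS]
  d=$(( $1 - $2 ))
  if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
  [ "$d" -le "${3:-300}" ]
}

# 2. DNS: the A record and the PTR record must point back at each other.
forward_addr() {  # first Address line after the Name line
  awk '/^Name:/ {seen=1; next} seen && /^Address:/ {print $2; exit}'
}
reverse_name() {  # PTR target without its trailing dot
  awk '/in-addr\.arpa/ && /name = / {sub(/\.$/, "", $NF); print $NF; exit}'
}
dns_consistent() {  # dns_consistent FWD_TEXT REV_TEXT FQDN IP
  [ "$(printf '%s\n' "$1" | forward_addr)" = "$4" ] &&
  [ "$(printf '%s\n' "$2" | reverse_name)" = "$3" ]
}

# 3. Ticket: klist must list a TGT, krbtgt/REALM@REALM, for the realm.
has_tgt() {  # has_tgt KLIST_TEXT REALM
  printf '%s\n' "$1" | grep -F -q "krbtgt/$2@$2"
}

# Live use: pass "$(nslookup fdi-srvr1)", "$(nslookup 192.168.12.6)", "$(klist)".
# The epoch values below are constructed for illustration.
skew_ok 1162392239 1162392274 && echo "time: within skew"
dns_consistent "$FWD" "$REV" fdi-srvr1.fdi.com 192.168.12.6 && echo "dns: forward and reverse agree"
has_tgt "$KLIST" FDI.COM && echo "kinit: TGT present"
```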




