Linux/AD authentication stops working after ~5 minutes

I'm trying to do something fairly simple: login to a Linux box using a
Windows AD-based account. I've followed the various recipes available
online for configuring Linux (winbind, PAM, etc.) to this end, and I've
almost got it working.
I'm able to authenticate an AD-based user immediately after bringing up
the Linux box, but a short time later (roughly 5 minutes, but it varies)
I can no longer authenticate. Running 'wbinfo -u' fixes the problem
temporarily, although I'm not sure how or why. The 'winbind cache time'
param in smb.conf has no effect on the problem.
Any ideas as to what's going on? Is this more likely to be a
misconfiguration or an issue with my version of Samba? Thanks in advance
for any insight.
System configuration info follows:
AD server is Windows Server 2003 SP1. There is only one AD domain, named
"DOMAIN.LOCAL", and it is small (for testing purposes).
Linux box is Fedora Core 3. Kernel is 2.6.9-1.667. It is joined to the
AD server domain only.
Win2k3 is running as a guest OS in VMware and Fedora is the host OS. (I
doubt this config has anything to do with the problem.)
Samba packages:
samba-common-3.0.10-1.fc3
samba-swat-3.0.10-1.fc3
samba-3.0.10-1.fc3
samba-client-3.0.10-1.fc3
I'm running winbind, but not smbd or nmbd. The latter doesn't seem to be
necessary, nor is it sufficient to solve my problem.
smb.conf:
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
server string = Samba Server
security = ADS
password server = vmdc1.domain.local
log level = 1 ads:10 auth:10 sam:10 rpc:10 winbind:5
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = lmhosts bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
dns proxy = No
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind cache time = 10
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
PAM packages:
pam-0.77-65
pam_passwdqc-0.7.5-2
pam-devel-0.77-65
pam_smb-1.1.7-5
pam_krb5-2.1.2-1
pam_ccreds-1-3
/etc/pam.d/system-auth (used by /etc/pam.d/sshd, etc.):
#auth
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
#account
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
#password
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
#session
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
Relevant nsswitch.conf lines:
passwd: files winbind
shadow: files winbind
group: files winbind
EM
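A small poller for the symptom described above, added here as an example and not part of the thread: it time-stamps the moment winbindd stops answering so the "roughly 5 minutes" can be matched against the winbind log. It assumes wbinfo is in PATH and winbindd is running; it deliberately avoids 'wbinfo -u' as a probe, since the post reports that running it masks the failure.

```shell
#!/bin/sh
# Added example (not from the thread): poll winbindd and report each
# OK <-> FAIL transition with the seconds elapsed since start.
# Assumes wbinfo is in PATH and winbindd is running. 'wbinfo -u' is NOT
# used as a probe because the original poster reports it hides the problem.

# probe NAME CMD... : run CMD quietly, print a time-stamped OK/FAIL line,
# return 0 on success and 1 on failure.
probe() {
    name=$1; shift
    if "$@" >/dev/null 2>&1; then
        printf '%s OK   %s\n' "$(date '+%H:%M:%S')" "$name"
        return 0
    else
        printf '%s FAIL %s\n' "$(date '+%H:%M:%S')" "$name"
        return 1
    fi
}

# monitor [INTERVAL] : run the probes every INTERVAL seconds (default 30)
# and report state changes, so "fails some minutes after boot" becomes a
# concrete offset you can search for in the winbind log.
monitor() {
    interval=${1:-30}
    start=$(date +%s)
    state=unknown
    while :; do
        if probe "wbinfo -p (winbindd answers)" wbinfo -p &&
           probe "wbinfo -t (machine trust secret)" wbinfo -t; then
            new=ok
        else
            new=fail
        fi
        if [ "$new" != "$state" ]; then
            now=$(date +%s)
            printf '%s state %s -> %s, %ds after start\n' \
                "$(date '+%H:%M:%S')" "$state" "$new" "$((now - start))"
            state=$new
        fi
        sleep "$interval"
    done
}

# Usage (file name is hypothetical): sh winbind-monitor.sh run [interval]
case "${1:-}" in
    run) monitor "${2:-30}" ;;
esac
```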
No.1
> password server = vmdc1.domain.local
AFAIK this option is only required for security = DOMAIN - if you're
using security = ADS then when you join the domain Samba/winbind will
find out which server to use for passwords. I also think you will need
Samba running to 'maintain' the connection to the domain - although if
you can run "net ads testjoin" without smbd running then I guess it
shouldn't matter.
Cheers,
Adam.
No.2
Adam Nielsen wrote:
> password server = vmdc1.domain.local
> AFAIK this option is only required for security = DOMAIN - if you're
> using security = ADS then when you join the domain Samba/winbind will
> find out which server to use for passwords.
Thanks for the reply, Adam. I believe 'password server' is OK with
'security = ADS' -- it just saves a lookup of the KDC in /etc/krb5.conf.
> I also think you will need
> Samba running to 'maintain' the connection to the domain - although if
> you can run "net ads testjoin" without smbd running then I guess it
> shouldn't matter.
Yeah, it doesn't. 'wbinfo -t' also succeeds without smbd.
-McG
No.3
Adam Nielsen wrote:
> password server = vmdc1.domain.local
> AFAIK this option is only required for security = DOMAIN - if you're
> using security = ADS then when you join the domain Samba/winbind will
> find out which server to use for passwords. I also think you will need
> Samba running to 'maintain' the connection to the domain - although if
> you can run "net ads testjoin" without smbd running then I guess it
> shouldn't matter.
The "password server" option works the same for both
security = domain and ads.
cheers, jerry
No.4
Try running just nmbd and winbind. Without nmbd running, WINS resolution of
the Linux host is not going to work and maybe that is what is hindering the
authentication.
Good luck,
Vijay Avarachen
No.5
Vijay Avarachen wrote:
> Try running just nmbd and winbind. Without nmbd running, WINS resolution of
> the Linux host is not going to work and maybe that is what is hindering the
> authentication.
Thanks for the reply, but running nmbd has no effect on the problem.
-McG