[K12OSN] Can't authenticate, from a linux client (K12LTSP), against a samba PDC/tdbsam
orlando carvalho
carlos.om.carvalho at gmail.com
Sat Feb 3 21:21:17 UTC 2007
Hi,
Since September 2006, I've been using a samba PDC (3.0.20) with tdbsam to
authenticate the users of a school network (90 XP boxes). All the users are
able to log in to the network from XP boxes.
Recently, I installed a samba client (K12LTSP) in the domain, but I have
a problem getting the linux client to authenticate against the Samba PDC. After
setting up all the config files (smb.conf, nsswitch, system-auth/pam and
pam_mount.conf) and starting all services, I can't log in. The error message is
"Account disabled by the administrator". This happens with all accounts.
When I try to log on to the linux client machine with a username and
password stored in samba, I get the following in /var/log/messages:
==> messages <==
Jan 31 17:41:38 ltspserver1 nmbd[2954]:
Jan 31 17:41:38 ltspserver1 nmbd[2954]: *****
Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' OK
Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' granted access
Jan 31 17:42:29 ltspserver1 gdm[3740]: session_child_run: Utilizador não autorizado a iniciar sessão
Jan 31 17:59:44 ltspserver1 restorecond: Reset file context /etc/mtab: system_u:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
Jan 31 18:00:18 ltspserver1 pam_winbind[3832]: user 'p1012' OK
Jan 31 18:00:18 ltspserver1 pam_winbind[3832]: user 'p1012' granted access
Jan 31 18:00:18 ltspserver1 gdm[3846]: session_child_run: Utilizador não autorizado a iniciar sessão
Jan 31 18:08:28 ws253.ltsp -- MARK --
TRANSLATION of "Utilizador não autorizado a iniciar sessão": User not
allowed to start session
On the Samba PDC, the command pdbedit -Lv p1012 prints:
Unix username: p1012
NT username:
Account Flags: [UX ]
User SID: S-1-5-21-3881466999-1126814743-3210567677-7692
Primary Group SID: S-1-5-21-3881466999-1126814743-3210567677-2113
Full Name: Carlos Carvalho
Home Directory: \\servlinux\p1012
HomeDir Drive: X:
Logon Script: logon.bat
Profile Path:
Domain: ESCOLA
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
Password last set: Thu, 04 Jan 2007 18:00:11 GMT
Password can change: Thu, 04 Jan 2007 18:00:11 GMT
Password must change: Tue, 19 Jan 2038 03:14:07 GMT
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
All the following commands succeeded:
wbinfo -u
wbinfo -g
wbinfo -t
getent passwd
My config files are:
SMB.CONF (SAMBA PDC):
[global]
unix charset = iso8859-1
display charset = cp850
workgroup = ESCOLA
server string = Samba Server
passdb backend = tdbsam
passwd chat = *new*password* %n\n re-enter*new*password* %n\n password*changed*
username map = /etc/samba/smbusers
log level = 2 auth
syslog = 0
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = wins bcast hosts
time server = Yes
printcap name = cups
show add printer wizard = No
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
logon script = logon.bat
logon path =
logon drive = X:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
admin users = root
veto oplock files = /*.doc/*.xls/*.mdb/
[homes]
comment = Home Directories - %p
valid users = %S
read only = No
browseable = No
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No
[netlogon]
comment = Network Logon Service
path = /home/netlogon/%u
read only = No
browseable = No
[software]
comment = Instalacao de SW
path = /apps/programas
create mode = 770
directory mode = 770
valid users = root @ti
admin users = p650 p1012 p894
writeable = yes
browseable = no
[professores]
comment = Ficheiros para professores
path = /apps/professores
create mode = 770
directory mode = 770
valid users = root @professores
admin users = p650 p1012 p894
writeable = yes
browseable = no
[administracao]
comment = Programas de Gestao
path = /apps/administracao
create mode = 775
directory mode = 775
valid users = root @professores @t1213
admin users = p894 p774 p140
writeable = yes
browseable = no
[software_livre]
comment = Software Livre
path = /dados/livre
create mode = 777
directory mode = 777
valid users = root @professores @alunos @formacao
admin users = p1012 p755 p650 p894
writeable = yes
browseable = yes
SMB.CONF (LINUX CLIENT):
[global]
workgroup = ESCOLA
security = domain
log file = /var/log/samba/%m.log
max log size = 50
wins server = 192.168.1.10
password server = 192.168.1.10
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/false
winbind use default domain = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
SYSTEM-AUTH (LINUX CLIENT):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_mount.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_smb_auth.so use_first_pass nolocal
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_mkhomedir.so skel=/etc/skel umask 0022
session optional pam_mount.so use_first_pass
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
PAM_MOUNT (LINUX CLIENT):
debug 0
mkmountpoint 1
fsckloop /dev/loop7
options_allow nosuid,nodev,loop,encryption
options_require nosuid,nodev
lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKTARGET)
losetup /sbin/losetup -p0 "%(before=\"-e \" CIPHER)" "%(before=\"-k \" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbmount /bin/mount -t smbfs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /bin/mount -t ncpfs %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
umount /bin/umount %(MNTPT)
lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o \" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount %(SERVER):%(VOLUME) "%(MNTPT)%(before=\"-o \" OPTIONS)"
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)
volume * smb 192.168.1.10 & /home/&/online uid=&,dmask=0570 - -
I've tested with k12ltsp 5.0/k12ltsp 6.0 and Samba 3.0.23c/Samba
3.0.23d without success. Before testing, I installed all the available
updates.
Almost everything is working well, and the system is able to create the users'
home directories with pam_mkhomedir.so skel=/etc/skel umask 0022.
I tried the commands <<smbpasswd -e p1012>> and <<pdbedit -r -c "[X ]
p1012>> without success.
Meanwhile, I successfully joined a Fedora Core 4 linux client.
I need an easy way to deploy terminals, so could you help me find the
correct way to solve my problem?
Thank You,
Carlos Carvalho
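
Added example (not part of the original post): the log above shows pam_winbind granting access in the same second that gdm refuses the session, so the refusal comes after authentication, and the account attributes winbind supplies are worth checking; the client smb.conf sets template shell = /bin/false. This sketch runs both checks on constructed sample input. The function names, the list of non-login shells and the same-second correlation rule are assumptions of the example.

```python
import configparser
import re

# Assumed list of shells that refuse interactive logins.
NON_LOGIN_SHELLS = {"/bin/false", "/bin/true", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample input, taken from the log excerpt and client smb.conf in the post.
SAMPLE_LOG = """\
Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' OK
Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' granted access
Jan 31 17:42:29 ltspserver1 gdm[3740]: session_child_run: Utilizador não autorizado a iniciar sessão
"""
SAMPLE_SMB_CONF = "[global]\nworkgroup = ESCOLA\nsecurity = domain\ntemplate shell = /bin/false\n"

SYSLOG = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([\w.-]+)\[\d+\]: (.*)$")
GRANTED = re.compile(r"user '([^']+)' granted access")

def post_auth_refusals(log_text):
    """Return (timestamp, user) where pam_winbind granted access and gdm
    logged a session_child_run error in the same second."""
    granted, refusals = {}, []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, prog, msg = m.groups()
        ok = GRANTED.match(msg)
        if prog == "pam_winbind" and ok:
            granted[ts] = ok.group(1)
        elif prog == "gdm" and msg.startswith("session_child_run:") and ts in granted:
            refusals.append((ts, granted[ts]))
    return refusals

def winbind_template_shell(smb_conf_text):
    """Shell winbind assigns to domain users (Samba's default is /bin/false)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(smb_conf_text)
    return cp.get("global", "template shell", fallback="/bin/false")

def triage(log_text, smb_conf_text):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"{ts}: '{u}' passed pam_winbind auth but gdm refused the session"
                for ts, u in post_auth_refusals(log_text)]
    shell = winbind_template_shell(smb_conf_text)
    if shell in NON_LOGIN_SHELLS:
        findings.append(f"template shell = {shell}: winbind users get a non-login shell")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG, SAMPLE_SMB_CONF)))
```

On the client itself, `getent passwd p1012` shows the shell field that the login stack actually receives for the domain user.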