[K12OSN] Can't authenticate, from a linux client (K12LTSP), against a samba PDC/tdbsam

Burke Almquist balmquist at mindfirestudios.com
Mon Feb 5 12:39:34 UTC 2007



Did you set up a machine account for the Linux box?

On Feb 3, 2007, at 3:21 PM, orlando carvalho wrote:

> Hi,
>
> Since September 2006, I've been using a samba PDC (3.0.20) with
> tdbsam, to authenticate the users of a school network (90 XP
> boxes). All the users are able to log in to the network from XP boxes.
>
> Recently, I've installed a samba client (K12LTSP) in the domain,
> but I have a problem getting the Linux client to authenticate against
> the Samba PDC. After setting up all the config files (smb.conf,
> nsswitch, system-auth/pam and pam_mount.conf) and starting all
> services, I can't log in. The error message is "Account disabled by
> the administrator". This happens with all accounts.
>
> When I try to logon into the linux client machine with a username  
> and password stored in samba I get the following in /var/log/messages:
>
> ==> messages <==
>
> Jan 31 17:41:38 ltspserver1 nmbd[2954]:
>
> Jan 31 17:41:38 ltspserver1 nmbd[2954]: *****
>
> Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' OK
>
> Jan 31 17:42:29 ltspserver1 pam_winbind[3455]: user 'p1012' granted access
>
> Jan 31 17:42:29 ltspserver1 gdm[3740]: session_child_run: Utilizador não autorizado a iniciar sessão
>
> Jan 31 17:59:44 ltspserver1 restorecond: Reset file context /etc/mtab: system_u:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
>
> Jan 31 18:00:18 ltspserver1 pam_winbind[3832]: user 'p1012' OK
>
> Jan 31 18:00:18 ltspserver1 pam_winbind[3832]: user 'p1012' granted access
>
> Jan 31 18:00:18 ltspserver1 gdm[3846]: session_child_run: Utilizador não autorizado a iniciar sessão
>
> Jan 31 18:08:28 ws253.ltsp -- MARK --
>
>
>
> TRANSLATION of "Utilizador não autorizado a iniciar sessão": User  
> not allowed to start session
>
>
>
> On the Samba PDC, the command pdbedit -Lv p1012 prints:
>
> Unix username: p1012
>
> NT username:
>
> Account Flags: [UX ]
>
> User SID: S-1-5-21-3881466999-1126814743-3210567677-7692
>
> Primary Group SID: S-1-5-21-3881466999-1126814743-3210567677-2113
>
> Full Name: Carlos Carvalho
>
> Home Directory: \\servlinux\p1012
>
> HomeDir Drive: X:
>
> Logon Script: logon.bat
>
> Profile Path:
>
> Domain: ESCOLA
>
> Account desc:
>
> Workstations:
>
> Munged dial:
>
> Logon time: 0
>
> Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
>
> Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
>
> Password last set: Thu, 04 Jan 2007 18:00:11 GMT
>
> Password can change: Thu, 04 Jan 2007 18:00:11 GMT
>
> Password must change: Tue, 19 Jan 2038 03:14:07 GMT
>
> Last bad password : 0
>
> Bad password count : 0
>
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>
>
> All the following commands succeeded:
>
> wbinfo -u
>
> wbinfo -g
>
> wbinfo -t
>
> getent passwd
>
>
>
> My config files are:
>
>
>
> SMB.CONF (SAMBA PDC):
>
> [global]
>
> unix charset = iso8859-1
>
> display charset = cp850
>
> workgroup = ESCOLA
>
> server string = Samba Server
>
> passdb backend = tdbsam
>
> passwd chat = *new*password* %n\n re-enter*new*password* %n\n password*changed*
>
> username map = /etc/samba/smbusers
>
> log level = 2 auth
>
> syslog = 0
>
> log file = /var/log/samba/%m.log
>
> max log size = 50
>
> name resolve order = wins bcast hosts
>
> time server = Yes
>
> printcap name = cups
>
> show add printer wizard = No
>
> add user script = /usr/sbin/useradd -m %u
>
> delete user script = /usr/sbin/userdel -r %u
>
> add group script = /usr/sbin/groupadd %g
>
> delete group script = /usr/sbin/groupdel %g
>
> add user to group script = /usr/sbin/usermod -G %g %u
>
> add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
>
> logon script = logon.bat
>
> logon path =
>
> logon drive = X:
>
> domain logons = Yes
>
> os level = 65
>
> preferred master = Yes
>
> domain master = Yes
>
> wins support = Yes
>
> ldap ssl = no
>
> idmap uid = 10000-20000
>
> idmap gid = 10000-20000
>
> admin users = root
>
> veto oplock files = /*.doc/*.xls/*.mdb/
>
>
>
> [homes]
>
> comment = Home Directories - %p
>
> valid users = %S
>
> read only = No
>
> browseable = No
>
>
>
> [printers]
>
> comment = SMB Print Spool
>
> path = /var/spool/samba
>
> guest ok = Yes
>
> printable = Yes
>
> use client driver = Yes
>
> browseable = No
>
>
>
> [netlogon]
>
> comment = Network Logon Service
>
> path = /home/netlogon/%u
>
> read only = No
>
> browseable = No
>
> [software]
>
> comment = Instalacao de SW
>
> path = /apps/programas
>
> create mode = 770
>
> directory mode = 770
>
> valid users = root @ti
>
> admin users = p650 p1012 p894
>
> writeable = yes
>
> browseable = no
>
>
>
> [professores]
>
> comment = Ficheiros para professores
>
> path = /apps/professores
>
> create mode = 770
>
> directory mode = 770
>
> valid users = root @professores
>
> admin users = p650 p1012 p894
>
> writeable = yes
>
> browseable = no
>
> [administracao]
>
> comment = Programas de Gestao
>
> path = /apps/administracao
>
> create mode = 775
>
> directory mode = 775
>
> valid users = root @professores @t1213
>
> admin users = p894 p774 p140
>
> writeable = yes
>
> browseable = no
>
> [software_livre]
>
> comment = Software Livre
>
> path = /dados/livre
>
> create mode = 777
>
> directory mode = 777
>
> valid users = root @professores @alunos @formacao
>
> admin users = p1012 p755 p650 p894
>
> writeable = yes
>
> browseable = yes
>
>
>
> SMB.CONF (LINUX CLIENT):
>
> [global]
>
> workgroup = ESCOLA
>
> security = domain
>
> log file = /var/log/samba/%m.log
>
> max log size = 50
>
> wins server = 192.168.1.10
>
> password server = 192.168.1.10
>
> idmap uid = 16777216-33554431
>
> idmap gid = 16777216-33554431
>
> winbind enum users = yes
>
> winbind enum groups = yes
>
> template shell = /bin/false
>
> winbind use default domain = yes
>
> [homes]
>
> comment = Home Directories
>
> browseable = no
>
> writable = yes
>
>
>
> [printers]
>
> comment = All Printers
>
> path = /usr/spool/samba
>
> browseable = no
>
>
>
> SYSTEM-AUTH (LINUX CLIENT):
>
> #%PAM-1.0
>
> # This file is auto-generated.
>
> # User changes will be destroyed the next time authconfig is run.
>
> auth required pam_env.so
>
> auth required pam_mount.so
>
> auth sufficient pam_unix.so nullok try_first_pass
>
> auth sufficient pam_smb_auth.so use_first_pass nolocal
>
> auth sufficient pam_winbind.so use_first_pass
>
> auth required pam_deny.so
>
>
>
> account required pam_unix.so broken_shadow
>
> account sufficient pam_localuser.so
>
> account sufficient pam_succeed_if.so uid < 500 quiet
>
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
>
> account required pam_permit.so
>
>
>
> password requisite pam_cracklib.so try_first_pass retry=3
>
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>
> password sufficient pam_winbind.so use_authtok
>
> password required pam_deny.so
>
>
>
> session optional pam_mkhomedir.so skel=/etc/skel umask 0022
>
> session optional pam_mount.so use_first_pass
>
> session optional pam_keyinit.so revoke
>
> session required pam_limits.so
>
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>
> session required pam_unix.so
>
>
>
> PAM_MOUNT (LINUX CLIENT):
>
> debug 0
>
> mkmountpoint 1
>
> fsckloop /dev/loop7
>
> options_allow	nosuid,nodev,loop,encryption
>
> options_require	nosuid,nodev
>
> lsof /usr/sbin/lsof %(MNTPT)
>
> fsck /sbin/fsck -p %(FSCKTARGET)
>
> losetup /sbin/losetup -p0 "%(before=\"-e \" CIPHER)" "%(before=\"-k \" KEYBITS)" %(FSCKLOOP) %(VOLUME)
>
> unlosetup /sbin/losetup -d %(FSCKLOOP)
>
> cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
>
> smbmount /bin/mount -t smbfs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
>
> ncpmount /bin/mount -t ncpfs %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
>
> umount /bin/umount %(MNTPT)
>
> lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"
>
> cryptmount /bin/mount -t crypt "%(before=\"-o \" OPTIONS)" %(VOLUME) %(MNTPT)
>
> nfsmount /bin/mount %(SERVER):%(VOLUME) "%(MNTPT)%(before=\"-o \" OPTIONS)"
>
> mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
>
> mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
>
> pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)
>
>
>
> volume * smb 192.168.1.10 & /home/&/online uid=&,dmask=0570 - -
>
>
>
>
>
> I've tested with k12ltsp 5.0/k12ltsp 6.0 and Samba 3.0.23c/Samba
> 3.0.23d without success. Before testing, I installed all the
> available updates.
>
> Almost everything is working well and the system is able to create  
> the users home directories with pam_mkhomedir.so skel=/etc/skel  
> umask 0022.
>
> I tried the commands <<smbpasswd -e p1012>> and <<pdbedit -r -c  
> "[X ] p1012>> without success.
>
> Meanwhile, I successfully joined a Linux client running Fedora Core 4.
>
> I need an easy way to deploy terminals, so could you help me
> find the correct way to solve my problem?
>
>
>
> Thank You,
>
> Carlos Carvalho
>
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
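
The `Account Flags` field in the quoted `pdbedit -Lv` output and the machine-account question in the reply can both be checked mechanically. The Python below is an added example, not part of the original thread: it parses `pdbedit -Lv` output, decodes the flag letters as listed in the pdbedit(8) manual page, and looks for a workstation trust account. The `ltspserver1$` record and the function names are constructed for illustration.

```python
import re

# Account-control flag letters as listed in the pdbedit(8) manual page.
FLAG_MEANING = {
    "N": "no password required", "D": "account disabled",
    "H": "home directory required", "T": "temporary duplicate account",
    "U": "regular user account", "M": "MNS logon user account",
    "W": "workstation trust account", "S": "server trust account",
    "L": "automatic locking", "X": "password does not expire",
    "I": "domain trust account",
}

# First record: fields quoted in the post. Second record: constructed for
# this example (the post does not show a machine account).
SAMPLE = """\
Unix username: p1012
Account Flags: [UX ]
Domain: ESCOLA
Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
Unix username: ltspserver1$
Account Flags: [W ]
"""

def parse_records(text):
    """Split `pdbedit -Lv` output into one dict per account."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # values may contain ':' too
        if not sep:
            continue                            # separator or blank line
        if key.strip() == "Unix username":      # first field of every record
            records.append({})
        if records:
            records[-1][key.strip()] = value.strip()
    return records

def flags_of(record):
    """Map each flag letter to its meaning, ignoring padding in the brackets."""
    m = re.fullmatch(r"\[([A-Z ]*)\]", record.get("Account Flags", ""))
    if m is None:
        raise ValueError("no Account Flags field in record")
    return {c: FLAG_MEANING[c] for c in m.group(1) if c != " "}

def has_machine_account(records, host):
    """True if an enabled workstation trust account `host$` exists."""
    want = host.lower() + "$"
    return any(r["Unix username"].lower() == want
               and "W" in flags_of(r) and "D" not in flags_of(r)
               for r in records)
```

For the record quoted in the post, `flags_of` returns only `U` and `X`, so the passdb entry for p1012 carries no `D` (disabled) flag.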
