authenticating users from a Windows Domain Controller on Red Hat AS 3 U3

Christopher.Wood at gxs.com
Fri Feb 25 16:47:14 UTC 2005


Hello,

I am trying to set up a Linux server (Linux 2.4.21-20.ELsmp) to authenticate
Windows users on an Active Directory controller. I want to be able to
authenticate users for Samba shares and to authenticate telnet, ftp, and
console logons without creating separate or shared accounts on the Linux
box. I followed the instructions at
http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#winbindcfg

Our ADS must be running in legacy mode because I used 'net rpc join' and not
'net ads join' to join the domain. 

Now I can enumerate the users using winbind -u, but I cannot connect to a
Samba share, even if I specify everyone can use the share. If I try to connect
to the Samba share from my PC using an existing Linux user (like root), I
get a dialog box that says "The credentials supplied conflict with an
existing set of credentials".

I get these messages on the console when I try to connect to the Samba share
/export/kickstart:

Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]:   winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]:   winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]:   winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver smbd[1859]: [2005/02/25 11:29:16, 0]
auth/auth_util.c:make_server_info_info3(1122)
Feb 25 11:29:16 myserver smbd[1859]:   make_server_info_info3: pdb_init_sam
failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]:   winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]:   winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]:   winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver smbd[1859]: [2005/02/25 11:29:16, 0]
auth/auth_util.c:make_server_info_info3(1122)
Feb 25 11:29:16 myserver smbd[1859]:   make_server_info_info3: pdb_init_sam
failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]:   winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]:   winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:17 myserver winbindd[1833]: [2005/02/25 11:29:17, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:17 myserver winbindd[1833]:   winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:17 myserver smbd[1859]: [2005/02/25 11:29:17, 0]
auth/auth_util.c:make_server_info_info3(1122)
Feb 25 11:29:17 myserver smbd[1859]:   make_server_info_info3: pdb_init_sam
failed!
Feb 25 11:29:47 myserver winbindd[1833]: [2005/02/25 11:29:47, 0]
libsmb/cliconnect.c:cli_session_setup_spnego(759)
Feb 25 11:29:47 myserver winbindd[1833]:   Kinit failed: Malformed
representation of principal

I am NOT running nscd

My /etc/samba/smb.conf  - I tried security=DOMAIN and that doesn't work
either.
[global]
        server string = ohio edf kickstart server
        printcap name = /etc/printcap
        load printers = yes
        cups options = raw
        log file = /var/log/samba/%m.log
        max log size = 50
        security = ADS
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        password server = mydomaincontroller
        guest ok = yes
        workgroup = mydomain
        dns proxy = no
[homes]
        comment = Home Directories
        browseable = no
        writeable = yes
[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        printable = yes
[kickstart]
        comment = Red Hat Linux Kickstart Files
        path = /export/kickstart
        writeable = yes
        guest ok = yes

My /etc/pam.d/samba:
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

My /etc/pam.d/login:
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

My /etc/pam.d/sshd
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

My /etc/pam_smb.conf
MYDOMAIN
mydomaincontroller

My /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

My /var/log/samba/smbd.log
  smbd version 3.0.6-2.3E started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004
[2005/02/25 08:52:11, 0] smbd/server.c:main(760)
  smbd version 3.0.6-2.3E started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004
[2005/02/25 08:52:11, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
[2005/02/25 11:14:13, 0] smbd/server.c:main(760)
  smbd version 3.0.6-2.3E started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004

My /var/log/samba/winbindd.log:
[2005/02/25 11:31:12, 0] nsswitch/winbindd_acct.c:winbindd_create_user(911)
  winbindd_create_user: idmap_allocate_id() failed!
[2005/02/25 11:31:12, 0] nsswitch/winbindd_acct.c:winbindd_create_user(911)
  winbindd_create_user: idmap_allocate_id() failed!
[2005/02/25 11:34:53, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Malformed representation of principal
[2005/02/25 11:39:53, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Malformed representation of principal
[2005/02/25 11:44:54, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Malformed representation of principal

Thanks so much if anyone can help!


Chris
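
Added example, not part of the original post: a check of the posted [global] section for the settings winbindd needs before it can map domain users to local ids, namely `idmap uid` / `idmap gid` ranges (without one there is nothing for idmap_allocate_id() to allocate from) and, with `security = ADS`, a `realm`. The function names are hypothetical, and the realm and id ranges in AMENDED are constructed placeholders.

```python
import re

# The [global] lines from the post that matter for winbind (copied from the message).
POSTED = """
[global]
        security = ADS
        password server = mydomaincontroller
        workgroup = mydomain
"""
# Constructed values for illustration only: realm and id ranges are placeholders.
AMENDED = POSTED + """
        realm = MYDOMAIN.EXAMPLE
        idmap uid = 10000-20000
        idmap gid = 10000-20000
"""
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
# Older parameter names that smb.conf accepts as synonyms.
SYNONYMS = {"winbind uid": "idmap uid", "winbind gid": "idmap gid"}

def load_global(text):
    """Return the [global] parameters, names lower-cased and whitespace-normalised."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            params[SYNONYMS.get(key, key)] = value.strip()
    return params

def check_winbind(params):
    """List the winbind prerequisites that are absent or malformed."""
    findings = []
    for key in ("idmap uid", "idmap gid"):
        m = RANGE.match(params.get(key, ""))
        if key not in params:
            findings.append(f"{key}: not set, winbindd has no range to allocate from")
        elif not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{key}: '{params[key]}' is not a low-high range")
    if params.get("security", "").lower() == "ads" and not params.get("realm"):
        findings.append("realm: not set although security = ADS uses Kerberos")
    return findings

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("amended", AMENDED)):
        print(name, check_winbind(load_global(text)) or "no findings")
```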



More information about the redhat-list mailing list