authenticating users from a Windows Domain Controller on Red Hat AS 3 U3
Christopher.Wood at gxs.com
Fri Feb 25 16:47:14 UTC 2005
Hello,
I am trying to set up a Linux server (Linux 2.4.21-20.ELsmp) to authenticate
Windows users on an Active Directory controller. I want to be able to
authenticate users for Samba shares and to authenticate telnet, ftp, and
console logons without creating separate or shared accounts on the Linux
box. I followed the instructions at
http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#winbindcfg
Our ADS must be running in legacy mode because I used 'net rpc join' and not
'net ads join' to join the domain.
Now I can enumerate the users using winbind -u, but I cannot connect to a
Samba share, even if I specify everyone can use the share. If I try to connect
to the Samba share from my PC using an existing Linux user (like root), I
get a dialog box that says "The credentials supplied conflict with an
existing set of credentials".
I get these messages on the console when I try to connect to the Samba share
/export/kickstart:
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver smbd[1859]: [2005/02/25 11:29:16, 0]
auth/auth_util.c:make_server_info_info3(1122)
Feb 25 11:29:16 myserver smbd[1859]: make_server_info_info3: pdb_init_sam
failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver smbd[1859]: [2005/02/25 11:29:16, 0]
auth/auth_util.c:make_server_info_info3(1122)
Feb 25 11:29:16 myserver smbd[1859]: make_server_info_info3: pdb_init_sam
failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:17 myserver winbindd[1833]: [2005/02/25 11:29:17, 0]
nsswitch/winbindd_acct.c:winbindd_create_user(911)
Feb 25 11:29:17 myserver winbindd[1833]: winbindd_create_user:
idmap_allocate_id() failed!
Feb 25 11:29:17 myserver smbd[1859]: [2005/02/25 11:29:17, 0]
auth/auth_util.c:make_server_info_info3(1122)
Feb 25 11:29:17 myserver smbd[1859]: make_server_info_info3: pdb_init_sam
failed!
Feb 25 11:29:47 myserver winbindd[1833]: [2005/02/25 11:29:47, 0]
libsmb/cliconnect.c:cli_session_setup_spnego(759)
Feb 25 11:29:47 myserver winbindd[1833]: Kinit failed: Malformed
representation of principal
I am NOT running nscd
My /etc/samba/smb.conf - I tried security=DOMAIN and that doesn't work
either.
[global]
server string = ohio edf kickstart server
printcap name = /etc/printcap
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
password server = mydomaincontroller
guest ok = yes
workgroup = mydomain
dns proxy = no
[homes]
comment = Home Directories
browseable = no
writeable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes
[kickstart]
comment = Red Hat Linux Kickstart Files
path = /export/kickstart
writeable = yes
guest ok = yes
My /etc/pam.d/samba:
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
My /etc/pam.d/login:
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
My /etc/pam.d/sshd
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
My /etc/pam_smb.conf
MYDOMAIN
mydomaincontroller
My /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
My /var/log/samba/smbd.log
smbd version 3.0.6-2.3E started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
[2005/02/25 08:52:11, 0] smbd/server.c:main(760)
smbd version 3.0.6-2.3E started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
[2005/02/25 08:52:11, 0] lib/util_sock.c:get_peer_addr(1000)
getpeername failed. Error was Transport endpoint is not connected
[2005/02/25 11:14:13, 0] smbd/server.c:main(760)
smbd version 3.0.6-2.3E started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
My /var/log/samba/winbindd.log:
[2005/02/25 11:31:12, 0] nsswitch/winbindd_acct.c:winbindd_create_user(911)
winbindd_create_user: idmap_allocate_id() failed!
[2005/02/25 11:31:12, 0] nsswitch/winbindd_acct.c:winbindd_create_user(911)
winbindd_create_user: idmap_allocate_id() failed!
[2005/02/25 11:34:53, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
Kinit failed: Malformed representation of principal
[2005/02/25 11:39:53, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
Kinit failed: Malformed representation of principal
[2005/02/25 11:44:54, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
Kinit failed: Malformed representation of principal
Thanks so much if anyone can help!
Chris
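
A configuration check tied to the two errors logged in the message above, as an added example that is not part of the original post. It assumes that idmap_allocate_id() fails because [global] sets no `idmap uid` / `idmap gid` ranges and that the kinit error comes from `security = ADS` without a `realm`; both causes are assumptions, and the sample config is an abridged, constructed copy of the posted one.

```python
import re

# Constructed sample: abridged copy of the smb.conf posted in the message
# above (only the lines relevant to winbindd are kept).
POSTED_SMB_CONF = """\
[global]
server string = ohio edf kickstart server
security = ADS
password server = mydomaincontroller
guest ok = yes
workgroup = mydomain
[kickstart]
path = /export/kickstart
guest ok = yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def check_winbind_prereqs(text):
    """List findings for the [global] settings winbindd depends on."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    # Samba 3.0.x winbindd allocates Unix ids for domain users and groups
    # from these ranges (parameter synonyms are not considered here).
    for param in ("idmap uid", "idmap gid"):
        if not re.fullmatch(r"\d+\s*-\s*\d+", g.get(param, "")):
            findings.append(f"{param}: no range set")
    # security = ADS authenticates with Kerberos, which needs the realm name.
    if g.get("security", "").lower() == "ads" and not g.get("realm"):
        findings.append("realm: missing while security = ADS")
    return findings

if __name__ == "__main__":
    for finding in check_winbind_prereqs(POSTED_SMB_CONF):
        print("FINDING", finding)
```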