[plug] Winbind, SMB, PAM
Timothy White
weirdo at tigris.org
Fri Mar 11 13:28:22 WST 2005
I am trying to get my Linux (Debian Testing/Unstable) box to
authenticate against my PDC (Samba 3) so that users can login to any
computer regardless of OS.
From what I can see I have a number of problems probably all in winbind
and PAM.
I have winbind working as far as I can see.
$ wbinfo -t
checking the trust secret via RPC calls succeeded
$ sudo wbinfo -a dummy%dummy
plaintext password authentication failed
error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error messsage was: Wrong Password
Could not authenticate user dummy%dummy with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error messsage was: Wrong Password
Could not authenticate user dummy with challenge/response
$ sudo wbinfo -a dummy%random
plaintext password authentication succeeded
challenge/response password authentication succeeded
$ sudo wbinfo -a susan%passwd
plaintext password authentication succeeded
challenge/response password authentication succeeded
But the rest goes downhill. I can log in as domain user Susan (not a
local user) but pam_mount mounts the shares (will be home when it's
working) with UID 0.
$ id susan
uid=16777216 gid=16777216 groups=16777216
I can't log in as the domain user dummy (also not a local user) and
running id gives
$ id dummy
id: dummy: No such user
This can also be seen with 'getent passwd' which shows all the local
users plus 1 domain user (susan) and 'getent group' which shows all the
local groups and 1 domain group (Domain Users which susan is a member of)
I believe that while I was testing everything I managed to get susan
logged in and now that things have changed for some reason she can still
login (cache?) but not others.
Trying to log in as domain user dummy gives the following in
/var/log/auth.log
Mar 11 13:07:58 linmedia login[11854]: (pam_unix) check pass; user unknown
Mar 11 13:07:58 linmedia login[11854]: (pam_unix) authentication
failure; logname=tim uid=0 euid=0 tty=pts/0 ruser= rhost=
Mar 11 13:07:58 linmedia pam_winbind[11854]: user 'dummy' granted access
Mar 11 13:07:58 linmedia login[11854]: (pam_unix) could not identify
user (from getpwnam(dummy))
Mar 11 13:07:58 linmedia login[11854]: Permission denied
While susan gives
Mar 11 13:08:40 linmedia sudo: tim : TTY=pts/0 ; PWD=/home/tim ;
USER=root ; COMMAND=/bin/login
Mar 11 13:08:43 linmedia login[11875]: (pam_unix) check pass; user unknown
Mar 11 13:08:43 linmedia login[11875]: (pam_unix) authentication
failure; logname=tim uid=0 euid=0 tty=pts/0 ruser= rhost=
Mar 11 13:08:43 linmedia pam_winbind[11875]: user 'susan' granted access
Mar 11 13:08:43 linmedia pam_winbind[11875]: user 'susan' granted access
Mar 11 13:08:43 linmedia login[11875]: (pam_unix) session opened for
user susan by tim(uid=0)
(Cut all pam_mount stuff, that can be dealt with later.)
/etc/pam.d:
:common-auth
auth required pam_mount.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth sufficient pam_winbind.so use_first_pass
:common-account
account sufficient pam_winbind.so
account sufficient pam_unix.so
Also logging in as a user with a local account and domain account works
fine with pam_mount mounting things fine. As susan it mounts things as root.
When the fetchmail daemon starts up it prompts for a password as
pam_mount seems to be operating on fetchmail as well. I can't see a
/etc/pam.d/fetchmail file so I'm not sure what to do there.
When susan logs in her login prompt is "I have no name!@linmedia:~$"
even though I have enabled winbind enum users = yes, and winbind enum
groups = yes in smb.conf[1].
Also I have changed the idmap ranges for winbind since susan first
logged in so how can I get winbind to flush her out of the system and be
reallocated another number in the correct range?
Also I have set 'winbind use default domain = yes' so that users don't
need to use domain format logins (WHITE.LAN\user or WHITE.LAN+user...)
A few last questions. It appears that winbind isn't installed to start up
at boot. Whereabouts should I put it? Before or after samba?
And should I look at using libpam-smb instead of libpam-winbind or is
winbind better? From what I can see Samba authenticates from PAM so I
should probably use winbind.
Any ideas? Sorry for the long email, hopefully someone will be able to
see a simple mistake.
Thanks Tim
p.s. In the long run I want it so that I can still login locally while
all other users must login over the domain so my home can't be mounted
over with my domain home.
[1] /etc/samba/smb.conf (without shares)
# Global parameters
[global]
workgroup = WHITE.LAN
realm = WHITE.LAN
security = domain
server string = %h server (Samba %v)
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = smbpasswd, guest
guest account = public
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
unix password sync = Yes
log level = 3
syslog = 0
max log size = 1000
large readwrite = No
name resolve order = lmhosts host wins bcast
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
os level = 33
preferred master = no
domain master = no
wins support = Yes
message command = /bin/sh -c '/usr/bin/linpopup
panic action = /usr/share/samba/panic-action %d
invalid users = root
admin users = @adm
include = /etc/samba/dhcp.conf
winbind use default domain = yes
password server = *
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
# Winbind configuration
winbind cache time = 10
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
#End Global Config
--
Tim White - Use the Fox, Luke!
PGP/GPG id: 602E944D, Pub Key Serv: subkeys.pgp.net
Fingerprint: 04C2 9682 B7B2 3006 009D A9F3 067E EDCD 602E 944D
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
--
Linux linmedia 2.6.10linmedia #4 Mon Feb 21 21:19:38 WST 2005 i686 GNU/Linux
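The auth.log lines in the post show pam_winbind granting access while pam_unix reports it "could not identify user (from getpwnam(dummy))". getpwnam() is answered by NSS, not PAM, so a domain user only becomes visible to login, id and getent when /etc/nsswitch.conf routes the passwd and group databases through winbind; likewise a uid that winbind handed out before the idmap range was changed (the post shows uid 16777216 against a configured range of 10000-20000) will sit outside the range smb.conf now declares. The POSIX sh helper below is an added example, not code from the original post: it checks both conditions against text passed in, so it runs offline on the constructed nsswitch.conf samples and on the idmap lines copied from the post's smb.conf. The function names and sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not from the original post).
# Checks two things the post's symptoms point at:
#  1. does nsswitch.conf list "winbind" for a given database (passwd/group)?
#  2. does a uid fall inside the "idmap uid = LOW-HIGH" range from smb.conf?

# nss_uses_winbind DB NSSWITCH_TEXT -> returns 0 if the "DB:" line lists winbind
nss_uses_winbind() {
    printf '%s\n' "$2" | awk -v db="$1" '
        $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# idmap_range SMBCONF_TEXT KEY -> prints "LOW HIGH" for a line like "KEY = LOW-HIGH"
idmap_range() {
    printf '%s\n' "$1" | awk -v key="$2" -F'=' '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); split(v, r, "-"); print r[1], r[2]; exit }'
}

# uid_in_range UID LOW HIGH -> returns 0 if LOW <= UID <= HIGH
uid_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# uid_check UID SMBCONF_TEXT -> returns 0 if UID lies inside the "idmap uid" range,
# 1 if it lies outside, 2 if smb.conf has no "idmap uid" line at all
uid_check() {
    uid=$1
    range=$(idmap_range "$2" "idmap uid")
    [ -n "$range" ] || { echo "no 'idmap uid' line found" >&2; return 2; }
    set -- $range
    uid_in_range "$uid" "$1" "$2"
}

# Constructed sample inputs (assumptions for this example, not the post's files).
SAMPLE_NSS_MISSING='passwd: compat
group: compat
shadow: compat
hosts: files dns'

SAMPLE_NSS_OK='passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns'

# The idmap lines as they appear in the post's smb.conf.
SAMPLE_SMB='[global]
   workgroup = WHITE.LAN
   idmap uid = 10000-20000
   idmap gid = 10000-20000'

# Demonstration run; written with if/else so a failing check never aborts the script.
for db in passwd group; do
    if nss_uses_winbind "$db" "$SAMPLE_NSS_MISSING"; then
        echo "nsswitch.conf: '$db' consults winbind"
    else
        echo "nsswitch.conf: '$db' does not list winbind; getpwnam()/getent cannot see domain users"
    fi
done

if uid_check 16777216 "$SAMPLE_SMB"; then
    echo "uid 16777216 lies inside the configured idmap uid range"
else
    echo "uid 16777216 lies outside the configured idmap uid range (stale allocation)"
fi
```

To run it against a live box, pass "$(cat /etc/nsswitch.conf)" and "$(cat /etc/samba/smb.conf)" in place of the samples and the uid printed by `id <user>`; a uid outside the declared range or a passwd/group line without winbind is what to look for before touching the PAM stack.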