Re: an old message in debian-user
Yuri wrote:
Hi! I've read your message (2002-09-02) about
"Samba, PAM, Authentication off an NT Domain".
I've just found this solution and it works. Now I'm installing
woody (dual boot) on all the PCs of my university! :)
Download the samba2.2.6 source and compile it. It's easy, read the readme.
/etc/samba/smb.conf:
[global]
workgroup = YOURDOMAIN
server string = Samba Server %v
security = domain
encrypt passwords = Yes
password server = *
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
character set = ISO8859-15
os level = 18
local master = No
dns proxy = No
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
/etc/pam.d/login:
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
account sufficient pam_winbind.so
account sufficient pam_unix.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
/etc/pam.d/xlock:
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
account sufficient pam_winbind.so
account sufficient pam_unix.so
/etc/nsswitch.conf:
passwd: files winbind nisplus nis
shadow: files nisplus nis
group: files winbind nisplus nis
hosts: files wins nisplus nis dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
hosts: files dns
Restart samba and winbind...
and join the domain:
smbpasswd -j <DOMAIN> -r <DOMAIN_CONTROLLER> -U <DOMAIN_ADMIN>
That's all! Bye!
I'm CC'ing this to the list, for posterity.
Yuri:
I _very_ much appreciate your response. However, I still have no joy.
(Of course, I haven't followed your instructions exactly, so that could
be my problem.)
Rather than downloading/compiling samba2.2.6, I just did an "apt-get
install samba" from unstable. I now have at least samba, samba-common,
and samba-client on the box (some from earlier attempts at this). "smbd
-V" reports this version to be "2.999+3.0.alpha20-4 for Debian". Since
the 3.0 is pretty much a rewrite, perhaps something has broken between
here and there.
Here's the global section of my /etc/samba/smb.conf:
[global]
workgroup = ACU
server string = %h server (Samba %v)
security = domain
encrypt passwords = true
password server = *
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 18
local master = No
dns proxy = no
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash
winbind separator = +
template homedir = /home/%D/%U
winbind use default domain = yes
and my /etc/pam.d/login:
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
account sufficient pam_winbind.so
account sufficient pam_unix.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
and my /etc/pam.d/xlock:
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
account sufficient pam_winbind.so
account sufficient pam_unix.so
and my /etc/nsswitch.conf:
passwd: files winbind
group: files winbind
shadow: files winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
I restarted /etc/init.d/samba and /etc/init.d/winbind, and then the
"smbpasswd" command as you gave produced an error to use a different
command. So I did "net rpc join -U <DOMAIN_ADMIN>", which produced this:
[2002/12/09 21:56:24, 1] rpc_client/cli_netlogon.c:cli_nt_setup_creds(303)
cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2002/12/09 21:56:24, 1] libsmb/trust_passwd.c:just_change_the_password(44)
just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
[2002/12/09 21:56:24, 1] utils/net_rpc.c:run_rpc_command(156)
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Password: (I put in my domain password here)
Joined domain ACU.
The "getent passwd" and "getent group" commands show me username and
group names in the ACU domain. However, when I switch over to a second
virtual terminal and try to log in, I get "Login incorrect". I've tried
logging in as "ACU+snert" (snert is a legitimate user on the ACU
domain), as "snert", and as "westk" (westk is a local account on the
box, and it now fails also, so I better not have a power outage between
now and when I get this fixed - doh!).
Anyone know where my problem might lie?
Thanks!
Kent
ACU+westk
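
Kent mentions that he did not follow the instructions exactly. The following is an added example, not part of either post: it compares the two /etc/nsswitch.conf files quoted above and reports each database whose source list differs, plus any database listed on more than one line. The file contents are copied from the posts; the function names are illustrative.

```python
# Added example: compare the two /etc/nsswitch.conf files quoted in the thread.
YURI = """\
passwd: files winbind nisplus nis
shadow: files nisplus nis
group: files winbind nisplus nis
hosts: files wins nisplus nis dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
hosts: files dns
"""
KENT = """\
passwd: files winbind
group: files winbind
shadow: files winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
"""

def parse(text):
    """Map database -> list of source lists, one per line (repeats are kept)."""
    dbs = {}
    for line in text.splitlines():
        db, sep, sources = line.partition(":")
        if sep:
            dbs.setdefault(db.strip(), []).append(sources.split())
    return dbs

def compare(ref, mine):
    """Return {database: (ref_entries, my_entries)} where the two files differ."""
    a, b = parse(ref), parse(mine)
    return {db: (a.get(db, []), b.get(db, []))
            for db in sorted(set(a) | set(b)) if a.get(db) != b.get(db)}

def repeated(text):
    """Databases that appear on more than one line of the file."""
    return sorted(db for db, entries in parse(text).items() if len(entries) > 1)

if __name__ == "__main__":
    for db, (ref, mine) in compare(YURI, KENT).items():
        print(f"{db:8} reference={ref} local={mine}")
```

Run against these two files, it reports differences in the group, hosts, passwd and shadow databases, and repeated(YURI) shows that hosts appears twice in the reference file.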