
[Samba] problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade


Geoff Rowland, Apr 25, 2014, 11:40:02 AM
To be safe, I performed a clean installation of Ubuntu 14.04 to make
sure the upgrade process wasn't breaking things. I am able to join a
domain, however it will always tell me invalid password when trying to
log in with a domain account. I guess that the major change was going
from Samba3 to Samba4 with these versions. I don't see anything crazy
in the samba logs. Am I missing something? Here are the steps I followed:

apt-get install krb5-config krb5-user winbind samba smbclient
libnss-winbind libpam-winbind

config files:

smb.conf (had a more complex one but using this simple one for testing):

[global]

workgroup = MYDOMAIN
security = ADS
realm = MYDOMAIN.COM
netbios name = trusty

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 500-40000

winbind nss info = rfc2307
[test]
path = /srv/samba/test
read only = no


krb5.conf:

[libdefaults]
default_realm = MYDOMAIN.COM
ticket_lifetime = 24000
allow_weak_crypto = yes
[realms]
MYDOMAIN.COM = {
kdc = my.domain.com
admin_server = my.domain.com
default_domain = MYDOMAIN.COM
}


[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[login]
krb4_convert = true
krb4_get_tickets = false

/etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files mdns4_minimal [NOTFOUND=return] dns wins
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis


net ads join -U username

successfully joins the domain
kinit acc...@MYDOMAIN.COM
klist confirms ticket created
su domainuser = "user not in passwd"
log out and try to log in with domain user = "invalid password"
log in with local account type
wbinfo -u shows domain users
wbinfo -g shows domain groups

not sure what else to try?
these exact steps work in Ubuntu 12.04

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

steve, Apr 25, 2014, 11:50:02 AM
On Fri, 2014-04-25 at 11:27 -0400, Geoff Rowland wrote:


>
> not sure what else to try?

Look at the log at the time of the login.

Unless 14.04 has changed radically, I'd:
tail -f /var/log/syslog

Anything?
HTH
Steve

Rowland Penny, Apr 25, 2014, 12:20:04 PM
Hi, does 'getent passwd' show your domain users ?

Rowland

Geoff Rowland, Apr 25, 2014, 1:20:01 PM
I had forgotten I changed my pam files to default...now I changed them
back to what I had before so that winbind shows up before pam_unix - and
here is the output from auth.log:

Apr 25 13:08:09 mycomputer lightdm: pam_winbind(lightdm:auth): getting
password (0x00000000)
Apr 25 13:08:15 mycomputer lightdm: pam_winbind(lightdm:auth): user
'growland' granted access
Apr 25 13:08:15 mycomputer lightdm: pam_unix(lightdm:account): could not
identify user (from getpwnam(growland))
Apr 25 13:08:15 mycomputer lightdm: PAM unable to
dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared
object file: No such file or directory

Returns with invalid password (but I know the password is correct)
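The auth.log lines above record the real sequence: pam_winbind accepted the password in the auth phase, and it was pam_unix in the account phase that failed because getpwnam() could not find the user. What follows is an added example, not from the thread and not Samba or Linux-PAM code, that parses log lines of this shape and flags exactly that pattern. SAMPLE_LOG is a constructed copy of the quoted lines; the regular expression is this example's own parser for the standard pam_<module>(<service>:<phase>): tag, and the wording of the findings is the example's, not anything the display manager prints.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the auth.log excerpt quoted in the thread.
SAMPLE_LOG = """\
Apr 25 13:08:09 mycomputer lightdm: pam_winbind(lightdm:auth): getting password (0x00000000)
Apr 25 13:08:15 mycomputer lightdm: pam_winbind(lightdm:auth): user 'growland' granted access
Apr 25 13:08:15 mycomputer lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(growland))
Apr 25 13:08:15 mycomputer lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
"""

# Syslog prefix, then the tag every Linux-PAM module emits:
#   pam_<module>(<service>:<phase>): <message>
PAM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<phase>auth|account|session|password)\): "
    r"(?P<msg>.*)$")


def parse_pam_lines(text):
    """Keep only lines carrying a module/phase tag (the dlopen warning has none)."""
    return [m.groupdict() for m in (PAM_LINE.match(l) for l in text.splitlines()) if m]


def outcome(msg):
    """Classify a module message as 'ok', 'fail' or 'info' from its wording."""
    m = msg.lower()
    if "granted access" in m or "authenticated as" in m:
        return "ok"
    if "could not identify user" in m or "authentication failure" in m or "unknown user" in m:
        return "fail"
    return "info"


def diagnose(text):
    """Return ({phase: [(module, outcome, message), ...]}, [findings]).

    The finding that matters for this thread: an auth module granted access,
    but the account phase could not look the user up, so the problem is the
    NSS/idmap path (getent passwd), not the credentials."""
    phases = defaultdict(list)
    for ev in parse_pam_lines(text):
        phases[ev["phase"]].append((ev["module"], outcome(ev["msg"]), ev["msg"]))
    findings = []
    auth_ok = [mod for mod, res, _ in phases["auth"] if res == "ok"]
    lookup_fail = [mod for mod, res, msg in phases["account"]
                   if res == "fail" and "getpwnam" in msg]
    if auth_ok and lookup_fail:
        findings.append(
            "password accepted by %s, but %s could not resolve the account with "
            "getpwnam(): check 'getent passwd <user>', winbind in nsswitch.conf and "
            "the idmap attributes, not the credentials"
            % (", ".join(auth_ok), ", ".join(lookup_fail)))
    elif phases["auth"] and not auth_ok:
        findings.append("no auth module granted access: credential or Kerberos problem")
    return dict(phases), findings


if __name__ == "__main__":
    phases, findings = diagnose(SAMPLE_LOG)
    for phase, events in phases.items():
        for module, res, msg in events:
            print("%-8s %-12s %-4s %s" % (phase, module, res, msg))
    for f in findings:
        print("FINDING:", f)
```

Run it against a copy of the real auth.log and the one finding it prints says where to look next: the "invalid password" shown by the greeter is the stack's generic error after pam_deny, and the password was never the problem.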

Geoff Rowland, Apr 25, 2014, 1:30:02 PM


On 04/25/2014 01:21 PM, Rowland Penny wrote:
> sigh, I will try again, does 'getent passwd' show your domain users ???
>
> Rowland
>
getent passwd does not show my domain users...but it also does not show
my domain users on my 12.04 box, which is working fine.

wbinfo -u does show domain users.

net ads testjoin says Join is OK

klist shows ticket expires tomorrow
(I do seem to have to kinit to get a new ticket every time I reboot the
computer though?)

Rowland Penny, Apr 25, 2014, 1:30:02 PM
On 25/04/14 18:12, Geoff Rowland wrote:
sigh, I will try again, does 'getent passwd' show your domain users ???

Rowland

Rowland Penny, Apr 25, 2014, 1:50:03 PM
OK, last thing first, put this in smb.conf:

winbind refresh tickets = Yes

Reload your config: smbcontrol all reload-config

Getent needs to show your domain users. Do you have winbind in
/etc/nsswitch.conf:

......
passwd: compat winbind
group: compat winbind

Do you have libpam-winbind & libpam-krb5 installed ?

Rowland

Geoff Rowland, Apr 25, 2014, 2:00:02 PM
yes, I have libpam-winbind + libpam-krb5 installed, as well as winbind
in /etc/nsswitch.conf.
I added the entry to smb.conf and performed the command (restarted the
services as well, just to be sure), however I still have the same issue.

Rowland Penny, Apr 25, 2014, 2:20:02 PM
OK, my fileserver is running 14.04 and users can connect to shares and
via ssh, these are my main PAM files:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required pam_krb5.so minimum_uid=1000
# end of pam-auth-update config

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# here are the per-package modules (the "Primary" block)
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
# end of pam-auth-update config

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_winbind.so
session optional pam_systemd.so
session optional pam_ck_connector.so nox11
# end of pam-auth-update config
session required pam_mkhomedir.so skel=/etc/skel umask=0022

Do yours match the above? Also, do your AD users have uidNumbers &
gidNumbers?

Rowland

Geoff Rowland, Apr 25, 2014, 2:40:02 PM
They do not have either set. Is this a (new?) requirement?

I edited my PAM files to match and still have the same result.

Rowland Penny, Apr 25, 2014, 2:50:02 PM
One more question, do you have libnss-winbind installed?

Rowland

Geoff Rowland, Apr 25, 2014, 2:50:02 PM

Yes, I have libnss-winbind installed as well.

Rowland Penny, Apr 25, 2014, 3:00:01 PM

OK, this is basically what I did to install my fileserver:

installed Ubuntu 14.04 with a fixed IP address and gave it a FQDN

Once installed, stopped NetworkManager from starting dnsmasq and removed
resolvconf, fully updated and then rebooted

I then installed samba winbind libpam-winbind libnss-winbind krb5-user
krb5-config ntp libpam-krb5

Stopped all samba services

Created a new smb.conf

[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = %h server (Samba)
security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
client signing = if_required
printcap name = cups
local master = No
domain master = No
usershare allow guests = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind normalize names = Yes
idmap config DOMAIN:range = 10000-999999
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:backend = ad
idmap config *:range = 2000-9999
idmap config * : backend = tdb
map acl inherit = Yes
cups options = raw
store dos attributes = Yes
vfs objects = acl_xattr

[homes]
comment = Home Directories
valid users = %S
create mask = 0700
directory mask = 0700
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
print ok = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

Create /etc/samba/smbusers
!root = DOMAIN\Administrator DOMAIN\administrator

sudo cp /etc/krb5.conf /etc/krb5.conf.orig

Edited /etc/krb5.conf to match the following:

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true

edit /etc/resolv.conf

ensure it points to AD DC

search domain.com
domain domain.com
nameserver 192.168.0.5 <--- this is the IP of my samba4 AD DC

sudo rm -f /var/lib/samba/*.tdb
sudo rm -f /var/cache/samba/*.tdb

edit /etc/ntp.conf

#------------------Start-----------------------------------
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server 192.168.0.5
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
#disable auth
#broadcastclient
#----------------End----------------------------------------

sudo service ntp restart

sudo net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- DOMAIN
Joined 'MEMBER1' to dns domain 'domain.com'

Add 'winbind' to the passwd & group lines in nsswitch.conf:

#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind


sudo service smbd start
sudo service nmbd start
sudo service winbind start

'wbinfo -u' should display all domain users
'wbinfo -g' should display all domain groups

'getent passwd' should display all users, local & domain

'getent group' should display all groups, local & domain, only it
doesn't (known bug), but 'getent group <domain groupname>' will display
the domain group, (if it has a gidNumber).

steve, Apr 26, 2014, 11:20:02 AM
On Fri, 2014-04-25 at 19:58 +0100, Rowland Penny wrote:

Hi
We've been trying to reproduce the OP's login failure. The nearest we
can get is by replacing Rowland's:
>
> Edited /etc/krb5.conf to match the following:
>
> [libdefaults]
> default_realm = DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true

with the OP's krb5.conf. However, it's not a faithful reproduction as
this is a simple Lubuntu domain member not running smbd. Please also
note that unlike the OP, we also lose the ability to kinit domain users.
HTH to narrow it down a little.
Steve

Geoff Rowland, Apr 28, 2014, 12:20:01 PM
I installed a fresh 14.04 box using your smb.conf and krb5.conf and am
still having issues. wbinfo -u returns domain users, wbinfo -g returns
domain groups, getent passwd returns local users only - and there is a
delay after displaying the last local user (like perhaps it's trying to
contact the domain).

When I try to log in as a domain user, I see this in the auth.log:
pam_krb5(lightdm:auth): user growland authenticated as grow...@DOMAIN.COM
lightdm: gkr-pam: error looking up user information

This is a Windows Server 2008 server that it is authenticating against.
Is there any way to see more information about this error?

Rowland Penny, Apr 28, 2014, 1:20:03 PM
Hi, I can assure you that it does work. The only thing I can think of (off
the top of my head): do your users have the required uidNumbers and
gidNumbers? If they don't, then 'getent passwd' will never work, and
'getent passwd' MUST show all the domain users.

Rowland
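The idmap rule behind Rowland's closing point, and behind the idmap lines in his and Geoff's smb.conf, can be exercised without a domain. Below is an added example, not from the thread and not Samba code, that parses the idmap settings out of an smb.conf fragment (constructed from the settings posted above) and models how the ad and tdb backends answer a lookup for three constructed AD users: one with uidNumber/gidNumber inside the range, one with no RFC2307 attributes at all (the situation Geoff describes), and one whose numbers fall outside the configured range. The user records, the assumption that every sample user's primary group is Domain Users, and the allocator are this example's own simplifications; real winbind keeps far more state.

```python
import re

# Constructed smb.conf fragment, modelled on the idmap settings posted in the thread.
SMB_CONF_AD = """
[global]
   workgroup = DOMAIN
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : schema_mode = rfc2307
   idmap config DOMAIN : range = 10000-999999
"""

# Same host with no per-domain block: every lookup falls through to tdb.
SMB_CONF_TDB_ONLY = """
[global]
   workgroup = DOMAIN
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
"""

# 'idmap config DOM : key = val'; smb.conf ignores the spaces around the colon.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)


def parse_idmap(conf):
    """Collect idmap lines into {DOMAIN: {key: value}}; 'range' becomes (lo, hi)."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group("dom").upper(), m.group("key").lower(), m.group("val")
        if key == "range":
            lo, hi = (int(x) for x in val.split("-", 1))
            val = (lo, hi)
        cfg.setdefault(dom, {})[key] = val
    return cfg


class TdbAllocator:
    """Stand-in for idmap_tdb: the first lookup of a name takes the next free ID
    from the range and records it in a host-local table. A second member server
    runs its own allocator and may hand the same user a different number."""

    def __init__(self, lo, hi):
        self.lo, self.hi, self.next_id, self.table = lo, hi, lo, {}

    def get(self, key):
        if key not in self.table:
            if self.next_id > self.hi:
                raise RuntimeError("idmap range %d-%d exhausted" % (self.lo, self.hi))
            self.table[key] = self.next_id
            self.next_id += 1
        return self.table[key]


# Constructed AD user objects, shaped like ldbsearch/ldapsearch output.
USERS = [
    {"sAMAccountName": "rowland", "uidNumber": 10001, "gidNumber": 10000},
    {"sAMAccountName": "growland"},                                        # no RFC2307 attributes
    {"sAMAccountName": "svc_backup", "uidNumber": 500, "gidNumber": 500},  # present, but outside range
]


def wbinfo_u(users):
    """'wbinfo -u' enumerates names straight from the DC; it proves nothing about ID mapping."""
    return [u["sAMAccountName"] for u in users]


def resolve(user, domain, cfg, allocator=None):
    """Return ((uid, gid), reason) when the user maps, else (None, reason)."""
    dcfg = cfg.get(domain.upper()) or cfg["*"]
    lo, hi = dcfg["range"]
    backend = dcfg.get("backend", "tdb").lower()
    if backend == "ad":
        uid, gid = user.get("uidNumber"), user.get("gidNumber")
        if uid is None or gid is None:
            return None, "no uidNumber/gidNumber on the AD object; getpwnam() fails"
        if not (lo <= uid <= hi and lo <= gid <= hi):
            return None, "uidNumber/gidNumber %d/%d outside idmap range %d-%d" % (uid, gid, lo, hi)
        return (uid, gid), "mapped from RFC2307 attributes (identical on every member server)"
    if backend == "tdb":
        allocator = allocator or TdbAllocator(lo, hi)
        uid = allocator.get("user:" + user["sAMAccountName"])
        gid = allocator.get("group:Domain Users")  # assumption: primary group of every sample user
        return (uid, gid), "allocated by idmap_tdb on this host only; AD uidNumber ignored"
    return None, "backend %r not modelled here" % backend


def getent_passwd(users, domain, cfg):
    """The (name, uid, gid) entries 'getent passwd' would show for the domain."""
    dcfg = cfg.get(domain.upper()) or cfg["*"]
    allocator = TdbAllocator(*dcfg["range"])  # only consulted on the tdb path
    out = []
    for u in users:
        ids, _ = resolve(u, domain, cfg, allocator)
        if ids:
            out.append((u["sAMAccountName"],) + ids)
    return out


if __name__ == "__main__":
    for label, conf in (("ad backend", SMB_CONF_AD), ("tdb only", SMB_CONF_TDB_ONLY)):
        cfg = parse_idmap(conf)
        print(label, "| wbinfo -u:", wbinfo_u(USERS))
        print(label, "| getent passwd:", getent_passwd(USERS, "DOMAIN", cfg))
        for u in USERS:
            print("   ", u["sAMAccountName"], "->", resolve(u, "DOMAIN", cfg)[1])
```

With the ad backend only rowland gets a passwd entry while wbinfo -u still lists all three, which is the symptom reported throughout the thread. With the tdb-only config all three map, but the AD uidNumber is ignored and the numbers are whatever this host allocated first, so file ownership on a second member server will not line up; that is the trade-off the rfc2307 approach is chosen to avoid.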