
[Samba] Samba/winbind with Active Directory auth


Kris Kaido

Jan 18, 2010, 10:40:02 AM

Hi List,

I'm installing a Samba server with the intended purpose of serving files to
Windows users with seamless authentication on the smb server.
For that, I've been reading and following every single google search result
regarding the subject, but it seems I'm stuck at some point where other
people are not blocked ...

To summarize, I have these commands OK:
# kinit admin...@DOMAIN.EXAMPLE.COM
# klist (ticket ok)
# net join ads -S server -U admin_user
# wbinfo -u and -g (both showing "DOMAIN\...")
# wbinfo -t (succeeded)

I configured PAM to use winbind, and to test it I'm using ssh with the same
config as I will for samba

Here's what I get when I try to ssh into my smb server using my AD
credentials:
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): getting password
(0x00000000)
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): request failed:
Named pipe dicconnected, PAM error was System error (4), NT error was
NT_STATUS_PIPE_DISCONNECTED
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): internal module
error (retval = 4, user = 'DOMAIN\myusername')
Jan 18 15:34:18 smb sshd[9157]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.6
user= DOMAIN\myusername
Jan 18 15:34:20 smb sshd[9157]: Failed password for DOMAIN\myusername from
192.168.5.6 port 50872 ssh2

Any idea what this error (NT_STATUS...) means?

Also when trying this I get an error:
smb:~# wbinfo -a admin_user%admin_pwd
plaintext password authentication failed
Could not authenticate user henry_admin with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
error messsage was: Named pipe dicconnected
Could not authenticate user admin_user with challenge/response
smb:~#

Here's my PAM config:
auth sufficient pam_winbind.so
auth required pam_unix.so use_first_pass
account sufficient pam_winbind.so
account required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient pam_winbind.so
session required pam_unix.so
password requisite pam_cracklib.so retry=3 type=
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_winbind.so use_first_pass
password required pam_deny.so

Any help would be greatly appreciated.

Thanks,

k.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Frank Gruman

Jan 18, 2010, 1:50:02 PM

Two things.

1 - make sure nscd is disabled (not just stopped - disable it to prevent
restarting on the next reboot)
2 - I found that using "winbind use default domain = yes" caused a lot
of my default authentication issues to go away. I only have one domain
and so I don't need the extra information / complexity of having to
specify domains.

Regards,
Frank

Alexander R. Fahrutdinov

Jan 18, 2010, 11:30:02 PM

In the message of Monday, 18 January 2010 19:33:00, Kris Kaido wrote:

> Hi List,
>
> I'm installing a Samba server with the intended purpose of serving files to
> Windows users with seamless authentication on the smb server.
> For that, I've been reading and following every single google search result
> regarding the subject, but it seems I'm stuck at some point where other
> people are not blocked ...
>
> To summarize, I have these commands OK:
> # kinit admin...@DOMAIN.EXAMPLE.COM
> # klist (ticket ok)
> # net join ads -S server -U admin_user
> # wbinfo -u and -g (both showing "DOMAIN\...")
> # wbinfo -t (succeeded)

Try to use Kerberos auth (wbinfo -K login%pass). It's possible that the Windows PDC
does not support NT-style auth via the pipe. Also, try the 'nt pipe support = no'
option in the smb.conf file.

Volker Lendecke

Jan 19, 2010, 2:30:02 AM

On Tue, Jan 19, 2010 at 08:23:45AM +0400, Alexander R. Fahrutdinov wrote:
> In the message of Monday, 18 January 2010 19:33:00, Kris Kaido wrote:
> > Hi List,
> >
> > I'm installing a Samba server with the intended purpose of serving files to
> > Windows users with seamless authentication on the smb server.
> > For that, I've been reading and following every single google search result
> > regarding the subject, but it seems I'm stuck at some point where other
> > people are not blocked ...
> >
> > To summarize, I have these commands OK:
> > # kinit admin...@DOMAIN.EXAMPLE.COM
> > # klist (ticket ok)
> > # net join ads -S server -U admin_user
> > # wbinfo -u and -g (both showing "DOMAIN\...")
> > # wbinfo -t (succeeded)
>
> Try to use Kerberos auth (wbinfo -K login%pass). It's possible that the Windows PDC
> does not support NT-style auth via the pipe. Also, try the 'nt pipe support = no'
> option in the smb.conf file.

???

nt pipe support = no

is extremely unlikely to ever help these days.

Volker

Robert Freeman-Day

Feb 2, 2010, 9:40:01 AM

Kris and Johan,

Both of you have not appended your smb.conf files. Maybe doing that
would help as well.

From what I am seeing, the pam stack Kris gave was authenticating via
winbind which would use either plaintext, lanman, ntlm or ntlmv2 and not
configured to authenticate using kerberos. The plaintext password
authentication is pretty insecure and this is what I suspect your setup
is attempting to use. Win 2008 has that disabled by default as well as
(afaik) lanman and ntlm. If you plan on using winbind to authenticate,
you will likely need to add the following directive in the [global]
section of your smb.conf file:

client ntlmv2 auth = yes

You may then need to restart winbindd and smbd (hell, you could restart
the whole machine if you felt like it). Tell us if this works out for you.

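
As an added example (not code from this thread or from Samba), a small checker that reads an smb.conf the way Samba reads parameter names and reports on the three [global] settings the replies above discuss: Frank's 'winbind use default domain', Robert's 'client ntlmv2 auth', and Volker's point that 'nt pipe support = no' is not a fix. The config it reads is constructed for the demonstration.

```python
"""Check an smb.conf [global] section for the settings discussed in this
thread (Frank: winbind use default domain; Robert: client ntlmv2 auth;
Volker: nt pipe support = no will not help). Added example, not Samba's
own code; the sample config below is constructed."""
import configparser
import re

def norm(name):
    """Samba parameter names are case-insensitive and ignore whitespace."""
    return re.sub(r"\s+", "", name).lower()

def is_true(value):
    """Samba boolean syntax: yes/true/1 are true; no/false/0 are false."""
    return value.strip().lower() in ("yes", "true", "1")

def parse_smb_conf(text):
    """Return {section: {normalised_name: value}}; RawConfigParser does no
    interpolation, so Samba's %U-style substitutions are left untouched."""
    cp = configparser.RawConfigParser(allow_no_value=True, strict=False,
                                      delimiters=("=",))
    cp.optionxform = norm  # apply Samba's name normalisation to every key
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_global(conf):
    """Return findings for [global] following the advice in this thread."""
    g = conf.get("global", {})
    findings = []
    if not is_true(g.get("clientntlmv2auth", "no")):  # Samba 3.x default: no
        findings.append("client ntlmv2 auth is off: winbind falls back to "
                        "LM/NTLM password checks, which a 2008 DC may reject")
    if not is_true(g.get("winbindusedefaultdomain", "no")):
        findings.append("winbind use default domain is off: users must "
                        "authenticate as DOMAIN\\user")
    if "ntpipesupport" in g and not is_true(g["ntpipesupport"]):
        findings.append("nt pipe support = no is set: this only turns off "
                        "named-pipe RPC on this server; it does not fix "
                        "NT_STATUS_PIPE_DISCONNECTED coming from the DC")
    return findings

# Constructed sample reproducing the configuration the thread discusses.
SAMPLE_SMB_CONF = """
[global]
workgroup = DOMAIN
realm = DOMAIN.EXAMPLE.COM
security = ads
Winbind Use Default Domain = no
nt pipe support = no
"""
```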

Johan.B...@tieto.com

Feb 2, 2010, 10:40:01 AM

Hello Robert, Kris.

I have tried with client ntlmv2 auth = yes but I'm still getting the problem.

This is output from the messages log:

Feb 2 16:32:26 udcsp03 winbindd[19999]: [2010/02/02 16:32:26, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
Feb 2 16:32:26 udcsp03 winbindd[19999]: cli_pipe_verify_schannel: auth_len 56.

Above Startup

Feb 2 16:32:26 udcsp03 winbindd[20007]: [2010/02/02 16:32:26, 0] nsswitch/idmap.c:smb_register_idmap(146)
Feb 2 16:32:26 udcsp03 winbindd[20007]: Idmap module rid already registered!
Feb 2 16:32:26 udcsp03 winbindd[20007]: [2010/02/02 16:32:26, 0] lib/module.c:do_smb_load_module(69)
Feb 2 16:32:26 udcsp03 winbindd[20007]: Module '/usr/lib64/samba/idmap/rid.so' initialization failed: NT_STATUS_OBJECT_NAME_COLLISION

The above is from when I do wbinfo -g or wbinfo -u

Feb 2 16:33:07 udcsp03 winbindd[19999]: [2010/02/02 16:33:07, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
Feb 2 16:33:07 udcsp03 winbindd[19999]: rpc_api_pipe: Remote machine INFRADC06.sweinfra.se pipe \NETLOGON fnum 0x8008returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

And above the main problem, wbinfo -a domainuser%password

I'm attaching my smb.conf.

/JB
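
As an added example (not code from this thread or from Samba), a classifier for the syslog lines Kris and Johan posted: it groups lines by process id, pulls out the NT_STATUS code, and labels each failure as a backend problem (the DC/RPC path) or a credential problem, so that an outage like NT_STATUS_PIPE_DISCONNECTED is not counted as a run of bad passwords. The NT status names are a small hand-picked subset, and the sample lines are reconstructed from the two posts.

```python
"""Sort winbind syslog failures into backend errors (DC/RPC path broken) versus
credential errors (bad password, locked account). Added example, not Samba's
own code; the sample lines are constructed from the ones quoted in this thread."""
import re

# Small hand-picked subset of Samba's NT status names.
BACKEND_ERRORS = {"NT_STATUS_PIPE_DISCONNECTED",      # RPC pipe to DC dropped
                  "NT_STATUS_OBJECT_NAME_COLLISION",  # module registered twice
                  "NT_STATUS_NO_LOGON_SERVERS"}
CREDENTIAL_ERRORS = {"NT_STATUS_LOGON_FAILURE", "NT_STATUS_WRONG_PASSWORD",
                     "NT_STATUS_ACCOUNT_LOCKED_OUT"}

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
NT_STATUS = re.compile(r"\b(NT_STATUS_[A-Z0-9_]+)\b")
USER = re.compile(r"user = '([^']+)'")  # pam_winbind's "user = 'DOM\name'"

def category(code):
    """Label an NT status name; codes outside both sets are 'unknown'."""
    if code in BACKEND_ERRORS:
        return "backend"
    return "credential" if code in CREDENTIAL_ERRORS else "unknown"

def summarize(lines):
    """Return {(host, pid): (category, nt_status, user)}. Lines are grouped by
    process id because pam_winbind logs the NT status and the user name on
    separate lines of the same sshd session."""
    events = {}
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue  # not a syslog line in the expected shape
        key = (m["host"], m["pid"])
        cat, code, user = events.get(key, (None, None, None))
        status = NT_STATUS.search(m["msg"])
        if status:
            code = status.group(1)
            cat = category(code)
        named = USER.search(m["msg"])
        if named:
            user = named.group(1)
        events[key] = (cat, code, user)
    return {k: v for k, v in events.items() if v[1] is not None}

# Constructed sample: Kris's sshd lines and Johan's winbindd lines, unwrapped.
SAMPLE_LOG = r"""
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): request failed: Named pipe dicconnected, PAM error was System error (4), NT error was NT_STATUS_PIPE_DISCONNECTED
Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): internal module error (retval = 4, user = 'DOMAIN\myusername')
Jan 18 15:34:20 smb sshd[9157]: Failed password for DOMAIN\myusername from 192.168.5.6 port 50872 ssh2
Feb 2 16:32:26 udcsp03 winbindd[20007]: Module '/usr/lib64/samba/idmap/rid.so' initialization failed: NT_STATUS_OBJECT_NAME_COLLISION
Feb 2 16:33:07 udcsp03 winbindd[19999]: rpc_api_pipe: Remote machine INFRADC06.sweinfra.se pipe \NETLOGON fnum 0x8008returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
""".strip().splitlines()
```

The sshd "Failed password" line carries no NT status and is deliberately left out of the result; only the pam_winbind line that names the backend error is attributed to the user.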