- 11-10-2005 #1Just Joined!
- Join Date
- Jun 2005
- Posts
- 47
Samba authentication problem
I have a samba server setup that is authenticating with a Windows domain. This part of the authentication is working flawlessly and all the domain users can access the shares with no problems. My main problem is that the local accounts that were created on this server can not authenticate with samba. No matter what I try the local users can not login.
So far I have reset both the local and samba passwords, checked that the local accounts are enabled, and I have made sure that I am trying to mount shares using SERVERNAME\username when it asks for the user.
Here is my smb.conf file:
Code:

    [global]
        workgroup = WORKGROUP
        realm = REALM.COM
        server string = engineering file server
        security = ADS
        obey pam restrictions = Yes
        password server = XXX.XXX.XXX.XXX
        unix extensions = No
        keepalive = 900
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 IPTOS_LOWDELAY SO_KEEPALIVE
        preferred master = No
        local master = No
        domain master = No
        wins server = XXX.XXX.XXX.XXX
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template primary group = users
        template homedir = /home/shares/bu_onen1/bu/users8/%U
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 900
        winbind enum users = No
        winbind enum groups = No
        winbind use default domain = Yes

    [bu_onen1]
        path = /home/shares/bu_onen1
        read only = No
        vfs object = recycle
        recycle:keeptree = Yes
        recycle:repository = .undelete/%U
        recycle:exclude = ~$*.doc *.lnk *.tmp *.temp

    [homes]
        comment = Home directory for %U
        valid users = %S, %D+%S
        read only = No
        browseable = No

    [ptc]
        path = /home/shares/bu_onen1/ptc

    [ptc1]
        path = /home/shares/bu_onen1/ptc1

    [newprogs]
        path = /home/shares/newprogs
        read only = No
        create mask = 0774
        directory mask = 0775

    [public]
        path = /home/shares/public
        read only = No
        create mask = 0774
        directory mask = 0775

    [pdf_print]
        path = /var/spool/cups-pdf/
        read only = No

Here is my /etc/pam.d/samba file:
Code:

    #%PAM-1.0
    auth       sufficient   pam_winbind.so
    #auth      required     pam_nologin.so
    auth       required     pam_stack.so service=system-auth
    account    required     pam_stack.so service=system-auth
    account    sufficient   pam_winbind.so
    session    required     pam_mkhomedir.so skel=/etc/skel umask=0022
    session    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    password   sufficient   pam_winbind.so use_authtok

Here is my /etc/pam.d/system-auth file:
Code:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
    auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
    auth        required      /lib/security/$ISA/pam_deny.so
    account     required      /lib/security/$ISA/pam_unix.so broken_shadow
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account     sufficient    /lib/security/$ISA/pam_krb5.so
    account     sufficient    /lib/security/$ISA/pam_winbind.so
    account     required      /lib/security/$ISA/pam_permit.so
    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
    password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
    password    required      /lib/security/$ISA/pam_deny.so
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so
    session     optional      /lib/security/$ISA/pam_krb5.so

One other thing I tried that I forgot to mention is that I tried setting the "auth methods" to "guest, sam, winbind" but still had no luck.
- 11-10-2005 #2Just Joined!
- Join Date
- Jun 2005
- Posts
- 47
FYI, I can log into SWAT using local user credentials without a problem so I know the passwords are setup correctly.
- 11-11-2005 #3
Try the following:
- Make sure your smb server is set to use encrypted passwords
- Make sure that each user has an account on the Linux machine. If the user names are different, map Windows user name to Linux ones using /etc/samba/smbusers
- For each user, set their samba password with smbpasswd; set it to be the same as their Windows password.
- Restart Samba and test.
Linux user #126863 - see http://linuxcounter.net/
- 12-14-2005 #4Just Joined!
- Join Date
- Jun 2005
- Posts
- 47
Roxoff...I think you are missing the point here.
First, I'm authenticating Windows users via Winbind through our domain controller which is working fine. The accounts for the Windows users are virtual accounts that get created on the fly. I'm not concerned with any of this because I'm trying to authenticate a user that was created on the server and not one that was created on the domain. In other words, I'm trying to authenticate a Linux user and not a Windows user.
Second, I have already reset the Linux users' passwords via smbpasswd and it didn't help. I can still log into the Linux user's account through SWAT without a problem, but I cannot access it from another computer. I have tried everything I know to try (with the domain name specified, without it specified, etc.) and it still will not allow me to login from another machine.
- 12-14-2005 #5Linux User
- Join Date
- Jul 2005
- Posts
- 369
You're going to have to map the accounts to a unix uid if you have a windows dc
All i want for christmas is a new liver....a second chance to get afflicted with Cirrhosis
- 01-04-2007 #6Just Joined!
- Join Date
- Jan 2007
- Posts
- 5
Hi.
Maybe this helps:
I had:
security=share
on Solaris 9. And on the windows box, set the plain text password key value to 1
[You may save this as a .reg file and import]
-----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000001
-----------------
Then restart your windows box and try mapping again.
Do let us know if this helped.
-Parag
http://paragpdoke.blogspot.com
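Added example (not part of Parag's post or the thread): a defender-side check for the registry file above. It parses a REGEDIT4 export and lists the `lanmanworkstation\parameters` keys where `enableplaintextpassword` is non-zero, i.e. where the Windows client is permitted to send SMB passwords unencrypted. The sample export and the function names are constructed for illustration.

```python
import re

# Constructed sample: a REGEDIT4 export in the shape of the file quoted above,
# with one control set changed to 0 for contrast.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\LanmanWorkstation\Parameters]
"EnablePlainTextPassword"=dword:00000000
"OtherValue"="text"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000001
'''

# Key and value names are matched case-insensitively, as the registry does.
KEY_SUFFIX = r"\services\lanmanworkstation\parameters"
VALUE_NAME = "enableplaintextpassword"
SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')


def plaintext_password_settings(reg_text):
    """Return {key_path: value} for keys that set enableplaintextpassword."""
    found = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or .reg comment
        m = SECTION_RE.match(line)
        if m:
            # A leading "-" means the key is deleted on import; skip its body.
            current = None if m.group(1) else m.group(2)
            continue
        m = DWORD_RE.match(line)
        if m and current and current.lower().endswith(KEY_SUFFIX):
            if m.group(1).lower() == VALUE_NAME:
                found[current] = int(m.group(2), 16)
    return found


def enabled_keys(reg_text):
    """Keys where the client is allowed to send plain-text SMB passwords."""
    settings = plaintext_password_settings(reg_text)
    return sorted(k for k, v in settings.items() if v != 0)
```

Calling `enabled_keys()` on the text of an exported `.reg` file returns the control sets that still carry the setting.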
- 01-09-2007 #7Just Joined!
- Join Date
- Dec 2006
- Posts
- 62
Did you set up create machine accounts on your samba server?
If you configured samba as a PDC then a requirement is that you include machine trust.
If that's your configuration.
- 01-09-2007 #8Just Joined!
- Join Date
- Jan 2007
- Posts
- 5
Hi maclinwin.
Was your reply intended for HaMBoNE79 ?
If not, my Solaris 10 box has local authentication. I do not understand what PDC is but if it refers to Domain Controller; no. My domain controller is different and not configured in the samba installation.
Regards,
Parag P. Doke
http://paragpdoke.blogspot.com
- 01-10-2007 #9Just Joined!
- Join Date
- Dec 2006
- Posts
- 62
My bad.
PDC= Windows Primary Domain Controller. Samba on Linux is a great PDC alternative to Win servers.
I need to read the threads closer.


