  1. #1
    Just Joined!
    Join Date
    Jun 2005
    Posts
    47

    Samba authentication problem


    I have a samba server setup that is authenticating with a Windows domain. This part of the authentication is working flawlessly and all the domain users can access the shares with no problems. My main problem is that the local accounts that were created on this server can not authenticate with samba. No matter what I try the local users can not login.

    So far I have reset both the local and samba passwords, checked that the local accounts are enabled, and I have made sure that I am trying to mount shares using SERVERNAME\username when it asks for the user.

    Here is my smb.conf file:
    Code:
    [global]
    	workgroup = WORKGROUP
    	realm = REALM.COM
    	server string = engineering file server
    	security = ADS
    	obey pam restrictions = Yes
    	password server = XXX.XXX.XXX.XXX
    	unix extensions = No
    	keepalive = 900
    	socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 IPTOS_LOWDELAY SO_KEEPALIVE
    	preferred master = No
    	local master = No
    	domain master = No
    	wins server = XXX.XXX.XXX.XXX
    	ldap ssl = no
    	idmap uid = 10000-20000
    	idmap gid = 10000-20000
    	template primary group = users
    	template homedir = /home/shares/bu_onen1/bu/users8/%U
    	template shell = /bin/bash
    	winbind separator = +
    	winbind cache time = 900
    	winbind enum users = No
    	winbind enum groups = No
    	winbind use default domain = Yes
    
    [bu_onen1]
    	path = /home/shares/bu_onen1
    	read only = No
    	vfs object = recycle
    		recycle:keeptree = Yes
    		recycle:repository = .undelete/%U
    		recycle:exclude = ~$*.doc *.lnk *.tmp *.temp
    [homes]
    	comment = Home directory for %U
    	valid users = %S, %D+%S
    	read only = No
    	browseable = No
    
    [ptc]
    	path = /home/shares/bu_onen1/ptc
    
    [ptc1]
    	path = /home/shares/bu_onen1/ptc1
    
    [newprogs]
    	path = /home/shares/newprogs
    	read only = No
    	create mask = 0774
    	directory mask = 0775
    
    [public]
    	path = /home/shares/public
    	read only = No
    	create mask = 0774
    	directory mask = 0775
    
    [pdf_print]
    	path = /var/spool/cups-pdf/
    	read only = No
    Here is my /etc/pam.d/samba file:
    Code:
    #%PAM-1.0
    auth	   sufficient  	pam_winbind.so
    #auth       required	pam_nologin.so
    auth       required	pam_stack.so service=system-auth  
    account    required	pam_stack.so service=system-auth
    account	   sufficient   pam_winbind.so
    session    required     pam_mkhomedir.so skel=/etc/skel umask=0022
    session    required	pam_stack.so service=system-auth
    password   required	pam_stack.so service=system-auth
    password   sufficient   pam_winbind.so use_authtok
    Here is my /etc/pam.d/system-auth file:

    Code:
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
    auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
    auth        required      /lib/security/$ISA/pam_deny.so
    
    account     required      /lib/security/$ISA/pam_unix.so broken_shadow
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account     sufficient	  /lib/security/$ISA/pam_krb5.so
    account     sufficient    /lib/security/$ISA/pam_winbind.so
    account     required      /lib/security/$ISA/pam_permit.so
    
    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
    password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
    password    required      /lib/security/$ISA/pam_deny.so
    
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so
    session     optional      /lib/security/$ISA/pam_krb5.so
    One other thing I tried that I forgot to mention is that I tried setting the "auth methods" to "guest, sam, winbind" but still had no luck.

  2. #2
    Just Joined!
    Join Date
    Jun 2005
    Posts
    47
    FYI, I can log into SWAT using local user credentials without a problem so I know the passwords are set up correctly.

  3. #3
    Super Moderator Roxoff
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,933
    Try the following:

    - Make sure your smb server is set to use encrypted passwords
    - Make sure that each user has an account on the Linux machine. If the user names are different, map Windows user name to Linux ones using /etc/samba/smbusers
    - For each user, set their samba password with smbpasswd; set it to be the same as their Windows password.
    - Restart Samba and test.
    Linux user #126863 - see http://linuxcounter.net/

  5. #4
    Just Joined!
    Join Date
    Jun 2005
    Posts
    47
    Roxoff...I think you are missing the point here.

    First, I'm authenticating Windows users via Winbind through our domain controller which is working fine. The accounts for the Windows users are virtual accounts that get created on the fly. I'm not concerned with any of this because I'm trying to authenticate a user that was created on the server and not one that was created on the domain. In other words, I'm trying to authenticate a Linux user and not a Windows user.

    Second, I have already reset the Linux users' passwords via smbpasswd and it didn't help. I can still log into the Linux user's account through SWAT without a problem, but I cannot access it from another computer. I have tried everything I know to try (with the domain name specified, without it specified, etc.) and it still will not allow me to login from another machine.

  6. #5
    Linux User
    Join Date
    Jul 2005
    Posts
    369
    You're going to have to map the accounts to a unix uid if you have a windows dc
    All i want for christmas is a new liver....a second chance to get afflicted with Cirrhosis

  7. #6
    Just Joined!
    Join Date
    Jan 2007
    Posts
    5
    Hi.
    Maybe this helps:
    I had:
    security=share
    on Solaris 9. And on the windows box, set the plain text password key value to 1
    [You may save this as a .reg file and import]
    -----------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\parameters]
    "enableplaintextpassword"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lanmanworkstation\parameters]
    "enableplaintextpassword"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmanworkstation\parameters]
    "enableplaintextpassword"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
    "enableplaintextpassword"=dword:00000001
    -----------------

    Then restart your windows box and try mapping again.
    Do let us know if this helped.
    -Parag
    http://paragpdoke.blogspot.com
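
Added example, not part of any post in this thread: a small Python check for the password-mode settings that posts #3 and #6 refer to, namely `encrypt passwords` and `security = share` in smb.conf on the server and the `enableplaintextpassword` registry value on the Windows client. The function names and the sample inputs are constructed for illustration.

```python
import re
FALSE = {"no", "false", "0"}
REG_VALUE = re.compile(r'^"enableplaintextpassword"=dword:([0-9a-f]{8})$', re.I)

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names
            params["".join(name.split()).lower()] = value.strip()
    return params

def audit_smb_conf(text):
    """List server settings that select share-level or clear-text passwords."""
    p = parse_global(text)
    findings = []
    if p.get("security", "").lower() == "share":
        findings.append("security = share")
    # encrypt passwords defaults to yes when the parameter is absent
    if p.get("encryptpasswords", "yes").lower() in FALSE:
        findings.append("encrypt passwords = no")
    return findings

def audit_reg(text):
    """Return registry keys under which enableplaintextpassword is non-zero."""
    key, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = REG_VALUE.match(line)
        if m and int(m.group(1), 16) != 0:
            hits.append(key)
    return hits

# Constructed samples: ADS_CONF mirrors lines posted in #1, the others post #6.
ADS_CONF = "[global]\n\tsecurity = ADS\n\tobey pam restrictions = Yes\n"
SHARE_CONF = "[global]\nsecurity=share\nEncrypt Passwords = No\n[public]\nsecurity = x\n"
REG_EXPORT = ('REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services'
              '\\lanmanworkstation\\parameters]\n"enableplaintextpassword"=dword:00000001\n')

if __name__ == "__main__":
    print(audit_smb_conf(ADS_CONF), audit_smb_conf(SHARE_CONF), audit_reg(REG_EXPORT))
```

The `[global]` section posted in #1 sets `security = ADS` and leaves `encrypt passwords` at its default, so the server-side check reports nothing for it.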

  8. #7
    Just Joined!
    Join Date
    Dec 2006
    Posts
    62
    Did you set up create machine accounts on your samba server?

    If you configured samba as a PDC then a requirement is that you include machine trust.

    If that's your configuration.

  9. #8
    Just Joined!
    Join Date
    Jan 2007
    Posts
    5
    Hi maclinwin.
    Was your reply intended for HaMBoNE79 ?
    If not, my Solaris 10 box has local authentication. I do not understand what PDC is but if it refers to Domain Controller; no. My domain controller is different and not configured in the samba installation.

    Regards,
    Parag P. Doke
    http://paragpdoke.blogspot.com

  10. #9
    Just Joined!
    Join Date
    Dec 2006
    Posts
    62
    My bad.

    PDC= Windows Primary Domain Controller. Samba on Linux is a great PDC alternative to Win servers.

    I need to read the threads closer.

