From: Thomas Fazekas
To: freebsd-stable@freebsd.org
Cc: samba@lists.samba.org, freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-config@freebsd.org
Followup-To: gmane.network.samba.general
Date: Fri, 24 Jun 2005 11:14:09 +0200
Subject: Winbind NT domain authentication

Hi list,

Sorry for the cross-post, I'm not sure which list is better for me as I got a question related to samba, configuration, FreeBSD.

I'm trying to configure NT authentication on FreeBSD 5.4 with Samba 3.0.12 (installed from the ports collection). I've followed the Samba 3 howto.

I've managed the following:

wbinfo -g returns correctly the domain groups
wbinfo -u returns all the users (including those from the domain)
ntlm_auth does authenticate the user correctly:

    ntlm_auth --username=usr1
    password:
    NT_STATUS_OK: Success (0x0)

and in the winbind log I get:

    rpc: trusted_domains
    [ 3141]: request interface version
    [ 3141]: request location of privileged pipe
    [ 3141]: request domain name
    [ 3141]: request misc info
    [ 3141]: pam auth MYDOMAIN\usr1
    rpc_dc_name: Returning DC PASSV_SERV (_the_ip_) for domain MYDOMAIN
    IPC$ connections done anonymously
    Connecting to host=PASSV_SERV
    Connecting to _the_ip_ at port 445

I suspect this means that my samba/winbind configuration is correct. The trouble is that I still can't log in (login or ssh) with usernames from the domain. If I try with MYDOMAIN\usr1 I just get an Access Denied. The worst is that I'm not sure that I'm looking for the logs in the right place; the auth.log or messages doesn't show any trace of winbind being called.

My smb.conf:

    workgroup = MYDOMAIN
    netbios name = MY_BSD
    password server = passwd_serv_ip
    security = domain
    encrypt passwords = yes
    #passdb backend = tdbsam guest
    server string = MY_BSD Samba Server
    # separate domain and username with '\', like DOMAIN\username
    winbind separator = \\
    # use uids from 10000 to 20000 for domain users
    idmap uid = 10000-20000
    # use gids from 10000 to 20000 for domain groups
    idmap gid = 10000-20000
    # allow enumeration of winbind users and groups
    winbind enum users = yes
    winbind enum groups = yes
    # give winbind users a real shell (only needed if they have telnet access)
    template homedir = /home/winnt/%D%U
    template shell = /usr/local/bin/bash

My nsswitch.conf:

    group: compat winbind
    group_compat: nis
    hosts: files dns winbind
    networks: files
    passwd: compat winbind
    passwd_compat: nis
    shells: files

and finally my /etc/pam.d/sshd:

    # auth
    auth required pam_nologin.so no_warn
    #auth sufficient pam_opie.so no_warn no_fake_prompts
    #auth requisite pam_opieaccess.so no_warn allow_local
    #auth sufficient pam_krb5.so no_warn try_first_pass
    #auth sufficient pam_ssh.so no_warn try_first_pass
    #auth required pam_unix.so no_warn try_first_pass
    #tfa
    auth sufficient pam_winbind.so debug try_first_pass
    auth sufficient pam_unix.so no_warn try_first_pass

    # account
    #account required pam_krb5.so
    account required pam_login_access.so
    account sufficient pam_winbind.so debug
    account sufficient pam_unix.so

    # session
    #session optional pam_ssh.so
    session required pam_permit.so

    # password
    #password sufficient pam_krb5.so no_warn try_first_pass
    password sufficient pam_winbind.so debug try_first_pass
    password sufficient pam_unix.so no_warn try_first_pass

I hope this question is not silly, but for NT authentication only it is not necessary to run smbd/nmbd, is it? Winbind should do the job.

This is the 2nd week I keep trying to set this thing up, and one of the most frustrating experiences ever...

Can anybody give me some hints (other than going to a psychiatrist)?

Thomas
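
The auth section of the /etc/pam.d/sshd quoted above leaves pam_nologin.so as its only "required" module and marks both password-checking modules "sufficient". As an added example (not part of the original message, and not code from Samba or FreeBSD), the sketch below models the PAM control flags in simplified form and checks whether such a stack can return success when every credential check fails. The sample text is constructed from the quoted file, and the module classification in NO_CREDENTIAL_CHECK is an assumption.

```python
# Constructed from the active "auth" lines of the /etc/pam.d/sshd quoted above.
POSTED = """\
auth required   pam_nologin.so no_warn
#auth required  pam_unix.so no_warn try_first_pass
auth sufficient pam_winbind.so debug try_first_pass
auth sufficient pam_unix.so no_warn try_first_pass
"""
# Variant: pam_unix restored to "required", as in the commented-out line.
REQUIRED_LAST = POSTED.replace("auth sufficient pam_unix.so",
                               "auth required   pam_unix.so")

# Assumption: these modules succeed without verifying a password.
NO_CREDENTIAL_CHECK = {"pam_nologin.so", "pam_permit.so"}

def parse(text, facility="auth"):
    """Return [(control, module), ...] for the active lines of one facility."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, succeeds):
    """Simplified control-flag model; succeeds(module) -> bool."""
    failed = False
    for control, module in stack:
        if succeeds(module):
            if control in ("sufficient", "binding") and not failed:
                return True          # early success ends the chain
        elif control == "requisite":
            return False             # immediate failure
        elif control in ("required", "binding"):
            failed = True            # remembered, chain continues
        # a failing "sufficient" or "optional" module is ignored
    return not failed

def fails_open(text):
    """True if the stack succeeds although every credential check fails."""
    return evaluate(parse(text), lambda m: m in NO_CREDENTIAL_CHECK)

def accepts_valid_winbind(text):
    """True if a correct domain password (pam_winbind succeeds) is accepted."""
    ok = NO_CREDENTIAL_CHECK | {"pam_winbind.so"}
    return evaluate(parse(text), lambda m: m in ok)

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("required last", REQUIRED_LAST)):
        print(f"{name}: fails_open={fails_open(text)} "
              f"valid_winbind_ok={accepts_valid_winbind(text)}")
```

Under this model the posted stack reports fails_open=True, while the variant ending in a "required" pam_unix.so still accepts a valid winbind login and rejects the case where both password checks fail.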