authenticating users from a Windows Domain Controller on Red Hat AS 3 U3

Christopher.Wood_at_gxs.com
Date: 02/25/05

    To: redhat-list@redhat.com
    Date: Fri, 25 Feb 2005 11:47:14 -0500
    
    

    Hello,

    I am trying to set up a Linux server (Linux 2.4.21-20.ELsmp) to authenticate
    Windows users on an Active Directory controller. I want to be able to
    authenticate users for Samba shares and to authenticate telnet, ftp, and
    console logons without creating separate or shared accounts on the Linux
    box. I followed the instructions at
    http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#winbindcfg

    Our ADS must be running in legacy mode because I used 'net rpc join' and not
    'net ads join' to join the domain.

    Now I can enumerate the users using winbind -u, but I cannot connect to a
    Samba share, even if I specify everyone can use the share. If I try to connect
    to the Samba share from my PC using an existing Linux user (like root), I
    get a dialog box that says "The credentials supplied conflict with an
    existing set of credentials".

    I get these messages on the console when I try to connect to the Samba share
    /export/kickstart:

    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver smbd[1859]: [2005/02/25 11:29:16, 0]
    auth/auth_util.c:make_server_info_info3(1122)
    Feb 25 11:29:16 myserver smbd[1859]: make_server_info_info3: pdb_init_sam
    failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver smbd[1859]: [2005/02/25 11:29:16, 0]
    auth/auth_util.c:make_server_info_info3(1122)
    Feb 25 11:29:16 myserver smbd[1859]: make_server_info_info3: pdb_init_sam
    failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:17 myserver winbindd[1833]: [2005/02/25 11:29:17, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:17 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:17 myserver smbd[1859]: [2005/02/25 11:29:17, 0]
    auth/auth_util.c:make_server_info_info3(1122)
    Feb 25 11:29:17 myserver smbd[1859]: make_server_info_info3: pdb_init_sam
    failed!
    Feb 25 11:29:47 myserver winbindd[1833]: [2005/02/25 11:29:47, 0]
    libsmb/cliconnect.c:cli_session_setup_spnego(759)
    Feb 25 11:29:47 myserver winbindd[1833]: Kinit failed: Malformed
    representation of principal

    I am NOT running nscd

    My /etc/samba/smb.conf - I tried security=DOMAIN and that doesn't work
    either.
    [global]
            server string = ohio edf kickstart server
            printcap name = /etc/printcap
            load printers = yes
            cups options = raw
            log file = /var/log/samba/%m.log
            max log size = 50
            security = ADS
            socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
            password server = mydomaincontroller
            guest ok = yes
            workgroup = mydomain
            dns proxy = no
    [homes]
            comment = Home Directories
            browseable = no
            writeable = yes
    [printers]
            comment = All Printers
            path = /var/spool/samba
            browseable = no
            printable = yes
    [kickstart]
            comment = Red Hat Linux Kickstart Files
            path = /export/kickstart
            writeable = yes
            guest ok = yes

    My /etc/pam.d/samba:
    auth required pam_stack.so service=system-auth
    account required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth

    My /etc/pam.d/login:
    auth required pam_securetty.so
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    auth sufficient pam_winbind.so
    auth sufficient pam_unix.so use_first_pass
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    session optional pam_console.so

    My /etc/pam.d/sshd
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    session required pam_limits.so
    session optional pam_console.so

    My /etc/pam_smb.conf
    MYDOMAIN
    mydomaincontroller

    My /etc/pam.d/system-auth
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required /lib/security/$ISA/pam_env.so
    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth required /lib/security/$ISA/pam_deny.so
    account required /lib/security/$ISA/pam_unix.so
    password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password required /lib/security/$ISA/pam_deny.so
    session required /lib/security/$ISA/pam_limits.so
    session required /lib/security/$ISA/pam_unix.so

    My /var/log/samba/smbd.log
      smbd version 3.0.6-2.3E started.
      Copyright Andrew Tridgell and the Samba Team 1992-2004
    [2005/02/25 08:52:11, 0] smbd/server.c:main(760)
      smbd version 3.0.6-2.3E started.
      Copyright Andrew Tridgell and the Samba Team 1992-2004
    [2005/02/25 08:52:11, 0] lib/util_sock.c:get_peer_addr(1000)
      getpeername failed. Error was Transport endpoint is not connected
    [2005/02/25 11:14:13, 0] smbd/server.c:main(760)
      smbd version 3.0.6-2.3E started.
      Copyright Andrew Tridgell and the Samba Team 1992-2004

    My /var/log/samba/winbindd.log:
    [2005/02/25 11:31:12, 0] nsswitch/winbindd_acct.c:winbindd_create_user(911)
      winbindd_create_user: idmap_allocate_id() failed!
    [2005/02/25 11:31:12, 0] nsswitch/winbindd_acct.c:winbindd_create_user(911)
      winbindd_create_user: idmap_allocate_id() failed!
    [2005/02/25 11:34:53, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
      Kinit failed: Malformed representation of principal
    [2005/02/25 11:39:53, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
      Kinit failed: Malformed representation of principal
    [2005/02/25 11:44:54, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
      Kinit failed: Malformed representation of principal

    Thanks so much if anyone can help!

    Chris

    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
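
A configuration check for the smb.conf posted above, added here as an example (not part of the original message and not Samba's own tooling). It flags what Samba 3.0 documents as winbind prerequisites (the `idmap uid` / `idmap gid` ranges, and `realm` when `security = ADS`) and shares that end up both writable and guest-accessible. The sample text is constructed from the posted file, and only the `writeable`/`writable` spelling is examined.

```python
import re

# Constructed sample: the parameters relevant here, copied from the smb.conf in the post.
SMB_CONF = """\
[global]
        security = ADS
        guest ok = yes
[homes]
        writeable = yes
[kickstart]
        writeable = yes
        guest ok = yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with names lower-cased and whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(conf):
    """List findings: winbind prerequisites in [global], then guest-writable shares."""
    g, findings = conf.get("global", {}), []
    for name, synonym in (("idmap uid", "winbind uid"), ("idmap gid", "winbind gid")):
        if name not in g and synonym not in g:
            findings.append(f"[global] no '{name}' range: winbindd cannot allocate Unix IDs")
    if g.get("security", "").lower() == "ads" and "realm" not in g:
        findings.append("[global] security = ADS but no 'realm' for Kerberos")
    for share, params in conf.items():
        eff = {**g, **params}          # [global] values act as per-share defaults
        writable = is_yes(eff.get("writeable", eff.get("writable", "no")))
        if share != "global" and writable and is_yes(eff.get("guest ok", "no")):
            findings.append(f"[{share}] writable with guest ok = yes")
    return findings

print("\n".join(audit(parse_smb_conf(SMB_CONF))))
```

On the posted configuration, `[homes]` is reported as well as `[kickstart]` because `guest ok = yes` in `[global]` becomes the default for every share.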
    
