authenticating users from a Windows Domain Controller on Red Hat AS 3 U3

Christopher.Wood_at_gxs.com
Date: 02/25/05

    To: redhat-list@redhat.com
    Date: Fri, 25 Feb 2005 11:47:14 -0500
    
    

    Hello,

    I am trying to set up a Linux server (Linux 2.4.21-20.ELsmp) to authenticate
    Windows users on an Active Directory controller. I want to be able to
    authenticate users for Samba shares and to authenticate telnet, ftp, and
    console logons without creating separate or shared accounts on the Linux
    box. I followed the instructions at
    http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#winbindcfg

    Our ADS must be running in legacy mode because I used 'net rpc join' and not
    'net ads join' to join the domain.

    Now I can enumerate the users using winbind -u, but I cannot connect to a
    Samba share, even if I specify everyone can use the share. If I try to connect
    to the Samba share from my PC using an existing Linux user (like root), I
    get a dialog box that says "The credentials supplied conflict with an
    existing set of credentials".

    I get these messages on the console when I try to connect to the Samba share
    /export/kickstart:

    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver smbd[1859]: [2005/02/25 11:29:16, 0]
    auth/auth_util.c:make_server_info_info3(1122)
    Feb 25 11:29:16 myserver smbd[1859]: make_server_info_info3: pdb_init_sam
    failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver smbd[1859]: [2005/02/25 11:29:16, 0]
    auth/auth_util.c:make_server_info_info3(1122)
    Feb 25 11:29:16 myserver smbd[1859]: make_server_info_info3: pdb_init_sam
    failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:16 myserver winbindd[1833]: [2005/02/25 11:29:16, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:16 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:17 myserver winbindd[1833]: [2005/02/25 11:29:17, 0]
    nsswitch/winbindd_acct.c:winbindd_create_user(911)
    Feb 25 11:29:17 myserver winbindd[1833]: winbindd_create_user:
    idmap_allocate_id() failed!
    Feb 25 11:29:17 myserver smbd[1859]: [2005/02/25 11:29:17, 0]
    auth/auth_util.c:make_server_info_info3(1122)
    Feb 25 11:29:17 myserver smbd[1859]: make_server_info_info3: pdb_init_sam
    failed!
    Feb 25 11:29:47 myserver winbindd[1833]: [2005/02/25 11:29:47, 0]
    libsmb/cliconnect.c:cli_session_setup_spnego(759)
    Feb 25 11:29:47 myserver winbindd[1833]: Kinit failed: Malformed
    representation of principal

    I am NOT running nscd

    My /etc/samba/smb.conf - I tried security=DOMAIN and that doesn't work
    either.
    [global]
            server string = ohio edf kickstart server
            printcap name = /etc/printcap
            load printers = yes
            cups options = raw
            log file = /var/log/samba/%m.log
            max log size = 50
            security = ADS
            socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
            password server = mydomaincontroller
            guest ok = yes
            workgroup = mydomain
            dns proxy = no
    [homes]
            comment = Home Directories
            browseable = no
            writeable = yes
    [printers]
            comment = All Printers
            path = /var/spool/samba
            browseable = no
            printable = yes
    [kickstart]
            comment = Red Hat Linux Kickstart Files
            path = /export/kickstart
            writeable = yes
            guest ok = yes

    My /etc/pam.d/samba:
    auth required pam_stack.so service=system-auth
    account required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth

    My /etc/pam.d/login:
    auth required pam_securetty.so
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    auth sufficient pam_winbind.so
    auth sufficient pam_unix.so use_first_pass
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    session optional pam_console.so

    My /etc/pam.d/sshd
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    session required pam_limits.so
    session optional pam_console.so

    My /etc/pam_smb.conf
    MYDOMAIN
    mydomaincontroller

    My /etc/pam.d/system-auth
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required /lib/security/$ISA/pam_env.so
    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth required /lib/security/$ISA/pam_deny.so
    account required /lib/security/$ISA/pam_unix.so
    password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password required /lib/security/$ISA/pam_deny.so
    session required /lib/security/$ISA/pam_limits.so
    session required /lib/security/$ISA/pam_unix.so

    My /var/log/samba/smbd.log
      smbd version 3.0.6-2.3E started.
      Copyright Andrew Tridgell and the Samba Team 1992-2004
    [2005/02/25 08:52:11, 0] smbd/server.c:main(760)
      smbd version 3.0.6-2.3E started.
      Copyright Andrew Tridgell and the Samba Team 1992-2004
    [2005/02/25 08:52:11, 0] lib/util_sock.c:get_peer_addr(1000)
      getpeername failed. Error was Transport endpoint is not connected
    [2005/02/25 11:14:13, 0] smbd/server.c:main(760)
      smbd version 3.0.6-2.3E started.
      Copyright Andrew Tridgell and the Samba Team 1992-2004

    My /var/log/samba/winbindd.log:
    [2005/02/25 11:31:12, 0] nsswitch/winbindd_acct.c:winbindd_create_user(911)
      winbindd_create_user: idmap_allocate_id() failed!
    [2005/02/25 11:31:12, 0] nsswitch/winbindd_acct.c:winbindd_create_user(911)
      winbindd_create_user: idmap_allocate_id() failed!
    [2005/02/25 11:34:53, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
      Kinit failed: Malformed representation of principal
    [2005/02/25 11:39:53, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
      Kinit failed: Malformed representation of principal
    [2005/02/25 11:44:54, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
      Kinit failed: Malformed representation of principal

    Thanks so much if anyone can help!

    Chris
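
As an added example (not part of the original post and not Samba project code), this Python check reads a smb.conf and reports winbind-related parameters absent from `[global]`: an ID allocation range and, for `security = ADS`, a Kerberos realm, the two settings worth checking first given the `idmap_allocate_id() failed!` and `Kinit failed` log lines above. `idmap uid`, `idmap gid`, their `winbind uid`/`winbind gid` synonyms and `realm` are Samba 3.0 parameter names; the function names and the sample constant are hypothetical.

```python
import re

# Sample input: [global] and [kickstart] as posted above (other lines omitted).
POSTED_SMB_CONF = """\
[global]
        server string = ohio edf kickstart server
        security = ADS
        password server = mydomaincontroller
        guest ok = yes
        workgroup = mydomain
[kickstart]
        path = /export/kickstart
        guest ok = yes
"""

# (parameter, accepted synonyms, predicate saying when it is required).
# Assumption: Samba 3.0 names; "winbind uid"/"winbind gid" are older synonyms.
REQUIRED = [
    ("idmap uid", ("winbind uid",), lambda g: True),
    ("idmap gid", ("winbind gid",), lambda g: True),
    ("realm", (), lambda g: g.get("security", "").lower() == "ads"),
]

def norm(name):
    """Samba ignores case and whitespace in section and parameter names."""
    return "".join(name.lower().split())

def parse_global(text):
    """Return the [global] parameters keyed by normalised name."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = norm(header.group(1))
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def missing_winbind_params(smb_conf_text):
    """Names of required parameters that [global] does not set."""
    g = parse_global(smb_conf_text)
    return [name for name, synonyms, applies in REQUIRED
            if applies(g) and not any(norm(k) in g for k in (name, *synonyms))]

if __name__ == "__main__":
    for name in missing_winbind_params(POSTED_SMB_CONF):
        print(f"[global] does not set: {name}")
```
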

