Solved

Cannot log in to Linux with Windows user

Posted on 2004-04-03
Last Modified: 2010-05-18
I have recently upgraded my system from Samba 2.7 to Samba 3.0.2a

I am on a 2K Domain running in mixed mode named FLORIDA and I was able to add my Linux system (MDKFTP) successfully to the domain. It is recognized in Network Neighborhood, and when I double-click on it, it asks me to authenticate. When I try to put in my Windows username (FLORIDA\dthomas or FLORIDA+dthomas) and password, it does not authenticate. When I checked auth.log it displayed the following:

pam_winbind[21813] request failed: Access Denied, PAM error was 4, NT_Status_Access_Denied
pam_winbind[21813] internal module error: (retval = 4, user = FLORIDA\dthomas)

I am trying to share this directory with Windows:  /var/ftp/ftp/

The following functions work on MDKFTP:

wbinfo -t: It says that the secret is good
wbinfo -g: It shows all the groups in AD
wbinfo -u: It shows all the users in AD
getent passwd: It shows all the users
getent group: It shows all the groups

smb.conf

[global]
      log file = /var/log/samba/log.%m
      character set = ISO8859-15
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
      wins server = 192.168.0.29
      encrypt passwords = yes
      # winbind use default domain = yes
      # winbind separator = +
      winbind uid = 10000-20000
      winbind gid = 10000-20000
      template shell = /usr/sbin/scponlyc
      dns proxy = No
      server string = Samba Server %v
      password server = *
      winbind enum users = yes
      winbind enum groups = yes
      local master = No
      template homedir = /var/ftp//ftp
      workgroup = FLORIDA
      os level = 18
      max log size = 50

[ftp]
      comment = FTP folder
      valid users = @FLORIDA\MDKFTP_R,@FLORIDA\MDKFTP_W
      inherit permissions = yes
      path = /var/ftp/ftp
      write list = @FLORIDA\MDKFTP_W
      inherit acls = yes

nsswitch.conf

passwd:     files winbind nisplus nis
shadow:     files winbind nisplus nis
group:      files winbind nisplus nis

#hosts:     db files nisplus nis dns
hosts:      files winbind dns nisplus nis

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files    

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus


PAM:

/etc/pam.d/login

#%PAM-1.0
auth       required      /lib/security/pam_securetty.so
auth         sufficient      /lib/security/pam_winbind.so
auth         sufficient      /lib/security/pam_unix.so use_first_pass
auth       required      /lib/security/pam_stack.so service=system-auth
auth       required      /lib/security/pam_nologin.so
account         sufficient      /lib/security/pam_winbind.so
account    required      /lib/security/pam_stack.so service=system-auth
password   required      /lib/security/pam_stack.so service=system-auth
session    required      /lib/security/pam_stack.so service=system-auth
session    optional      /lib/security/pam_console.so

auth       required     /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/concord/loginusers

/etc/pam.d/xdm

#%PAM-1.0
auth       required      /lib/security/pam_pwdb.so shadow nullok
auth         sufficient      /lib/security/pam_winbind.so
auth       required      /lib/security/pam_nologin.so
account    required      /lib/security/pam_pwdb.so
account         sufficient      /lib/security/pam_winbind.so
password   required      /lib/security/pam_cracklib.so
password   required      /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required      /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_console.so

/etc/pam.d/samba3

#%PAM-1.0
auth         required      /lib/security/pam_securetty.so
auth       required      /lib/security/pam_nologin.so
auth         sufficient      /lib/security/pam_winbind.so
auth       required      /lib/security/pam_wdb.so use_first_pass shadow nullok
account    required      /lib/security/pam_winbind.so
session    required      /lib/security/pam_stack.so service=system-auth

/etc/pam.d/system-auth-winbind

#%PAM-1.0

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so

account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Any help would be much appreciated.

Thank you

Dan
Question by:t79homasdw

Accepted Solution

by:parkerig
parkerig earned 250 total points
ID: 10755817
Hi,

On my box there is a directory of examples.

find / -name smb.conf

Try using and editing one of them.
I would start with the one that says simple.

For testing I always make myself root equivalent in the smb.conf file and do a real simple share, e.g.

[exceed]
   comment = Share to give files to Third Party
   path = /home/exceed/interface
   read only = no
   writeable = yes
   public = yes
   guest ok = yes

In the past when I have had problems it was normally because the files created at unix level or directory created at unix level had permissions that the guest user couldn't use.

So for testing make sure the directory is chmod 777 /testing and the files in it are rwxrwxrwx - for simplicity.

Once all ok then add the required security.

I hope this helps a bit
Ian
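The answer above ends with "once all ok then add the required security"; the following is an added example, not part of the original post, of a check for test settings that were left in place: it flags shares that still allow guest access (`guest ok` or its synonym `public`) or whose path is still world-writable. The function names, the temporary directories and the sample smb.conf text are constructed for illustration.

```python
import os, stat, tempfile

def parse_shares(text):
    """Minimal smb.conf reader: {section: {normalised key: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(text):
    """Return (share, finding) pairs for leftover test settings."""
    findings = []
    for name, opts in parse_shares(text).items():
        if name == "global":
            continue
        if is_yes(opts.get("guest ok", "no")) or is_yes(opts.get("public", "no")):
            findings.append((name, "guest access enabled"))
        path = opts.get("path")
        if path and os.path.isdir(path) and os.stat(path).st_mode & stat.S_IWOTH:
            findings.append((name, "path is world-writable"))
    return findings

def demo():
    """Constructed sample: the [exceed] test share on a 777 directory next to
    a group-restricted share on a 755 directory."""
    open_dir, closed_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.chmod(open_dir, 0o777)
    os.chmod(closed_dir, 0o755)
    conf = (f"[global]\n   workgroup = FLORIDA\n"
            f"[exceed]\n   path = {open_dir}\n   read only = no\n"
            f"   public = yes\n   guest ok = yes\n"
            f"[ftp]\n   path = {closed_dir}\n"
            f"   valid users = @FLORIDA\\MDKFTP_R,@FLORIDA\\MDKFTP_W\n")
    findings = audit(conf)
    os.rmdir(open_dir)
    os.rmdir(closed_dir)
    return findings

if __name__ == "__main__":
    print(demo())
```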
 

Assisted Solution

by:richiemarshall
richiemarshall earned 250 total points
ID: 10783542
Hi,

It sounds like a pam/winbind issue to me. I recently set up Samba 3 on Debian and was having very similar issues. I can't remember exactly what I did to resolve the issue, but it did involve modifying the pam settings.

Looking at the settings that I have:
pam.d/login has:
auth       sufficient   pam_winbind.so
account    required     pam_winbind.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077

pam/samba has account sufficient, not account required.
I also have an entry session sufficient pam_winbind.so in my common-session settings (sorry, Debian does it a little differently) and I couldn't see an equivalent in your settings.

Hope this makes sense, and helps!

Rich
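A simplified model of the PAM control flags discussed in this thread, as an added example that is not part of either poster's configuration or of Linux-PAM itself: it walks the auth and account lines from the question's /etc/pam.d/login and shows which modules never run once a `sufficient` pam_winbind.so succeeds. The helpers `walk` and `gates_first`, the module outcomes and the reordering are assumptions; pam_stack.so is treated as one opaque module.

```python
import os

# auth/account lines copied from the /etc/pam.d/login posted in the question
LOGIN = """\
auth     required   /lib/security/pam_securetty.so
auth     sufficient /lib/security/pam_winbind.so
auth     sufficient /lib/security/pam_unix.so use_first_pass
auth     required   /lib/security/pam_stack.so service=system-auth
auth     required   /lib/security/pam_nologin.so
account  sufficient /lib/security/pam_winbind.so
account  required   /lib/security/pam_stack.so service=system-auth
auth     required   /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/concord/loginusers
"""
GATES = ("pam_nologin.so", "pam_listfile.so")  # checks meant to apply to everyone

def parse_stack(text, kind):
    """Return [(control, module_basename)] for one management group, in file order."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == kind:
            entries.append((parts[1], os.path.basename(parts[2])))
    return entries

def walk(entries, results):
    """results maps module -> bool (missing modules succeed).
    Returns (granted, modules_run, modules_skipped)."""
    ran, failed, granted = [], False, False
    for i, (control, module) in enumerate(entries):
        ran.append(module)
        rest = [m for _, m in entries[i + 1:]]
        if results.get(module, True):
            if not failed:
                granted = True
                if control == "sufficient":
                    return True, ran, rest   # stack ends here, rest never runs
        elif control == "requisite":
            return False, ran, rest          # immediate denial
        elif control == "required":
            failed = True                    # keep going, deny at the end
    return granted and not failed, ran, []

def gates_first(entries, gates=GATES):
    """Hypothetical reordering: run the gate modules before any 'sufficient' one."""
    return [e for e in entries if e[1] in gates] + [e for e in entries if e[1] not in gates]

if __name__ == "__main__":
    auth = parse_stack(LOGIN, "auth")
    off_list = {"pam_listfile.so": False}    # constructed case: user not in loginusers
    print("as posted :", walk(auth, off_list))
    print("gates 1st :", walk(gates_first(auth), off_list))
    print("account   :", walk(parse_stack(LOGIN, "account"), {}))
```

With the lines in the posted order, a domain user who is not in the pam_listfile allow-list is still granted because pam_listfile.so and pam_nologin.so are never reached; the account stack likewise skips pam_stack.so, which the `account required pam_winbind.so` form would not.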

Expert Comment

by:Tolomir
ID: 15718632
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: parkerig{http:#10755817} & richiemarshall{http:#10783542}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Tolomir
EE Cleanup Volunteer
