Need Howto for SMB Authentication

Trying to authenticate against a Samba PDC. I receive an Access Denied error message, followed by a message suggesting I look at the KDM logs.

Are there any good HowTos for SMB authentication?

John

Looking at the following link…
PDC Authentication HOWTO

It's a great explanation, but it doesn't follow the PAM file format that OpenSuSE uses. The writer based the doc on a RedHat install. I am a bit nervous about modifying PAM files when the document isn't written for OpenSuSE.

John

So it appears that I can authenticate against a Windows AD without issue. But for authenticating against a Samba PDC, there is nearly no good documentation geared towards OpenSuSE users.

Unless something else comes up, I guess I will try this again in the next version of SLES and OpenSuSE.

At this point, does anyone have any good commands on the client that they run to troubleshoot whether the client is connecting?

I have tried wbinfo -u, and get no response.

John

On Thu October 29 2009 04:16 pm, Johnfm3 wrote:

>
> So it appears that I can authenticate against a Windows AD without
> issue. But authenticating against Samba PDC, there is nearly no good
> documentation geared towards OpenSuSE users.
>
> Unless something else comes up, I guess I will try this again in the next
> version of SLES and OpenSuSE.
>
> At this point, does anyone have any good commands on the client that
> they run to troubleshoot whether the client is connecting?
>
> I have tried wbinfo -u, and get no response.
>
> John
>
>
John;

Samba uses NTLM passwords. The password database is provided through the
PDC. Thus PAM does not really come in here.

  1. First make sure the Samba ports are open on your machine. Samba needs the
     following ports:
     TCP: 135, 139 and 445
     UDP: 137, 138
     You must also allow broadcasts through the firewall.
     While testing, try just turning off the firewall. Once you have Samba working
     without the firewall, open the above ports and turn the firewall back on.

  2. To fully use domain resources you need to add your machine to the domain
     with the net rpc command:

     net rpc join member -U<administrator>%<admpasswd>

     <administrator> is the name of the domain administrator and <admpasswd> is
     his/her password.
     See: man net

  3. Make sure that the workgroup set in /etc/samba/smb.conf is the name of
     your domain and that both nmbd and smbd are running.

  4. Although it does not directly apply to your issue of joining a Samba
     domain, I think you will find the following Howto on Samba useful to you.
     http://opensuse.swerdna.org/suselanprimer.html

  5. You need to have a user who is authorized to use domain resources, i.e.
     you need a domain account.

Best of luck. OpenSuse is fully able to participate or control a Samba
Domain.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green
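The checklist above (firewall, join, workgroup, running daemons) and the client-side troubleshooting commands asked for earlier in the thread, collected into one diagnostic script. This is an added example, not P.V.'s or the Samba project's code. It assumes the Samba client tools (testparm, net, wbinfo), getent, pgrep and awk are installed on the openSUSE client and that the config files live at their default paths (override with SMB_CONF, NSSWITCH, HOST_CONF). The smb.conf, nsswitch.conf and host.conf contents written by write_sample_configs are constructed for the offline self-check, not copied from anyone's system; the workgroup value SMB.LOCAL just mirrors the thread. The three file checks run offline; winbind_diagnose talks to winbindd and the PDC and also covers the two points raised later in the thread (mdns off in host.conf for a ".local" domain, and nscd running alongside winbindd).

```shell
#!/bin/sh
# Added example: client-side checks for an openSUSE box joined to a Samba PDC.
# Not from the thread. Assumes testparm, net, wbinfo, getent, pgrep and awk
# are installed; the live part only runs when invoked with "live".

SMB_CONF=${SMB_CONF:-/etc/samba/smb.conf}
NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}
HOST_CONF=${HOST_CONF:-/etc/host.conf}

# Print the workgroup from the [global] section of an smb.conf. Other sections
# and commented-out lines are ignored, so a stray value elsewhere cannot fool it.
smb_workgroup() {
    awk -F= '
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /\[global\]/); next }
        in_global && tolower($1) ~ /^[[:space:]]*workgroup[[:space:]]*$/ {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit
        }' "$1"
}

# Succeed only if both the passwd and the group line list winbind. Without
# this, getent and chown cannot see DOMAIN\user even when wbinfo -u works.
nss_has_winbind() {
    awk '
        /^[[:space:]]*passwd:/ && /winbind/ { p = 1 }
        /^[[:space:]]*group:/  && /winbind/ { g = 1 }
        END { exit ((p && g) ? 0 : 1) }' "$1"
}

# Succeed if host.conf disables mDNS, which otherwise captures ".local" names.
hostconf_mdns_off() {
    grep -Eiq '^[[:space:]]*mdns[[:space:]]+off' "$1"
}

# Constructed sample files for the offline self-check (not the poster's files).
write_sample_configs() {
    printf '[global]\n\tworkgroup = SMB.LOCAL\n\tsecurity = domain\n[homes]\n\tworkgroup = WRONG\n' > "$1/smb.conf"
    printf 'passwd: compat winbind\ngroup:  compat winbind\n' > "$1/nsswitch.ok"
    printf 'passwd: compat\ngroup:  compat\n' > "$1/nsswitch.bad"
    printf 'order hosts,bind\nmdns off\n' > "$1/host.conf"
}

# Live checks against winbindd and the PDC; pass DOMAIN\user to test NSS lookup.
winbind_diagnose() {
    wg=$(smb_workgroup "$SMB_CONF")
    echo "workgroup in $SMB_CONF: ${wg:-<not set>}"
    testparm -s >/dev/null 2>&1 || echo "WARN: testparm rejects $SMB_CONF"
    hostconf_mdns_off "$HOST_CONF" || echo "WARN: no 'mdns off' in $HOST_CONF (matters for .local domains)"
    nss_has_winbind "$NSSWITCH" || echo "WARN: winbind not in passwd/group lines of $NSSWITCH"
    pgrep -x nscd >/dev/null && echo "WARN: nscd is running; stop it on hosts running winbindd"
    pgrep -x winbindd >/dev/null || echo "FAIL: winbindd is not running"
    wbinfo -p >/dev/null 2>&1 || echo "FAIL: wbinfo -p: winbindd does not answer"
    wbinfo -t >/dev/null 2>&1 || echo "FAIL: wbinfo -t: machine trust secret is bad (rejoin the domain)"
    net rpc testjoin || echo "FAIL: net rpc testjoin: not a valid domain member"
    echo "first users/groups via winbind:"; wbinfo -u | head -3; wbinfo -g | head -3
    if [ -n "$1" ]; then getent passwd "$1" || echo "FAIL: NSS cannot resolve $1"; fi
}

case "${1-}" in
    live) winbind_diagnose "${2-}" ;;
esac
```

Run it as `sh samba-check.sh live 'SMB.LOCAL\john'` on the client. The order of the live checks is deliberate: if wbinfo -p fails nothing after it is meaningful, wbinfo -t failing means the join is the problem rather than PAM, and getent failing while wbinfo -u works points at nsswitch.conf rather than at winbindd.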

Good points that I didn't speak of. I have disabled all firewalls for the testing of this setup.

I also didn't state it, but I have joined the OpenSuSE 11.1 box to the SLES 11 PDC domain (smb.local).

I did have the workgroup setting correct. It was done in YaST samba-server.
smb.conf
workgroup = SMB.LOCAL

The strange thing is, the server can do a net lookup <username> and find the info pertaining to the needed user. But I can't pull any info using wbinfo -u -g, and the client has no luck at all.

John

Users are being stored in LDAP. Is there a good way to pull the user info that SMB sees from the LDAP? I would have thought that wbinfo -u -g would have pulled all users and groups.

John

On Thu October 29 2009 05:56 pm, Johnfm3 wrote:

>
> Users are being stored in LDAP. Is there a good way to pull the user info
> that SMB sees from the LDAP? I would have thought that wbinfo -u -g
> would have pulled all users and groups.
>
> John
>
>
John;
Is winbindd running?

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

The server doesn't have winbind installed.
The client has winbind installed and running.

John

But the server is working when logging in on a Windows Machine.
Does that make sense?

John

On Thu October 29 2009 06:16 pm, Johnfm3 wrote:

>
> But the server
Which machine does the word "server" refer to? The PDC?
> is working when logging in on a Windows Machine.
> Does that make sense?
>
> John
>
>
John;
If your domain is really a “.local” domain, make sure /etc/host.conf contains
the parameter:


mdns off

(see: man host.conf)
This may alone solve your problem.

If the above does not help:
Can you explain just a bit just exactly what you are trying to do? Are you
trying to set up a member server or just access a Samba Domain as a client?
What version of OpenSuse are you trying to configure (11.1)? Can you post
the contents of /etc/samba/smb.conf? Conceal any sensitive information
(Public IP/Domain name etc) with substitute values.


P. V.
“We’re all in this together, I’m pulling for you.” Red Green

As I have a large family, including 5 kids, I don't even try to afford MS products. Thus my entire network is run by Novell SuSE and OpenSuSE.

The one goal I keep trying for during each new release of SLES or OpenSuSE is the ability to have Linux roaming profiles without the need of mounting the /home dir. The Samba group has been working on pam_csync, which allows Linux clients to copy to and from a file server during logon/logoff to sync the local home dir with the remote file server.

Currently I use LDAP to authenticate my users, which doesn't seem to have a mechanism for kicking off the csync application. Thus we come to SMB. So I am trying to set up a SLES PDC that can serve the user accounts and home directories to the client machines.

Any Ideas?

John

On Thu October 29 2009 08:46 pm, Johnfm3 wrote:

>
> As I have a large family, including 5 kids, I don't even try to afford MS
> products. Thus my entire network is run by Novell SuSE and OpenSuSE.
>
> The one goal I keep trying for during each new release of SLES or
> OpenSuSE is the ability of Linux Roaming Profiles without the need of
> mounting to the /home dir. Samba group has been working on the
> pam_csync which allows linux clients to copy to and from a file server
> during logon/logoff to sync the local home dir with the remote file
> server.
>
> Currently I use LDAP to authenticate my users. Which doesn't seem to
> have a mechanism for kicking off the csync application. Thus we come
> to SMB. So I am trying to setup a SLES PDC that can serve the user
> accounts and home directories to the client machines.
>
> Any Ideas?
>
> John
>
>
John;

I did not realize you were trying to authenticate Linux users with domain
credentials. My first thought was that it was not possible; however, you might
want to look at Chapter 7 of "Samba3 by Example".
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#id2596338

Just be sure you backup /etc/pam.d first and have your recovery disk handy.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Oh my gosh, somehow I missed this one. My PDC is set up without LDAP right now, and my client was able to authenticate, asked to change the password, then FAILED and went back to the logon screen. This happens with console login and KDE4. I will read through this and see what happens. Will post back the results in 14 hrs. Going to bed.

Night,
John

On Thu October 29 2009 05:56 pm, Johnfm3 wrote:

>
> Good points that I didn't speak of. I have disabled all firewalls for
> the testing of this setup.
>
> I also didn't state it, but I have joined the OpenSuSE 11.1 box to the SLES
> 11 PDC domain (smb.local).
>
> I did have the workgroup setting correct. It was done in yast
> samba-server.
> smb.conf
> workgroup = SMB.LOCAL
>
> The strange thing is, the server can do a net lookup <username> and
> find the info pertaining to the needed user. But I cant pull any info
> using wbinfo -u -g, and the client has no luck at all.
>
> John
>
John;

I forgot to mention this last night. Make sure you disable NSCD on any system
running winbindd. SEE:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2657393


P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Ok, this may be the wrong place for this question: if I am installing ldapsmb-tools from the SuSE DVD, why do I need the smbldap-tools from IDEALX? I installed the smbldap-tools and the useradd script failed.

Any thoughts?

John

Happy Halloween.
Well, after trying a few times, every time I restart the box it freezes during boot. I tried both NSS Winbind and NSS LDAP.

I am guessing OpenSuSE and Novell need more work. Anyway, I shouldn't need to edit conf files when there is a Join Windows Domain icon in YaST. That should take care of everything needed. Otherwise, more work is needed.

Thanks for your assistance, will try again on later releases.
John

Ok, so I tried something very simple. After reverting to a prior snapshot of my VM, I performed the following…

installed winbind
started winbind
YaST => Network Services => Windows Domain Membership
joined the samba.local (my test domain) domain
modified the login and xdm pam.d files as follows…

/etc/pam.d/login

#%PAM-1.0
auth sufficient pam_unix2.so nullok
auth sufficient pam_winbind.so use_first_pass use_authtok
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so
account sufficient pam_unix2.so
account sufficient pam_winbind.so user_first_pass use_authtok
password required pam_pwcheck.so nullok
password sufficient pam_unix2.so nullok use_first_pass use_authtok
password sufficient pam_winbind.so use_first_pass use_authtok
session sufficient pam_unix2.so none
session sufficient pam_winbind.so use_first_pass use_authtok
session required pam_limits.so

/etc/pam.d/gdm (/etc/pam.d/xdm)

#%PAM-1.0
auth sufficient pam_unix2.so nullok
auth sufficient pam_winbind.so use_first_pass use_authtok
account sufficient pam_unix2.so
account sufficient pam_winbind.so use_first_pass use_authtok
password sufficient pam_unix2.so
password sufficient pam_winbind.so use_first_pass use_authtok
session sufficient pam_unix2.so
session sufficient pam_winbind.so use_first_pass use_authtok
session required pam_dev perm.so
session required pam_resmgr.so

created a /home/SAMBA.LOCAL/<username> folder
rebooted

Guess what, it almost worked.
I can log in via console successfully. During login, I get Access Denied, and then a login prompt.

During a KDE login, I get the same Access Denied, then a failure message pointing me to the KDM log entries. Looking at the log messages shows the following…

Oct 31 19:28:58 os111 kdm: :0[3581]: PAM unable to dlopen(/lib/security/pam_dev): /lib/security/pam_dev: cannot open shared object file: No such file or directory
Oct 31 19:28:58 os111 kdm: :0[3581]: PAM adding faulty module: /lib/security/pam_dev
Oct 31 19:28:58 os111 kdm: :0[3581]: PAM unable to dlopen(/lib/security/pam_resmgr.so): /lib/security/pam_resmgr.so: cannot open shared object file: No such file or directory
Oct 31 19:28:58 os111 kdm: :0[3581]: PAM adding faulty module: /lib/security/pam_resmgr.so
Oct 31 19:28:58 os111 kdm: :0[3581]: pam_winbind(xdm:auth): getting password (0x00000012)
Oct 31 19:28:58 os111 kdm: :0[3581]: pam_winbind(xdm:auth): pam_get_item returned a password
Oct 31 19:28:58 os111 kdm: :0[3581]: pam_winbind(xdm:auth): request failed: Access denied, PAM error was System error (4), NT error was NT_STATUS_ACCESS_DENIED
Oct 31 19:28:58 os111 kdm: :0[3581]: pam_winbind(xdm:auth): internal module error (retval = 4, user = 'SAMBA.LOCAL\john')

I am closer now than I have ever been. At least now console login works.

I will keep trying as later versions are produced…
Cheers,
John
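The first four kdm log lines above come from the PAM files, not from winbind: "pam_dev" without a ".so" is what PAM sees when the module name is split by a space, and pam_resmgr.so simply is not present under /lib/security on that box. Below is a small linter for PAM stacks of the simple "type control module args" form used on openSUSE 11.x that reports exactly those two conditions, plus two things a reviewer would flag in the posted stacks: nullok on pam_unix2 (an account with an empty password gets through) and an option spelled almost, but not quite, like use_first_pass, which pam_winbind does not recognise. This is an added example, not part of the thread and not the poster's files; the stack written by write_sample_pam is constructed from lines of the two files posted above, and the fake module directory holding only pam_unix2.so and pam_winbind.so is an assumption for the offline self-check. Bracketed controls such as [success=1 default=ignore] are out of scope. Note what it does not explain: the NT_STATUS_ACCESS_DENIED from pam_winbind is an answer from winbindd/the PDC, which a PAM file check cannot diagnose.

```shell
#!/bin/sh
# Added example, not from the thread: lint PAM stacks of the simple
# "type control module args" form. Reports missing module files, module
# names split by a stray space, nullok, and misspelled *_first_pass options.
# Assumption: no bracketed [..] control fields (openSUSE 11.x files use keywords).

# pam_lint FILE MODULE_DIR: print one finding per line; exit 0 when clean.
pam_lint() {
    pamfile=$1; moddir=$2; n=0
    while read -r ptype control module rest; do
        case "$ptype" in ''|'#'*) continue ;; esac
        case "$module" in
            /*)   modpath=$module ;;
            *.so) modpath=$moddir/$module ;;
            *)    echo "$pamfile: $ptype: '$module' has no .so suffix; PAM will dlopen it as-is and '${rest%% *}' is parsed as an argument"
                  n=$((n + 1)); modpath= ;;
        esac
        if [ -n "$modpath" ] && [ ! -e "$modpath" ]; then
            echo "$pamfile: $ptype: $modpath not found; PAM adds it as a faulty module that always fails (control=$control)"
            n=$((n + 1))
        fi
        for opt in $rest; do
            case "$opt" in
                nullok) echo "$pamfile: $ptype: nullok on $module lets accounts with an empty password through"; n=$((n + 1)) ;;
                use_first_pass|try_first_pass) ;;
                *first_pass*) echo "$pamfile: $ptype: unknown option '$opt' on $module (did you mean use_first_pass?)"; n=$((n + 1)) ;;
            esac
        done
    done < "$pamfile"
    [ "$n" -eq 0 ]
}

# pam_finding_count FILE MODULE_DIR: number of findings (0 when clean).
pam_finding_count() {
    pam_lint "$1" "$2" | grep -c . || true
}

# Constructed stack built from lines of the two files posted in the thread,
# plus a fake module directory that only holds pam_unix2.so and pam_winbind.so
# (assumption for the offline check; the real directory is /lib/security).
write_sample_pam() {
    mkdir -p "$1/security"
    : > "$1/security/pam_unix2.so"; : > "$1/security/pam_winbind.so"
    cat > "$1/xdm" <<'EOF'
#%PAM-1.0
auth sufficient pam_unix2.so nullok
auth sufficient pam_winbind.so use_first_pass use_authtok
account sufficient pam_unix2.so
account sufficient pam_winbind.so user_first_pass use_authtok
password sufficient pam_unix2.so
password sufficient pam_winbind.so use_first_pass use_authtok
session sufficient pam_unix2.so
session sufficient pam_winbind.so use_first_pass use_authtok
session required pam_dev perm.so
session required pam_resmgr.so
EOF
}

case "${1-}" in
    demo) d=$(mktemp -d); write_sample_pam "$d"; pam_lint "$d/xdm" "$d/security"; rm -rf "$d" ;;
    lint) pam_lint "$2" "${3:-/lib/security}" ;;
esac
```

`sh pam-lint.sh demo` prints the four findings for the constructed stack; `sh pam-lint.sh lint /etc/pam.d/xdm` checks a real file against /lib/security. Running it before rebooting is cheaper than the recovery disk P.V. mentioned: a required line whose module cannot be loaded fails that whole stack for every login.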

The thing I still can't do is change the owner of a file or folder to a domain member. So john's home folder is still owned by root. Yet when john logs in, he's in the home dir.

Go figure

Happy Halloween,
John