I have been trying to set up a linux file/print server to work with my existing network (NT4 and win2k machines). I would like the linux box to do authentication with our existing PDC (NT4). Right now, I can get lists of users and groups (that is, getent passwd and getent group return the correct lists) but am unable to connect to the linux box (both login and samba) using any of my NT accounts. Has anyone dealt with the problem before? What was the solution?

Thanks in advance,

Jason Raycroft

I am running Redhat 7.3, with the following configuration:

SMB.CONF - items in (parentheses) are replaced with actual names
# Samba config file created using SWAT
# from localhost.localdomain (127.0.0.1)
# Date: 2002/07/05 14:12:15

# Global parameters
[global]

winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache = 30
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash

security = DOMAIN
workgroup = (my workgroup)
password server = (my server)
encrypt passwords = Yes

netbios name = (my linux box)
server string = Samba Server on Red Hat 7.3
obey pam restrictions = No
pam password change = No
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*success fully*
unix password sync = YES
log file = /var/log/samba/%U.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 0
preferred master = False
local master = No
domain master = False
dns proxy = No
remote announce = 172.16.77.4
guest account = guest
hosts allow = 172.16.77.0/255.255.255.0 127.
printing = nt
map to guest = Bad User

[homes]
path = /home/%D/%U
valid users = %S
read only = No
create mask = 0777
directory mask = 0777
browseable = No

[public]
path = /home/public
valid users = %S
read only = No
create mask = 0777
browseable = Yes

[Project 1]
path = /projects/proj1
read only = no
create mask = 0777
browseable = yes
guest ok = no
valid users = @(NT-group1)



nsswitch

passwd: files winbind
shadow: files winbind
group: files winbind

#hosts: db files nisplus nis dns
hosts: files nisplus dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files nisplus
rpc: files
services: files nisplus

netgroup: files nisplus

publickey: nisplus

automount: files nisplus
aliases: files nisplus


/etc/pam.d/samba

#%PAM-1.0
auth required /lib/security/pam_stack.so service=system auth
account required /lib/security/pam_stack.so service=system-auth


/etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so

Try setting your security to server and see if that helps at all. You might also want to play with the encrypt passwords setting. I think you have to do more work to get that to work with a pdc.

Since you are using "security = domain" can we safely assume that you have successfully joined the NT domain with your Linux machine?

Yes, I was able to join the NT domain and change the password for the machine account. The biggest problem that I have is that winbind works halfway. Users can reach the box through "network places" /if/ they have an account on the linux box (so samba is working). When I run getent passwd I get a list of all of my NT users, and when I run getent group I get the list of groups - so winbind works up to that point. Now, when I try to reach my linux box with valid NT users who do not have explicit accounts on the linux box - they are unable to connect. Additionally, I have tried to login to the linux box as an NT user (both local and remote) with no luck.

Today, I will be setting this up again on a fresh install, and will let you know how it goes.

Thanks
Jason Raycroft

Problem fixed

as it turns out, for "valid users" in smb.conf, I was using just the NT group and usernames. Should have been:

valid users = @DOMAIN+groupname DOMAIN+username

(that is if the winbind separator is "+")

Jason Raycroft

Hi,

I post here since this is the problem that comes closest to mine :)

I have a linux server in my domain and I'm able to get the user/groups list from my PDC with getent.

However I'm still unable to access my linux shares.
Also when I try wbinfo -a DOMAIN+username%password the plain text authentication is successful but the challenge/response one fails.

Here's my config: with this config everyone can access IT and no one can access public

# Samba config file created using SWAT
# from localhost.localdomain (127.0.0.1)
# Date: 2002/07/22 11:57:24

# Global parameters
[global]
workgroup = DOMAIN
server string = Fileserver_linux
security = DOMAIN
encrypt passwords = Yes
password server = *
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = lpstat
dns proxy = No
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
hosts allow = 192.168.70. 127.
printing = cups

[public]
comment = Public space with read-write access
path = /home/local/samba-public
valid users = @DOMAIN+groupname DOMAIN+username
read only = No
guest ok = Yes

[IT]
comment = Public space with read-write access
path = /home/local/samba-it
read only = No
guest ok = Yes

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No

Hope someone can point me in the right direction