Samba/Winbind Active Directory authentication broken after upgrade to 14.04
Solution 1
Does
getent passwd
return anything? How about
wbinfo -u
I am working on the same thing and for me wbinfo -u worked but getent passwd did not. I was able to get getent passwd to work by adding these packages.
apt-get install libnss-winbind libpam-winbind
Once getent passwd returned domain users I was able to ssh into the machine with my domain cred.
Solution 2
I was having the same issue but, through some hacking, I was able to get it to work finally.
After adding libnss-winbind, getent passwd worked and I was getting a setgid error when I attempted to log in as an AD user.
So I started hacking at the smb.conf file.
I copied the smb.conf file I had from a working 12.04LTS server and made some minor changes and it worked.
This is my smb.conf.
[global]
allow trusted domains = Yes
workgroup = DOMAIN
server string = 'Test Server'
security = ads
realm = DOMAIN.COM
password server = 0.0.0.0
domain master = no
local master = no
preferred master = no
idmap backend = tdb
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 10000-99999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/DOMAIN.COM/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
restrict anonymous = 2
log file = /var/log/samba/log.%m
max log size = 50
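As an added check script (not part of either answer above), the following lints an smb.conf for the two testparm complaints quoted in the question (the obsolete idmap uid/gid keys, and password server combined with security = ads) and confirms that nsswitch.conf and the PAM auth stack actually reference winbind, which is what Solution 1's libnss-winbind/libpam-winbind packages provide. The sample files it writes are constructed to mirror the broken setup; point the functions at /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/pam.d/common-auth to check a real host.

```shell
#!/bin/sh
# Offline checks for an AD member: lint smb.conf for the two testparm
# complaints quoted in the question (obsolete "idmap uid"/"idmap gid", and
# "password server" combined with "security = ads") and confirm that
# nsswitch.conf and the PAM stack reference winbind. Sample files are constructed.

# Print smb.conf problems; returns 0 when clean, 1 when anything was flagged.
lint_smb_conf() {
    f=$1; rc=0
    if grep -Eq '^[[:space:]]*idmap (uid|gid)[[:space:]]*=' "$f"; then
        echo "smb.conf: 'idmap uid'/'idmap gid' are obsolete; use 'idmap config DOMAIN:range'"
        rc=1
    fi
    if grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads' "$f" &&
       grep -Eq '^[[:space:]]*password server[[:space:]]*=' "$f"; then
        echo "smb.conf: 'password server' should not be combined with 'security = ads'"
        rc=1
    fi
    return $rc
}

# Returns 0 only when both passwd and group lookups include winbind.
nss_has_winbind() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Returns 0 when pam_winbind.so appears in an auth or account line of a PAM file.
pam_has_winbind() {
    grep -Eq '^[[:space:]]*(auth|account)[[:space:]].*pam_winbind\.so' "$1"
}

# Constructed samples that mirror the misconfiguration described in the question.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
   security = ads
   realm = MYDOMAIN.COM
   password server = 0.0.0.0
   idmap uid = 10000-99999
EOF
printf 'passwd: compat\ngroup:  compat winbind\n' > "$SAMPLE_DIR/nsswitch.conf"
printf 'auth sufficient pam_winbind.so\nauth required pam_unix.so nullok_secure use_first_pass\n' \
    > "$SAMPLE_DIR/common-auth"

lint_smb_conf "$SAMPLE_DIR/smb.conf" || echo "-> fix smb.conf, then re-run testparm"
nss_has_winbind "$SAMPLE_DIR/nsswitch.conf" || echo "-> nsswitch.conf: add winbind to passwd: and group:"
pam_has_winbind "$SAMPLE_DIR/common-auth" || echo "-> PAM: pam_winbind.so missing from the auth stack"
```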
vocoder
Updated on September 18, 2022
Comments
-
vocoder over 1 year
I was on Ubuntu desktop 12.04 and had it joined to the domain using samba/winbind/krb5 - worked great without any issues, I could log onto my computer using my active directory account. I upgraded to 14.40 and it seems to have broken. It seems that 14.04 has upgraded to Samba4 and I'm not sure if that is the issue or not. I made a few changes to my smb.conf file that appear to be Samba4 changes - and that allows me to join to the domain using net ads join -U username - works fine...my computer is joined to the domain - and I can get a ticket using kerberos and see that it is valid. However when I log out of my local account and try to log back in using my domain account, it always tells me invalid password. Any ideas? After running testparm on my smb.conf file, it told me idmap uid and idmap gid are no longer used....and it also told me that "security=ads" combined with "password server" should not be combined. I'm wondering if that is the issue.
edit: possibly has something to do with my pam.d files - I just did a clean installation of 14.04 and am unable to log in....it doesn't even ask me for my password...which goes away if I go back to the default pam files - here is what I have
/etc/pam.d/common-account:
account sufficient pam_winbind.so
account required pam_unix.so
/etc/pam.d/common-auth:
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
/etc/pam.d/common-password:
password required pam_unix.so nullok obscure min=4 max=50 md5
/etc/pam.d/common-session:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
here is my test /etc/samba/smb.conf:
[global]
workgroup = MYDOMAIN
security = ADS
realm = MYDOMAIN.COM
netbios name = trusty
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 500-40000
winbind nss info = rfc2307
[test]
path = /srv/samba/test
read only = no
and here is my /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.COM
ticket_lifetime = 24000
allow_weak_crypto = yes
[realms]
MYDOMAIN.COM = {
kdc = my.domain.com
admin_server = my.domain.com
default_domain = MYDOMAIN.COM
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[login]
krb4_convert = true
krb4_get_tickets = false
/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files mdns4_minimal [NOTFOUND=return] dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
edit: one last thing.....I noticed if I type pam-auth-update, I don't see the ability to enable a pam profile for active directory or ldap...I swear that was there in 12.04...?
-
vocoder about 10 years
installing libnss-winbind and libpam-winbind did make the option show up in pam-auth-update so at least that is a step in the right direction. Still unable to login with domain users though. I'm wondering if I need to create the symlinks that this page mentions (I'm guessing not, as I tried and still can't login) - wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
-
vocoder about 10 years
this appears in auth.log when trying to log in using a domain account:
-
vocoder about 10 years
Apr 25 11:59:28 mycomputer lightdm: pam_unix(lightdm:auth): check pass; user unknown
Apr 25 11:59:28 mycomputer lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Apr 25 11:59:28 mycomputer lightdm: pam_winbind(lightdm:auth): getting password (0x00000388)
Apr 25 11:59:28 mycomputer lightdm: pam_winbind(lightdm:auth): pam_get_item returned a password
Apr 25 11:59:30 mycomputer lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory