Samba/Winbind Active Directory authentication broken after upgrade to 14.04


Solution 1

Does

    getent passwd

return anything?

How about

    wbinfo -u

I am working on the same thing and for me wbinfo -u worked but getent passwd did not. I was able to get getent passwd to work by adding these packages.

    apt-get install libnss-winbind libpam-winbind

Once getent passwd returned domain users I was able to ssh into the machine with my domain cred.

Solution 2

I was having the same issue but, through some hacking I was able to get it to work finally.

After adding libnss-winbind, getent passwd worked, and I was getting a setgid error when I attempted to log in as an AD user.

So I started hacking at the smb.conf file.

I copied the smb.conf file I had from a working 12.04LTS server and made some minor changes and it worked.

This is my smb.conf.

    [global]
    allow trusted domains = Yes
    workgroup = DOMAIN
    server string = 'Test Server'
    security = ads
    realm = DOMAIN.COM
    password server = 0.0.0.0
    domain master = no
    local master = no
    preferred master = no
    idmap backend = tdb
    idmap uid = 10000-99999
    idmap gid = 10000-99999
    idmap config DOMAIN:backend = rid
    idmap config DOMAIN:range = 10000-99999
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind refresh tickets = yes
    template homedir = /home/DOMAIN.COM/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = true
    restrict anonymous = 2
    log file = /var/log/samba/log.%m
    max log size = 50
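As an added example that is not code from either answer or from the Samba project, the POSIX shell script below lints copies of the three files this thread keeps coming back to: it reports the two testparm warnings quoted in the question ('idmap uid'/'idmap gid' no longer used, and 'security = ads' combined with 'password server'), whether nsswitch.conf routes passwd and group lookups to winbind (which is what libnss-winbind enables and what getent passwd needs to list domain users), and whether common-auth contains a pam_winbind.so line at all. The script name, function names and the sample paths are my own assumptions; it only reads the files you pass it.

```shell
#!/bin/sh
# Added example (not from the original answers): offline lint of smb.conf,
# nsswitch.conf and /etc/pam.d/common-auth for the conditions discussed in
# this thread. Paths are passed as arguments, so it can be run against copies.

# Emit "key = value" for the [global] section, keys lowercased, whitespace trimmed.
global_params() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && /=/ {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print tolower(k) " = " v
        }' "$1"
}

# 0 if smb.conf is free of the two warnings the question reports, 1 otherwise.
check_smb_conf() {
    params=$(global_params "$1"); rc=0
    if printf '%s\n' "$params" | grep -q '^idmap [ug]id = '; then
        echo "smb.conf: 'idmap uid'/'idmap gid' are no longer used; set 'idmap config <DOMAIN>:range'"; rc=1
    fi
    if printf '%s\n' "$params" | grep -iq '^security = ads$' &&
       printf '%s\n' "$params" | grep -q '^password server = '; then
        echo "smb.conf: 'security = ads' should not be combined with 'password server'"; rc=1
    fi
    return $rc
}

# 0 if passwd and group lookups go through winbind (what getent passwd needs to
# list domain users), 1 if either database line is missing it.
check_nsswitch() {
    rc=0
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" ||
            { echo "nsswitch.conf: $db line does not include winbind"; rc=1; }
    done
    return $rc
}

# 0 if the PAM auth stack has a pam_winbind.so line, 1 if domain logins never reach winbind.
check_pam_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so' "$1"
}

# Usage: sh ad-member-lint.sh /etc/samba/smb.conf /etc/nsswitch.conf /etc/pam.d/common-auth
if [ "$#" -eq 3 ]; then
    check_smb_conf "$1"; check_nsswitch "$2"; check_pam_auth "$3" || echo "common-auth: no pam_winbind.so line"
fi
```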
Author: vocoder

Updated on September 18, 2022

Comments

  • vocoder, over 1 year ago

    I was on Ubuntu desktop 12.04 and had it joined to the domain using samba/winbind/krb5 - worked great without any issues, I could log onto my computer using my active directory account. I upgraded to 14.04 and it seems to have broken. It seems that 14.04 has upgraded to Samba4 and I'm not sure if that is the issue or not. I made a few changes to my smb.conf file that appear to be Samba4 changes - and that allows me to join to the domain using net ads join -U username - works fine...my computer is joined to the domain - and I can get a ticket using kerberos and see that it is valid. However when I log out of my local account and try to log back in using my domain account, it always tells me invalid password. Any ideas? After running testparm on my smb.conf file, it told me idmap uid and idmap gid are no longer used....and it also told me that "security=ads" combined with "password server" should not be combined. I'm wondering if that is the issue.

    edit: possibly has something to do with my pam.d files - I just did a clean installation of 14.04 and am unable to log in....it doesn't even ask me for my password...which goes away if I go back to the default pam files - here is what I have:

    /etc/pam.d/common-account:

        account sufficient pam_winbind.so
        account required pam_unix.so
    

    /etc/pam.d/common-auth:

        auth sufficient pam_winbind.so
        auth required pam_unix.so nullok_secure use_first_pass
    

    /etc/pam.d/common-password:

        password required pam_unix.so nullok obscure min=4 max=50 md5
    

    /etc/pam.d/common-session:

        session required pam_mkhomedir.so umask=0022 skel=/etc/skel
    

    here is my test /etc/samba/smb.conf:

        [global]
    
        workgroup = MYDOMAIN
        security = ADS
        realm = MYDOMAIN.COM
        netbios name = trusty
    
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 500-40000
    
        winbind nss info = rfc2307
        [test]
        path = /srv/samba/test
        read only = no
    

    and here is my /etc/krb5.conf

        [libdefaults]
        default_realm = MYDOMAIN.COM
        ticket_lifetime = 24000
        allow_weak_crypto = yes
        [realms]
        MYDOMAIN.COM = {
                kdc = my.domain.com
                admin_server = my.domain.com
                default_domain = MYDOMAIN.COM
        }
    
    
        [domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM
        [login]
        krb4_convert = true
        krb4_get_tickets = false
    

    /etc/nsswitch.conf

        passwd:         compat winbind
        group:          compat winbind
        shadow:         compat winbind
    
        hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
        networks:       files
    
        protocols:      db files
        services:       db files
        ethers:         db files
        rpc:            db files
    
        netgroup:       nis
    

    edit: one last thing.....I noticed if I type pam-auth-update, I don't see the ability to enable a pam profile for active directory or ldap...I swear that was there in 12.04...?

  • vocoder, about 10 years ago
    Installing libnss-winbind and libpam-winbind did make the option show up in pam-auth-update so at least that is a step in the right direction. Still unable to login with domain users though. I'm wondering if I need to create the symlinks that this page mentions (I'm guessing not, as I tried and still can't login) - wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
  • vocoder, about 10 years ago
    This appears in auth.log when trying to log in using a domain account:
  • vocoder, about 10 years ago

        Apr 25 11:59:28 mycomputer lightdm: pam_unix(lightdm:auth): check pass; user unknown
        Apr 25 11:59:28 mycomputer lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
        Apr 25 11:59:28 mycomputer lightdm: pam_winbind(lightdm:auth): getting password (0x00000388)
        Apr 25 11:59:28 mycomputer lightdm: pam_winbind(lightdm:auth): pam_get_item returned a password
        Apr 25 11:59:30 mycomputer lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory