Ubuntu :: ActiveDirectory Accounts Via Samba/winbind 64-bit?

Jun 23, 2010

We are using LucidLynx Linux, 64-bit, with ActiveDirectory accounts via samba/winbind 64-bit. I have 2 separate 32-bit applications: IBM MQ Toolkit (32-bit Java-based) and Acrobat Reader



Debian Configuration :: Winbind / Samba Authentication Causes Segmentation Fault

Apr 26, 2010

I added my Linux server to a Windows AD using winbind / samba. Everything worked just fine. After changing the OS to Debian lenny x64 I get a "segmentation fault" when trying to change user passwords. I am using the exact same configuration; on my 32-bit server everything works.

debian:~# passwd <user>
sgmentation fault
tail /var/log/syslog:
kernel: [689689.005934] passwd[11209]: segfault at 0 ip b7b84418 sp bfc37fc0 error 4 in pam_winbind.so[b7b7e000+b000]
Debian Lenny 5.0



CentOS 5 :: Get System-config-samba To 'see' Winbind Users And Groups

Jul 14, 2009

I have a Samba File Server that can authenticate users in my Windows AD to log into the server. Anyways, I have a good amount of Windows Admins on staff but our org wants to cut budget so our first "slash" as it were is cutting down the actual Windows based File Servers. So my question is, now that I have this test server up and authenticating for logins using Winbind... is there a way I can get system-config-samba to "see" winbind users and groups so that file servers can still be "point and click" for my Windows Admins?


Ubuntu Servers :: Use Samba+winbind To Authenticate Desktop Against A Windows 2008 R2 Domain

Aug 3, 2011

Intent is to use samba+winbind to authenticate Ubuntu desktop against a Windows 2008 R2 domain (seems like I was able to get it working temporarily but it stopped working after some time). Quick overview of the issue: winbind is failing to look up group IDs for a domain user, causing the domain user to receive group errors on login and an inability to use domain groups in other configuration (sudoers, etc.).

- Very basic install, boot to Ubuntu Desktop 10.04 LTS 64bit install, basic install options, perform software updates

- Following an Ubuntu AD HowTo [URL]

- Install kerberos, samba, winbind packages

- Make changes to krb5.conf, smb.conf, files in pam.d/ (to make the home directory and restrict login based on group membership, which works even in the half-working state but requires SID instead of text name)

After a reboot I can login as a domain account but I get the following error(s):

groups: cannot find name for group ID #####

##### is usually a number that ranges from 10000 to 10020, based on the smb.conf line regarding idmap. I will get multiple group errors (one for each group that the user belongs to that winbind can't look up for whatever reason; some groups can be resolved - see below). If I log out and then log in as a local user I can run the following command:

id username

The output returns something similar to the following:

uid=10002(username) gid=10003(domain users) groups=10003(domain users),10033,10032,10031,10030,10029,10028,10027,10026,10025,10024,10023,10022,10021(some group),10020,10019,10018(some other group),10017,10016,10015,10014,10013,10012,10011(some other other group),10010,10009,10008,10007

On a working system (Ubuntu 10.10 and when 10.04 decides to work) each group is followed by parentheses and the name of the group. This result clearly shows that some groups can be looked up but for some reason other groups are failing. An output of /var/log/samba/log.winbind produces the following entries (that are logged when you run the id command):

[2011/08/03 19:04:39, 1] winbindd/winbindd_ads.c:1137(lookup_groupmem)
lsa_lookupsids call failed with NT_STATUS_PIPE_BROKEN - retrying...
[2011/08/03 19:04:39, 1] winbindd/winbindd_ads.c:1137(lookup_groupmem)
lsa_lookupsids call failed with NT_STATUS_PIPE_BROKEN - retrying...

The above repeats for what looks to be each group that fails (based on count of entries). If I use wbinfo I can resolve text group name to SID and SID to GID:

wbinfo -n groupname (returns proper SID)
wbinfo -s SID (returns proper text group name)
wbinfo -Y SID (returns proper linux mapped group ID)

Following that process for a group that my user belongs to that is not resolving (via the id username command) will return the group ID (GID) properly (even though id username fails to look up info for that same GID).

Version Information:

uname -a
Linux hostname 2.6.32-33-generic #71-Ubuntu SMP Wed Jul 20 17:27:30 UTC 2011 x86_64 GNU/Linux
lsb_release -a
No LSB modules are available.



Fedora Installation :: Domain Users Logged Out On Login Using Winbind - Samba

Nov 12, 2010

Have recently set up Samba on a fresh install of Fedora 14 so that I can use it as a workstation in a Windows 2003 (win2k3) domain.

The install of Samba seems to have worked as I can connect to the Domain using ADS and kerberos. selinux and firewall have been disabled until I have it working 100%.

The problem lies when I try to login to Gnome or TTY. It begins to create the home directory for the domain user logging in but after a certain process Fedora logs the user out of the system.

Have looked through several log files (/var/log/messages, log.winbindd, log.winbindd-dc-connect) but am unable to debug it any further.

Have posted the config files below which show the Fedora machine is successfully connected to the domain as it lists its groups, users and validates logon credentials - it just won't logon!

Where I can go about debugging. Also if you need additional configs.


Red Hat / Fedora :: Samba Winbind Authentication With Windows 2003 - Multiple Server?

Jul 3, 2010

I've been searching around the web for help and have been really pulling my hair on this one. I have a Windows 2003 Server w/ AD on it. I have two Linux machines, both running the same version of RHEL 5 (compute-1, compute-4).

When I log into compute-1, and do an "id dhuynh", I get this:
uid=1501(dhuynh) gid=1500(domain users) groups=1500(domain users),2013(dusers),1501(certsvc_dcom_access),1507(BUILTIN+users)
When I log into compute-4, and do the same command, I get this:
uid=1500(dhuynh) gid=1504(domain users) groups=1504(domain users),1505(certsvc_dcom_access),1501(BUILTIN+users)

Notice that the uid and gid are different. How do I get them to be the same? This is affecting the file permissions in certain shared directories. I've checked /etc/samba/smb.conf and they are identical. I also checked /etc/nsswitch.conf and they are identical too.


CentOS 5 Server :: Samba 3.0.33-3.29.el5_5 + Winbind: Cannot Use UNIX Groups As Valid Users For Shares

Sep 11, 2010

I have set up a Centos5.5 VMWare guest with Samba and Winbind for Active Directory integration, using GUI tools. Authentication works flawlessly, with automatic home directory creation. What I want to achieve now is using local UNIX groups to control access to shared folders, to avoid bothering AD administrators with groups management. This is my smb.conf global section:

workgroup = COGITANS
password server = domainserver.hq.cogitans.it
security = ads


'finance' is a local UNIX group where I added user 'COGITANSalberto' (I also tried with 'alberto') as a secondary group (primary group is 'domain users' and it cannot be changed). I am sure the user is added, because it is listed in 'getent group'. If I specify user COGITANSalberto in valid users it works, i.e. only that user can access the share, the others get an NT_STATUS_ACCESS_DENIED error. But if I use +finance, access is denied to everybody, and this is the log:

[2010/09/11 14:12:37, 10] smbd/share_access.c:user_ok_token(211)
User COGITANSalberto not in 'valid users'
[2010/09/11 14:12:37, 2] smbd/service.c:make_connection_snum(617)
user 'COGITANSalberto' (from session setup) not permitted to access this share (finance)


It seems like winbind cannot recognize finance as a local group. For the same reason, I guess, 'force group = finance' does not work either (files are created with 'domain users' group ownership). My /etc/nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind

Grants and ownership on the '/repositories/shared/finance' folder are

root:domain users with permissions 775


Ubuntu Servers :: Samba PDC - Cannot Add Machine Accounts

May 4, 2010

I am unable to join a W2K or XP machine to a Samba PDC. I have tried to make this work on both 8.04 LTS and 10.04 LTS without success. Everything else works but I cannot add machine accounts "on the fly" using the "add machine script" as provided in the server guide. I have been able to make it work by enabling the root user but not as a user with admin privileges and sudo in the script. Despite multiple attempts including a new 10.04 install and following the instructions (in the 9.10 server guide) to the letter. Does anyone out there have a samba PDC actually running on Ubuntu and able to add machines on the fly without enabling the root account (i.e. using SUDO in the script and a user from the admin group)?


Ubuntu Networking :: Sync System Accounts With Samba?

Feb 3, 2010

What I want is to use the system accounts as the samba accounts. In school we have a project to simulate some sort of corporation with different platforms. I've created a map called shared and for authentication the users should only need to be a member of the group employees. (force group = groupname in smb.conf right?) Now, I don't want to create the users with smbpasswd -a because there are a lot of accounts and the users should be able to choose their own passwords. So, is it possible to sync the system accounts with samba and only use group as authentication?


Ubuntu Networking :: Mounting Samba Shares On A Box With Multiple User Accounts?

Jul 29, 2010

I set up samba file sharing to auto mount in fstab. Everything works great except when a computer has more than one user account.

The folders in mnt are owned by root and ownership changes to the first user account no matter what user logs in. So only the first user can edit files in the mounted share.

Anyone got a clue why this is happening? Seems the mount folders should be changing ownership to the user that is logged in.


Ubuntu Installation :: 8.04->10.04 Winbind Pam Reconfigure?

Aug 13, 2010

I have a samba server. I had manually configured pam to use winbind in 8.04. I'm pretty sure that when I did that I broke pam. I had no choice at the time, but in 10.04 there is a winbind pam module. How can I rewrite the pam configuration to use the default pam winbind configuration?


Ubuntu :: The Package Winbind Is Misbehaving?

Oct 11, 2010

For some reason the package winbind is misbehaving. A few upgrades ago I suddenly started getting this error message each time I try to upgrade or install winbind (or any other package).


john@john-desktop:~$ sudo apt-get upgrade
[sudo] password for johnny:
Reading package lists... Done



Software :: Winbind: Specify Which Dc It Should Use?

Dec 6, 2010

There are several DCs on our network, and winbind seems to use a win2008 one (found by wins maybe?), with which it has an incompatibility issue.

Can I specify somehow the ip address of the AD which winbind is allowed to use?

I have set "password server=<dc ip>" in smb.conf and it works now. I suspected that should be the right option to set, but the samba manual stating that option only takes effect with "security=ad" had misinformed me. Actually, it also takes effect with "security=domain".


Ubuntu Security :: SSH Login Attempts Using WINBIND ?

Oct 23, 2010

I have an SSH server on my laptop, and I'm using the default configuration file, but I added "AllowUsers <myUserName>". I get lots of login attempts like the ones below in my /var/log/auth.log. From Google, I find that pam_winbind allows some kind of Windows authentication. This leaves me with 2 questions. What does winbind do when I have not configured any Windows/Samba accounts? How can I turn it off?

Oct 23 20:01:49 muon sshd[24329]: User root from not allowed because not listed in AllowUsers



Ubuntu Networking :: Not Mounting Directory With Winbind?

Jan 18, 2011

I am trying to get an Ubuntu machine (client) onto a Windows Active Directory (domain). This I have done, and you can login using winbind to the client desktop no problems. However, I don't want the domain users' home directories on the client machine, so I have set up an Ubuntu server (samba) to hold the home directories. Now so far I have been able to set up a share which both Windows and Linux can read and write to with no passwords needed, and I have modified the /etc/fstab file on the client to mount the samba share on startup. However, if I login as a domain user it fails to create a home directory on the share with the following error:

"/mnt/home/admin2" does not exist

Now the main question is this: in fstab I have used a cred file stored in /usr/share/.smbcred which should be accessible by all users, right? I know I can put the creds into the fstab file but I can't find how, and it is just failing to mount when I try, so if you know how I will try that. Also, does fstab run before or after the home directory is created, as if it runs after then the cred file is working but the home directory is looking at a location which hasn't been mounted yet, or if fstab runs before then the location is not mounting right (hoping for second one)?

Ubuntu 10.04 desktop

[Samba Server]
Ubuntu 8.04 LTS Server

[Windows Active Directory]
Windows server 2003


Debian :: Slow Ping When Using Winbind

Oct 9, 2010

I have a NAS which I've re-installed with Debian. Mostly it's all working great but when I tell it to ping a NetBIOS name it takes 10 seconds per attempt rather than 1. Despite this it actually resolves the NetBIOS names very quickly (the first line from the ping including the IP address appears almost instantly); it just sits there for 10 secs every ping.

# ping -c3 qnap
PING qnap ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.175 ms
64 bytes from icmp_seq=2 ttl=64 time=0.167 ms
64 bytes from icmp_seq=3 ttl=64 time=0.158 ms

--- qnap ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 20036ms
rtt min/avg/max/mdev = 0.158/0.166/0.175/0.016 ms
# ping -c 3 [URL]
PING www.l.google.com ( 56(84) bytes of data.
64 bytes from lhr14s01-in-f104.1e100.net ( icmp_seq=1 ttl=49 time=40.3 ms
64 bytes from lhr14s01-in-f104.1e100.net ( icmp_seq=2 ttl=49 time=25.4 ms
64 bytes from lhr14s01-in-f104.1e100.net ( icmp_seq=3 ttl=49 time=25.7 ms
--- www.l.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2022ms
rtt min/avg/max/mdev = 25.491/30.518/40.313/6.926 ms

I'm really struggling to track down what may be causing this as it is strictly when resolving NetBIOS names yet it finds the IP immediately.


Red Hat / Fedora :: Winbind Keeps Writing Messages To Log?

Nov 17, 2010

I have a few Redhat 8 servers on which I have shut the winbind service off, yet I see lots of messages in the /var/log/messages log in regards to winbind. The messages I am seeing are

pam_winbind[25640]: write to socket failed!
pam_winbind[25640]: internal module error (retval = 3, user = `root'

There are a lot of these messages in the log.


General :: Unable To Start Winbind After Reboot

Jan 9, 2011

After adding the box to the domain I restarted the box; since then the Winbind service stops working and I'm not able to start it.

When I do Service Winbind Start it tells me FAILED.

What would cause the Winbind service to stop working?


CentOS 5 :: Winbind Auth With PXE Booted Diskless Clients

Apr 29, 2010

In short we are booting Centos 5.4 over PXE to a bunch of diskless clients. Once they are booted - we can login (as local root account) and RDP to windows machines using rdesktop as we require.

The next step of the project is to get user authentication to the Windows Domain controller working for the PXE image.

To do so - we continued with our physical install of Centos 5.4 (used to create the pxe image with rsync as per the wiki page for diskless clients) by following through this page. AD auth works perfect on this box (it has a local HDD install of centos obviously).

Once we rsync'd the changes over to the pxeboot location - and rebooted one of the diskless pxe clients - we get issues.

The issue is that winbind seems to start - however the file "/etc/samba/secrets.tdb" can't be read. We tried removing this file that the PXE clients use and recreating it using

touch /etc/samba/secrets.tdb


CentOS 5 Server :: How Do I Turn Winbind Authentication Off Or Vsftpd

May 25, 2011

How do I turn winbind authentication off or vsftpd. I keep getting these error messages in the /var/log/secure:

vsftpd: pam_winbind(vsftpd:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER.

I already tried remarking out different things in the config files. Is it safe to remark out the winbind stuff in /etc/pam.d/system-auth if we are using the smbclient to connect to a Windows share? Why you would want to use AD to authenticate users for something simple like FTP is beyond me. I merely want it to authenticate against local system users.


Debian :: Winbind Error After Reboot On Proxy Squid With Ntlm_auth

Oct 18, 2010

I'm running a squid server on debian lenny with ntlm_auth.

Everything is working good after following those two tutorials : [url] and [url]

As all was working perfectly I decided to reboot my server, and after reboot the ntlm-auth was not working anymore.

When I tried to run the command "wbinfo" with many options I had this error message "error looking up domain users" or "error looking up domain group" so I think that the problem deals with winbind module.

I know that proxy user needs rights and that after reboot the rights are reset, so this problem doesn't come from here.

And when I try to open IE with a client I have this "cache access denied" because the ntlm_auth wasn't done.

I tried to restart all services (samba,winbind,squid) without any success, only the "kinit" command is still working...

What is going on with winbind when the server is rebooted ?


CentOS 5 Server :: Winbind UID GID Maps Are Not Correct From Two Different Servers

Apr 8, 2010

Centos 5.4 64bit fully updated. What I am doing is vsftpd is set up and nfs shares are mounted to a NAS server which is running openfiler 2.3 fully updated. openfiler is winbind to AD and pulling users and groups over.

I have it confirmed working: when an ftp user connects, the username/password is authenticated against AD, which works. User can login and is directed to the user's folder on the nfs share.

Openfiler shows me UID and GID numbers for users and groups, centos also shows me UID and GID but they are different, which is causing permissions/quotas to not work right.

Both servers are setup with krb and winbind, openfiler has a more recent version of winbind.

Here is an example...

AD Users are

user UID of 160010 as an example
user1 UID 160011

When user logs into the vsftp server it works and chrooted into the directory for that user. When user uploads files I can upload but the UID in the ftp client shows 1600011 which is user1 UID

logging into windows to that share shows in the security tab that user1 uploaded the files.

Centos is mapping user as 160011
openfiler is mapping user as 160010
windows is showing the user1 in the security tab.

So it appears that centos is not mapping the right numbers to the right users and groups.

If you need details please ask for it and I will provide.

Both configs are nearly a match and I have made small changes to the config files smb.conf but it failed to resolve these issues so I reverted back. kinit works with authentication, getent works, wbinfo -a and -u works. wbinfo -u user shows different results on both servers, but authentication works user/password and I tried a different password to test.

Is this a known bug or a silly misconfiguration? I had authentication GUI tool configure the winbind stuff so it's all fairly standard on the centos machine and the openfiler gui configure winbind configs.


CentOS 5 Server :: Using Winbind With Win2003 R2 AD And Microsoft Identity Management For UNIX For UID/GID Mappings?

Nov 10, 2009

following situation and configuring authentication for Windows users on my CentOS clients please: IHAC WIN2003 R2 Domaincontroller with ALL my users and groups maintained there. For Usermapping (SID to UID/GID) I want to use IMU which is included with WIN2003 R2 srv and extends my Active Directory schema for UID, GID, NIS Domain etc. I want now to authenticate my Windows users on my CentOS clients via their "domainnameusername" and passwords on the CentOS clients.

I also have a NAS server which has usermapping integrated and resolves the Windows SIDs to the UID/GIDs configured within the IMU schema extensions. Now I have no idea how to set up my CentOS clients to use winbind, PAM and LDAP (IMU supports LDAP queries for UID/GID resolving) WITHOUT needing any Samba Server or functionality.

* Do I need to configure the smb.conf file because my usermapping is done on the NAS Server and I want to resolve my Windows Users/Groups UID/GIDs from IMU via LDAP?

* Do I (just) need to join the AD (2003 native) or even use Kerberos with generating ktpass.exe keytab files (what is needed/recommended and what is the difference?) Can I authenticate the users without using Kerberos?

For e.g. my username is "domainuser_a" and within the IMU the UID is set to "12345", I don't want Samba/winbind to do usermapping again based on the configured values in the smb.conf file. Some hints would be really nice for me to understand how exactly it works and what is needed...


CentOS 5 Server :: Centos + Winbind + Cyrus-IMAP

Apr 13, 2010

Recently I configured Postfix with Cyrus-Imap and it all worked fine unless I wanted to allow also AD users to use Squirrelmail. Currently AD users are able to logon to ssh server without any problems.

- wbinfo -u & -g is fine

- testsaslauth - passed

- telnet to localhost 143 + a LOGIN user password - passed

- cyradm shows active mailbox for particular user

imap i pam.d:

auth include system-auth
account include system-auth


Ubuntu :: Cannot Add Accounts In Thunderbird 3.1

Jan 14, 2010

After months of consideration I finally decided to replace TheBat with Thunderbird 3.1 but I did not get far as I cannot even add an account. I have some gmail accounts and when I try to add them, Thunderbird greenlights Incoming and outgoing servers, but then it circles endlessly at username. It happens with all my gmail accounts (IMAP is enabled).


Ubuntu One :: Several Accounts To One Machine ?

May 19, 2010

Can someone tell me if it is possible to add several ubuntu one accounts to one machine. If I for example have an ubuntu one account myself, and my work has one too, can I have my machine subscribed to both?


Ubuntu :: Ssh For Non System Accounts?

Jul 19, 2011

I currently have an ftp server set up using Ubuntu 10.04 and pureftpd with mysql as the backend. All the ftp users are "virtual users" that are stored in mysql. I want my existing users to be able to use scp to transfer files instead of ftp. As far as I know, you can only use ssh/scp if you have a system account. All of my virtual users use the same system account of "ftpuser".

Is it even possible for me to set up the users with scp access, even though they don't have an actual system account? I really don't want to set up system accounts for each user. I have a lot of ftp users and I plan on expanding that number, so adding system accounts isn't ideal, plus I feel like that will bring new security issues (researching chroot for ssh and how to lock down ssh).


Server :: Ubuntu 10.04 Samba + LDAP - Getting Samba To Work Properly

Sep 23, 2010

I'm having some trouble getting samba to work properly. I'm following this tutorial [URL] when I run

sudo smbclient -L localhost

I receive the following:

Enter root's password:
Anonymous login successful
Domain=[SAMBA] OS=[Unix] Server=[Samba 3.4.7]
tree connect failed: NT_STATUS_END_OF_FILE

I'm lost!


Ubuntu :: 3 User Accounts 1 Admin?

Feb 6, 2010

I'm installing a new laptop for a friend of mine and he wants 3 user accounts, similar to how he runs his windows setup.

1, an admin account, we have called this account peacemaker.
2. his account
3. an account for his girlfriend.

The problem we have is that if we want to do anything from the terminal that requires elevated privileges, sudo does not accept his password or that of peacemaker. We have done sudo -i -u peacemaker but it still doesn't accept either password, stating his account is not in the sudoers list.

I'm not a massive expert here, but research brought me to this page: [URL]... But that then just means his account has admin rights, which is what we were trying to avoid. We wanted a setup similar to windows where if you want to run something with elevated privileges it pops up asking for the admin password. This works in the gui, but not in the terminal.

So in short, my question is, is there any way of having the terminal accept peacemaker's user rights from his normal user account? If I add the account to the sudoers list like it suggests, does this again just give his account the privileges rather than saying supply me with the password for peacemaker?

This is probably not really needed and he can just have his account as the main user, but coming from a windows background, he would prefer the 3 user accounts model (2 normal users, 1 admin).


Ubuntu :: Any Way To Transfer Stuff Over To Different Accounts?

Feb 8, 2010

Is there a way to transfer over data from one account to another? I made a new account for my roommate but since we share the same data is there a way to transfer that over?


Copyrights 2005-15 www.BigResource.com, All rights reserved