Re: [Samba] wbinfo -a is failing

From: Tim Jordan <timothy_jordan@labor.state.ak.us>
Date: Tue Apr 13 2004 - 14:40:05 AKDT

Samba Team, could you please advise if I have broken security by making
the following changes... Thanks... TJ

This may or may not be applicable to your case but take a look at the
following I just did on my Mandrake box:

> [tim@localhost tim]$ wbinfo -a tim%secret
> plaintext password authentication succeeded
> challenge/response password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error messsage was: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.
> Could not authenticate user tim with challenge/response
> [tim@localhost tim]$ ls -l /var/cache/samba/w
> winbindd_cache.tdb winbindd_idmap.tdb winbindd_privileged
> [tim@localhost tim]$ ls -l /var/cache/samba/winbindd_privileged/
> ls: /var/cache/samba/winbindd_privileged/: Permission denied
>
> [tim@localhost tim]$ su
> Password:
>
> [root@localhost tim]# ls -l /var/cache/samba/
> total 6852
> drwxr-x--- 2 root root 4096 Apr 13 13:43 winbindd_privileged/
>
>

Once this worked I changed the group ownership to "Domain Admins". Then I tried again, no root this time, and it succeeded!

> [root@localhost tim]# chgrp "Domain Admins" /var/cache/samba/winbindd_privileged/
> [tim@localhost tim]$ ls -l /var/cache/samba/
> drwxrwx--- 2 root Domain Admins 4096 Apr 13 13:43 winbindd_privileged/
> [tim@localhost tim]$ wbinfo -a tim%secret
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>

I hope this helps.....TJ

On Tue, 2004-04-13 at 14:16, Jim Smith wrote:

> I have edited /etc/pam.d/login to include the following
>
> auth sufficient /lib/security/pam_winbind.so
>
> account sufficient /lib/security/pam_winbind.so
>
> but at that point I was still not able to use wbinfo -a but that also broke wbinfo -u and wbinfo -g
>
> I got the documentation from here.
>
> http://us3.samba.org/samba/docs/using_samba/ch09.html
>
>
>
>
>
> Jim
>
>
>
> ----- Original Message -----
> From: Tim Jordan <timothy_jordan@labor.state.ak.us>
> Date: Tue, 13 Apr 2004 11:29:50 -0800
> To: Jim Smith <elemint1@linuxmail.org>
> Subject: Re: [Samba] wbinfo -a is failing
>
> > Good winbindd is working.
> >
> > Here are notes from a server I configured about a year ago. This may help
> > in your case. I do know that some systems function differently with
> > pam. Also pam is very "touchy" - so you may have to tweak your configs
> > until it works.
> >
> > /etc/pam.d/login
> > auth required /lib/security/pam_securetty.so
> > auth required /lib/security/pam_nologin.so
> > auth sufficient /lib/security/pam_winbind.so
> > auth sufficient /lib/security/pam_env.so
> > auth required /lib/security/pam_unix.so use_first_pass nullok
> >
> > account sufficient /lib/security/pam_winbind.so
> > account sufficient /lib/security/pam_unix.so
> >
> >
> > /etc/pam.d/system-auth
> > auth required /lib/security/pam_env.so
> > auth sufficient /lib/security/pam_winbind.so
> > auth sufficient /lib/security/pam_unix.so use_first_pass nullok
> > use_first_pass
> > auth required /lib/security/pam_deny.so
> >
> > account sufficient /lib/security/pam_winbind.so
> > account sufficient /lib/security/pam_unix.so
> >
> >
> > I'll be here for another hour if I can help,
> > TJ
> >
> > On Tue, 2004-04-13 at 13:12, Jim Smith wrote:
> >
> > > wbinfo -u and wbinfo -g both work and report back the users and groups from the AD domain.
> > >
> > >
> > > Jim
> > > ----- Original Message -----
> > > From: Tim Jordan <timothy_jordan@labor.state.ak.us>
> > > Date: Tue, 13 Apr 2004 10:44:18 -0800
> > > To: Jim Smith <elemint1@linuxmail.org>
> > > Subject: Re: [Samba] wbinfo -a is failing
> > >
> > > > If you're going to logon with AD doing the authentication - then yes you
> > > > need to tweak your pam.d/login.
> > > >
> > > > You should be able to query the domain for users and groups if you
> > > > configured properly.
> > > > wbinfo -u
> > > > wbinfo -g
> > > >
> > > > Let me know,
> > > > TJ
> > > > On Tue, 2004-04-13 at 12:28, Jim Smith wrote:
> > > >
> > > > > I specified it in my smb.conf by password server = ip.address.of.MS.AD.server
> > > > >
> > > > > I have not edited my /etc/pam.d/login file maybe that is the problem...
> > > > >
> > > > > When I try to use wbinfo and I check tcpdump I do not see any traffic coming across to the AD server so it seems the traffic is not getting off the samba server and going to the AD server.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > Jim
> > > > > ----- Original Message -----
> > > > > From: Tim Jordan <timothy_jordan@labor.state.ak.us>
> > > > > Date: Tue, 13 Apr 2004 10:22:00 -0800
> > > > > To: Jim Smith <elemint1@linuxmail.org>
> > > > > Subject: Re: [Samba] wbinfo -a is failing
> > > > >
> > > > > > Jim, did you specify the password server in your smb.conf?
> > > > > >
> > > > > > On Tue, 2004-04-13 at 11:28, Jim Smith wrote:
> > > > > >
> > > > > > > I have been reading the FAQ and the online samba how to's and been googling to find out why wbinfo is failing on me.
> > > > > > >
> > > > > > >
> > > > > > > I am trying to use wbinfo -a domainname\\username%password to authenticate to my MS AD domain but what is happening is every time I try I get the following output.
> > > > > > >
> > > > > > > plaintext password authentication failed
> > > > > > > error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> > > > > > > error messsage was: No logon servers
> > > > > > > Could not authenticate user domain\username%password with plaintext password
> > > > > > > challenge/response password authentication failed
> > > > > > > error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> > > > > > > error messsage was: No logon servers
> > > > > > > Could not authenticate user doamin\username with challenge/response
> > > > > > >
> > > > > > >
> > > > > > > OS Debian
> > > > > > > Samba 3.0.2a-1
> > > > > > >
> > > > > > >
> > > > > > > Jim

Received on Tue Apr 13 14:39:57 2004
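
An added example, not part of the original message or of Samba: a check that compares the directory against the first listing in the message (`drwxr-x--- root root`) and reports the two differences visible in the second listing, the group and the group-write bit. It assumes GNU `stat`; the function name and its owner/group arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Compares a winbindd_privileged
# directory with the first listing in the message (drwxr-x--- root root).
# Assumes GNU coreutils stat(1); the owner/group arguments are hypothetical
# parameters so the check can be tried on a scratch directory.

audit_privileged_dir() {
    apd_dir=$1
    apd_want_owner=${2:-root}
    apd_want_group=${3:-root}
    apd_rc=0

    if [ -L "$apd_dir" ] || [ ! -d "$apd_dir" ]; then
        echo "FAIL $apd_dir: not a real directory"
        return 2
    fi

    # Separate stat calls: a group name such as "Domain Admins" has a space.
    apd_owner=$(stat -c %U "$apd_dir")
    apd_group=$(stat -c %G "$apd_dir")
    apd_mode=$(stat -c %a "$apd_dir")
    apd_perm=$((0$apd_mode))        # leading 0: parse as octal

    if [ "$apd_owner" != "$apd_want_owner" ]; then
        echo "FAIL owner is '$apd_owner', baseline '$apd_want_owner'"
        apd_rc=1
    fi
    if [ "$apd_group" != "$apd_want_group" ]; then
        # Access to this directory is what authorizes winbindd_pam_auth_crap.
        echo "WARN group is '$apd_group', baseline '$apd_want_group':" \
             "every member can make privileged winbindd requests"
        apd_rc=1
    fi
    if [ $((apd_perm & 020)) -ne 0 ]; then
        # Write on a directory lets members create, rename or delete entries.
        echo "FAIL mode $apd_mode is group-writable, baseline 750"
        apd_rc=1
    fi
    if [ $((apd_perm & 07)) -ne 0 ]; then
        echo "FAIL mode $apd_mode grants access to other users"
        apd_rc=1
    fi
    [ "$apd_rc" -eq 0 ] && echo "OK $apd_dir: $apd_owner:$apd_group $apd_mode"
    return "$apd_rc"
}

# Audit the path given on the command line, e.g. the one in the message.
if [ "$#" -gt 0 ]; then audit_privileged_dir "$@"; fi
```

Run as root against `/var/cache/samba/winbindd_privileged`, the return status is 0 for the baseline, 1 for any deviation and 2 if the path is missing or a symlink.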
