Re: ADS authentication & Samba/Winbind

1.  Yes, they are time synced.


2. That appears okay.

[root@newhou ~]# nslookup fdi-srvr1  (this is the PDC)
Server:         192.168.12.6
Address:        192.168.12.6#53

Name:   fdi-srvr1.fdi.com
Address: 192.168.12.6

[root@newhou ~]# nslookup 192.168.12.6
Server:         192.168.12.6
Address:        192.168.12.6#53

6.12.168.192.in-addr.arpa       name = fdi-srvr1.fdi.com.

+++++

[root@newhou ~]# nslookup 192.168.12.14
Server:         192.168.12.6
Address:        192.168.12.6#53

14.12.168.192.in-addr.arpa      name = newhou.fdi.com.



3. kinit - yes
[root@newhou ~]# kinit buddyj@xxxxxxx
Password for buddyj@xxxxxxx:
[root@newhou ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: buddyj@xxxxxxx

Valid starting     Expires            Service principal
11/01/06 08:43:59  11/01/06 18:44:02  krbtgt/FDI.COM@xxxxxxx
       renew until 11/02/06 08:43:59

From: Matthijs.Sneijders@xxxxxxxxxxxxxx
Reply-To: General Red Hat Linux discussion list <redhat-list@xxxxxxxxxx>
To: General Red Hat Linux discussion list <redhat-list@xxxxxxxxxx>
Subject: Re: ADS authentication & Samba/Winbind
Date: Wed, 1 Nov 2006 09:02:11 +0100

1. Is your time synced correctly?
2. Is DNS working correctly forward/reverse?
3. Can you get a ticket using kinit?

Matthijs


Matthijs Sneijders
CORUS Research, Development & Technology
Building 3G16 room 3-312
P.O. Box 10.000
1970 CA IJMUIDEN
phone  +31 (0)251-496400
fax    +31 (0)251-470064
mail   matthijs.sneijders@xxxxxxxxxxxxxx

"Buddy Jennings" <buddyj@xxxxxxx>
Sent by: redhat-list-bounces@redhat.com
31-10-2006 23:42
Please respond to General Red Hat Linux discussion list

To: redhat-list@xxxxxxxxxx
cc:
Subject: ADS authentication & Samba/Winbind




Sorry for the long post, but any help would be appreciated!

I have two RH AS4 boxes.  I have configured both to authenticate against my
Windows ADS.
The only difference between the machines is one is a 32-bit build and the
other is a 64-bit build.
Linux 64bit.mydomain.com 2.6.9-42.0.3.ELsmp #1 SMP Mon Sep 25 17:24:31 EDT
2006 x86_64 x86_64 x86_64 GNU/Linux
Linux 32bit.mydomains.com 2.6.9-42.0.3.ELsmp #1 SMP Mon Sep 25 17:28:02 EDT
2006 i686 i686 i386 GNU/Linux

Both machines allow domain users to log in to standard services, ssh or ftp
for example.
Home directories are created when they log in on either machine.
ntlm_auth and getent work on both systems.

My 32-bit machine will allow 3rd-party apps (those I've tested) to
authenticate the users, but the same apps fail to authenticate the same
users on the 64-bit machine.

I have compared the following files (they are the same bytes even!)
/etc/pam.d/system-auth
/etc/pam.d/squid
/etc/pam.d/samba
/etc/samba/smb.conf
/etc/hosts
/etc/sysconfig/iptables
/etc/sysconfig/samba
/etc/sysconfig/authconfig
/etc/sysconfig/network
/etc/sysconfig/squid
/etc/sysconfig/saslauthd
/etc/krb5.conf
/etc/nsswitch.conf
/etc/pam_smb.conf
/etc/log.d/conf/services/pam.conf

Both machines are running the same services.

In the /var/log/samba directory:
The smbd.log files are similar.
nmbd.log: The 32-bit machine promotes itself as local browser master, the
64-bit machine doesn't; otherwise all entries are the same.

/var/log/messages and /var/log/secure show the same sequence on login on
either machine.

A 3rd-party vendor gave me a utility, called caut, that calls pam-auth and
outputs debug info. Notice that the module called auth_etc_passwd passes on
32-bit but not on the 64-bit.

32-bit output (passwords x'd out!):

[root@ tmp]# ./caut

Authentication dump
service (eg "su") -
user name - mydomain\buddyj
password (will be echoed) - xxxxxx
auth_auth: debug 1 inline 0
auth_trusted: getspname did not find an entry for User mydomain\buddyj
auth_etc_passswd: getpwnam found entry for User mydomain\buddyj
     pw_name: buddyj
   pw_passwd: *
auth_check_passwd_crypt: FAILED (Standard crypt) *****
auth_check_passwd_crypt: Salt * passwd * crypt_result **XXXXXXXXXX
Calling pam_start
pam_start succeeded for service , user mydomain\buddyj
Calling pam_authenticate
[GUI]Authentication failure for mydomain\buddyj  (PAM Err# 7)
[Result]NOK
Authentication failure for mydomain\buddyj

64-bit output:
root@64bit  caut]# ./caut

Authentication dump
service (eg "su") -
user name - mydomain\buddyj
password (will be echoed) - xxxxx
auth_auth: debug 1 inline 0
auth_trusted: getspname did not find an entry for User mydomain\buddyj
auth_etc_passwd: getpwnam did not find an entry for User mydomain\buddyj
Calling pam_start
pam_start succeeded for service , user mydomain\buddyj
Calling pam_authenticate
[GUI]Authentication failure for mydomain\buddyj  (PAM Err# 7)
[Result]NOK
Authentication failure for mydomain\buddyj

I can't find any config difference!  How else can you determine
configuration differences between two machines?  Any suggestions?

I'll post a follow-up of the steps I used on both machines.

Thanx!
Buddy


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
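
An added example, not part of the original messages: the post compares
config files byte for byte, while the caut output differs at getpwnam, so one
further comparison is whether every NSS service on the passwd line of
nsswitch.conf has its glibc module present for both the 32-bit and the 64-bit
library directories. The libnss_<service>.so.2 naming, the /lib versus /lib64
layout, the function names and the constructed sample tree are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes glibc's NSS module naming
# (libnss_<service>.so.2) and the Red Hat multilib layout: 32-bit libraries
# in /lib and /usr/lib, 64-bit libraries in /lib64 and /usr/lib64.

# Services on the "passwd:" line, without comments or [STATUS=action] items.
passwd_services() {
    sed 's/#.*//' "$1" |
        awk '$1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }'
}

# Succeeds if any of the directories under root holds the module for the service.
has_module() {
    hm_root=$1; hm_svc=$2; shift 2
    for hm_dir in "$@"; do
        if [ -e "$hm_root/$hm_dir/libnss_$hm_svc.so.2" ]; then return 0; fi
    done
    return 1
}

# One line per service and ABI; an ABI with no library directory is skipped.
nss_module_report() {
    root=${1:-}
    for svc in $(passwd_services "$root/etc/nsswitch.conf"); do
        for abi in 32 64; do
            if [ "$abi" = 32 ]; then dirs="lib usr/lib"; else dirs="lib64 usr/lib64"; fi
            found=no
            for d in $dirs; do
                if [ -d "$root/$d" ]; then found=yes; fi
            done
            if [ "$found" = no ]; then continue; fi
            if has_module "$root" "$svc" $dirs; then state=present; else state=MISSING; fi
            echo "passwd/$svc ${abi}-bit $state"
        done
    done
}

# Constructed sample tree: winbind's module exists only for the 64-bit ABI.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/lib" "$t/lib64" "$t/usr/lib64"
    printf 'passwd: files winbind  # constructed sample\n' > "$t/etc/nsswitch.conf"
    touch "$t/lib/libnss_files.so.2" "$t/lib64/libnss_files.so.2" \
          "$t/usr/lib64/libnss_winbind.so.2"
    echo "$t"
}

tree=$(make_sample_tree); nss_module_report "$tree"; rm -rf "$tree"
```

Calling nss_module_report with no argument inspects the live system; the
output from the two hosts can then be compared with diff.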


