
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

3 votes
1 answers
9707 views
WBC_ERR_DOMAIN_NOT_FOUND only for a specific account
Platform: RHEL 5.10
Version: Samba 3.6.6-0.136

Only on a single VM, one of my co-workers is able to log into the VM using his AD credentials without issue, whereas my account appears to have trouble locating user information:

```
[root@ncxxxlwb05 ~]# wbinfo -i myDom.mjplakus
XXX.mjplakus:*:16777224:16777229::/home/XXX/mjplakus:/bin/bash
[root@ncxxxlwb05 ~]# wbinfo -i myDom.jadavis6
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user xxx.jadavis6
```

Thinking that winbind could have just cached a negative return (for instance, AD wasn't available when it had to refresh its cache entry for my user account), I set both `winbind cache time` and `idmap negative cache time` to 1 second, but I got the same results. Same results with the above cache values and doing `net cache flush` several times.

I didn't find anything in /var/log/samba/* under normal debug levels, so I set `debug level = 8` and this started being printed in the logs when I tried to resolve my name:

```
[2013/12/05 14:21:59.795061, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam myDom.jadavis6
[2013/12/05 14:21:59.795161, 1] ../librpc/ndr/ndr.c:414(ndr_pull_error)
  ndr_pull_error(13): value out of range
[2013/12/05 14:21:59.795219, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-652622394-3291385539-1351089441-10771: NT_STATUS_INVALID_PARAMETER
[2013/12/05 14:21:59.795391, 6] winbindd/winbindd.c:869(winbind_client_request_read)
  closing socket 29, client exited
```

This seems like it contains the actual problem, but I don't know how to read the error and would like some guidance on this. It seems like it doesn't like the SID associated with my AD account for some reason, but I don't know why or how to work around it. I'm present in the Active Directory domain referenced, but for some reason it's unable to pull only my account's information.
Bratchley (17244 rep)
Dec 5, 2013, 07:29 PM • Last activity: Apr 13, 2025, 10:04 AM
1 votes
1 answers
12991 views
Pam_unix sshd authentication failure even though the login works?
I have a server that is configured with winbind and samba to provide Active Directory authentication. The Active Directory integration works fine; however, whenever I authenticate I see the following errors:

## **Errors**

Authentication:
```
May 11 00:25:29 SERVER sshd[28119]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=USERNAME
```

Sudo:
```
May 11 01:33:14 SERVER sudo: pam_unix(sudo:auth): authentication failure; logname=USER_NAME uid=2005125 euid=0 tty=/dev/pts/2 ruser=USER_NAME rhost=  user=USER_NAME
```
## **Configuration**

/etc/samba/smb.conf:
[global]
        workgroup = WORKGROUP
        realm = DOMAIN NAME
        security = ADS
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = No
        winbind separator = +
        kerberos method = secrets and keytab
        idmap config * : backend = autorid
        idmap config * : range = 1000000-19999999
        idmap config * : rangesize = 1000000
        template shell = /bin/bash
        netbios name = SERVERNAME
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_winbind.so
/etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
sshd_config:
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
AuthorizedKeysFile .ssh/authorized_keys
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp  /usr/libexec/openssh/sftp-server
UsePrivilegeSeparation yes
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect
Banner /etc/motd
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
How can I get this log fixed?
Jay (111 rep)
May 11, 2020, 02:58 AM • Last activity: Apr 13, 2025, 08:08 AM
0 votes
0 answers
76 views
Samba Winbind in Trusted Forest can't enumerate group membership
Hello, I'm having a problem with a winbind Samba-joined computer. The system is unable to verify the group memberships in Forest B. All users from Forest B are only part of the "Domain Users" group; `id B\\USERNAME` returns only uid(b\username) and gid(b\domain users). However, once they log in to the system via SSH, the group memberships are correctly populated. A record is saved into the samlogon net cache with the respective SID and username. This limitation poses a problem if we want to restrict SSH access to specific users and groups. Have you encountered this issue or found a solution to it? https://unix.stackexchange.com/questions/536001/samba-winbind-how-to-authenticate-from-trusted-ad-domain-one-way-trust/790017?noredirect=1#comment1515924_790017
Talo (1 rep)
Jan 28, 2025, 08:36 AM • Last activity: Jan 28, 2025, 08:53 AM
1 votes
3 answers
10837 views
Samba winbind: how to authenticate from trusted AD domain (one-way trust)?
Hello, Linux newbie here.

**What I am trying to achieve:** to be able to log in to a Linux machine with Active Directory credentials from a trusted domain. I have the following setup:

```
+----------------+                  +---------------+     +-----------+
|   Forest B     |                  |   Forest A    |     | User in   |
|                |  one-way trust   |               |     | domain B  |
+   Domain B     +<-----------------+   Domain A    |     |           |
|   b.net        |                  |   a.net       |     +-----------+
|                |                  |               |
|                |                  |               |
+----------------+                  +-------+-------+
                                            |
                                            |
                                    +-------+-------+
                                    |               |
                                    | Ubuntu 16.04  |
                                    | samba 4.7.12  |
                                    |               |
                                    |               |
                                    +---------------+
```

I have successfully joined my Ubuntu 16.04 to Active Directory domain A with samba winbind, but I am unable to log in to the machine with a user account that exists in domain B. Domain A and domain B are Active Directory domains and they have a one-way trust, so that domain A trusts domain B, but domain B does not trust domain A.

Here are my smb.conf, krb5.conf and nsswitch.conf.

/etc/samba/smb.conf
```
[global]
workgroup = A
security = ADS
realm = A.NET
encrypt passwords = yes
idmap config *:range = 16777216-33554431
allow trusted domains = yes
winbind trusted domains only = no
kerberos method = secrets and keytab
winbind refresh tickets = yes
template shell = /bin/bash
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
```

/etc/krb5.conf
```
[libdefaults]
default_realm = A.NET
dns_lookup_kdc = false
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
ATHENA.MIT.EDU = {
    kdc = kerberos.mit.edu:88
    kdc = kerberos-1.mit.edu:88
    kdc = kerberos-2.mit.edu:88
    admin_server = kerberos.mit.edu
    default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
    kdc = kerberos.media.mit.edu
    admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
    kdc = casio.mit.edu
    kdc = seiko.mit.edu
    admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
    kdc = three-headed-dogcow.mit.edu:88
    kdc = three-headed-dogcow-1.mit.edu:88
    admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
    kdc = kerberos-1.csail.mit.edu
    kdc = kerberos-2.csail.mit.edu
    admin_server = kerberos.csail.mit.edu
    default_domain = csail.mit.edu
    krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
    kdc = kerberos.ihtfp.org
    admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
    kdc = kerberos.gnu.org
    kdc = kerberos-2.gnu.org
    kdc = kerberos-3.gnu.org
    admin_server = kerberos.gnu.org
}
1TS.ORG = {
    kdc = kerberos.1ts.org
    admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
    kdc = kerberos.gratuitous.org
    admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
    kdc = kerberos.doomcom.org
    admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
    kdc = kerberos.andrew.cmu.edu
    kdc = kerberos2.andrew.cmu.edu
    kdc = kerberos3.andrew.cmu.edu
    admin_server = kerberos.andrew.cmu.edu
    default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
    kdc = kerberos.cs.cmu.edu
    kdc = kerberos-2.srv.cs.cmu.edu
    admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
    kdc = kerberos.dementix.org
    kdc = kerberos2.dementix.org
    admin_server = kerberos.dementix.org
}
stanford.edu = {
    kdc = krb5auth1.stanford.edu
    kdc = krb5auth2.stanford.edu
    kdc = krb5auth3.stanford.edu
    master_kdc = krb5auth1.stanford.edu
    admin_server = krb5-admin.stanford.edu
    default_domain = stanford.edu
}
UTORONTO.CA = {
    kdc = kerberos1.utoronto.ca
    kdc = kerberos2.utoronto.ca
    kdc = kerberos3.utoronto.ca
    admin_server = kerberos1.utoronto.ca
    default_domain = utoronto.ca
}
A.NET = {
    admin_server = dc.a.net
    kdc = dc.a.net
}
B.NET = {
    admin_server = dc.b.net
    kdc = dc.b.net
}

[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
a.net = A.NET
.a.net = A.NET
b.net = B.NET
.b.net = .B.NET

[login]
krb4_convert = true
krb4_get_tickets = false
```

/etc/nsswitch.conf
```
passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
```

Most of the modifications are based on these instructions, though I added domain B to krb5.conf: https://docs.citrix.com/en-us/linux-virtual-delivery-agent/7-15-ltsr/installation-overview/ubuntu.html

I have tried the following wbinfo commands:

- **wbinfo --online-status** shows domain A online, but domain B offline.
- **wbinfo -n B\\administrator** returns a SID, and wbinfo -s SID returns the name.
- **wbinfo -m**: BUILTIN MYLINUX A B
- **wbinfo -K B\\user%password** returns the following error message:

```
wbcLogonUser(B\user): error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers are currently available to service the logon request.
Could not authenticate user [B\user%password] with Kerberos (ccache: FILE)
```

I would really appreciate it if someone could help me to solve this. How would I start to troubleshoot this issue?
randomuser56789 (11 rep)
Aug 17, 2019, 08:12 AM • Last activity: Jan 23, 2025, 09:59 AM
2 votes
1 answers
1806 views
Cannot logon to Ubuntu server using trusted domain AD credentials
I've got an AD domain-joined Ubuntu 22.04 server. I need to be able to log on to it using credentials from a trusted domain that is attached to the AD domain that the server is a member of. Logon is not working using the trusted domain credentials.

The following packages are installed: winbind, krb5-user, sssd-ad, samba

The domains are domain1.org and domain2.local. domain1.org is the domain that my server is joined to, and domain2.local is the trusted domain. I can log on using domain1.org creds, and all the following commands work:

```
ping domain1.org
ping domain2.local
id someuser@domain1.org
id someuser@domain2.local
wbinfo -i someuser@domain1.org
wbinfo -i someuser@domain2.local
wbinfo -n someuser@domain2.local
net cache flush
wbinfo --sid-to-uid
```

I am not able to log on to this Ubuntu server using domain2.local creds. I do have a Rocky Linux server that is set up pretty much the same way as this one, and I *am* able to log on using domain2.local creds.

Here are the samba, sssd, nsswitch, and krb5 configs:

/etc/samba/smb.conf
```
[global]
workgroup = DOMAIN1
realm = DOMAIN1.ORG
netbios name = MYTEST
security = ads
server signing = mandatory
client signing = mandatory
client lanman auth = no
min protocol = SMB2
client min protocol = SMB2
client max protocol = SMB3
restrict anonymous = 2
os level = 0
preferred master = no
local master = no
domain master = no
kerberos method = secrets and keytab
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
template homedir = /home/%D/%U
template shell = /bin/bash
map acl inherit = yes
nt acl support = yes
inherit acls = Yes
acl group control = yes
log level = 10
max log size = 10
log file = /var/log/samba/samba.log
winbind use default domain = yes
idmap config * : range = 1100-65534
idmap config * : backend = tdb
idmap config * : backend = autorid
idmap config * : range = 1000000-999999999
```

/etc/sssd/conf.d/sssd.conf
```
[sssd]
config_file_version = 2
domains = DOMAIN1.ORG
reconnection_retries = 3
services = nss, pam, ssh, autofs

[domain/DOMAIN1.ORG]
#debug_level = 9
ad_hostname = mytest.domain1.org
id_provider = ad
auth_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
default_shell = /bin/bash
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = DOMAIN1.ORG
fallback_homedir = /home/%u/%d
ad_domain = domain1.org
use_fully_qualified_names = False
case_sensitive = False
ad_gpo_ignore_unreadable = True
dyndns_update = true
dyndns_refresh_interval = 43200
ad_update_samba_machine_account_password = True

[nss]
filter_users = root

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
```

/etc/nsswitch.conf
```
passwd:         files winbind systemd sss
group:          files winbind systemd sss
shadow:         files sss
gshadow:        files
hosts:          files resolve dns
networks:       files
protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files
netgroup:       nis sss
automount:      sss
```

/etc/krb5.conf
```
[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
default_realm = DOMAIN1.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 1
```

I appreciate any and all comments and/or assistance. Thanks!
Redeye (23 rep)
Apr 6, 2023, 03:33 AM • Last activity: Apr 6, 2023, 10:27 AM
2 votes
0 answers
2374 views
Do we really need NSCD service running? What are the pros and cons?
We have a pretty mixed environment in terms of operating systems: SUSE 12/15, Oracle Linux 6/7/8, Red Hat 6/7/8 and a few others. We've been using Active Directory authentication for some time. For Linux clients, this authentication is done primarily using two types of integration:

- Most older systems use --> Samba + Winbind + NSCD
- Newer systems use --> Samba + SSSD (no NSCD here)

We've had issues with DNS caching and nscd was blamed for the problem. My question is: do we really need NSCD? What are the best practices for DNS caching? Our environment has around 4000 VMs (between Windows and Unix-like systems).
tmorais (31 rep)
Feb 27, 2023, 12:33 PM
0 votes
1 answers
730 views
how to join the domain the using winbind and samba with password in automation
I have installed samba and winbind on RHEL 8. I was trying to automate the domain join process as well. When I try it manually, it works as expected when we enter the password manually for "**service-user-account**" for the domain join. But I don't see any command to automate it with the password. I have tried the command below, but it is giving an error. I have put the *service account user and password in variables*.

**Command:**
```
net ads join -U $ad_user%$password
```

**error:**
```
Failed to join domain: failed to lookup DC info for domain 'example.com' over rpc: The attempted logon is invalid. This is either due to a bad username or authentication information.
```

**Kindly help me to automate this step**. Appreciate your kind support! Thanks, Uma
Uma (1 rep)
Sep 28, 2022, 01:21 PM • Last activity: Sep 29, 2022, 06:38 PM
3 votes
0 answers
337 views
pam_winbind is logging passwords
Occasionally, a systemd unit using a PAM module that uses pam_winbind logs a user's password.

Systemd unit log:
```
Mar 25 15:47:41 display-server node: pam_succeed_if(grooming:auth): requirement "user ingroup marketing department" not met by user "dispatch1"
Mar 25 15:47:41 display-server node: pam_succeed_if(grooming:auth): requirement "user ingroup dispatch users" was met by user "dispatch1"
Mar 25 15:47:41 display-server node: pam_winbind(grooming:auth): getting password (0x00004288)
Mar 25 15:47:41 display-server node: pam_winbind(grooming:auth): user 'dispatch1' granted access
Mar 25 15:47:41 display-server node: pam_winbind(grooming:auth): Received [] reply from application.
```

PAM module:
```
#%PAM-1.0
auth        [success=3 default=ignore]  pam_succeed_if.so user ingroup [marketing department]
auth        [success=2 default=ignore]  pam_succeed_if.so user ingroup [dispatch users]
auth        [success=1 default=ignore]  pam_succeed_if.so user ingroup [it department]
auth        requisite                   pam_deny.so
auth        [success=1 default=ignore]  pam_localuser.so
auth        [success=2 default=die]     pam_winbind.so
auth        [success=1 default=die]     pam_unix.so nullok
auth        requisite                   pam_deny.so
auth        optional                    pam_permit.so
auth        required                    pam_env.so
account     required                    pam_unix.so
account     [success=1 default=ignore]  pam_localuser.so
account     required                    pam_winbind.so
account     optional                    pam_permit.so
account     required                    pam_time.so
password    [success=1 default=ignore]  pam_localuser.so
password    [success=2 default=die]     pam_winbind.so
password    [success=1 default=die]     pam_unix.so sha512 shadow
password    requisite                   pam_deny.so
password    optional                    pam_permit.so
session     required                    pam_limits.so
session     required                    pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required                    pam_unix.so
session     [success=1 default=ignore]  pam_localuser.so
session     required                    pam_winbind.so
session     optional                    pam_permit.so
```

Is this an issue with my PAM module, an issue with pam_winbind, or something I should fix by adding `silent = yes` to pam_winbind.conf?
gnarly-line (41 rep)
Mar 29, 2017, 10:34 PM • Last activity: Jun 15, 2021, 05:37 PM
1 votes
1 answers
733 views
Winbind, what can cause corruption of cache?
I have a "working" Samba4 environment. I use the good old Winbind method; it works fine, but sometimes (after a Samba version upgrade, for example) the cache becomes "corrupt" and my user disappears.

```
wbinfo -i pinuser
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user pinuser
```

If I delete the cache files, the user magically appears:

```
find /var/lib/samba/ /var/cache/samba/ -name gencache.tdb -exec rm -vf {} \;
systemctl restart winbind.service
wbinfo -i pinuser
pinuser:*:10005:10016::/home/pinuser:/bin/bash
```

What can cause the cache corruption?
elbarna (13690 rep)
May 11, 2020, 08:33 PM • Last activity: Mar 3, 2021, 09:33 PM
0 votes
1 answers
388 views
AIX and winbind users, works fine all except for:""I have no name!"
I want winbind auth in AIX. Samba works fine:

```
wbinfo -g
cert publishers
dnsadmins
domain guests
group policy creator owners
domain computers
allowed rodc password replication group
domain controllers
domain users
ras and ias servers
denied rodc password replication group
read-only domain controllers
domain admins
enterprise read-only domain controllers
schema admins
enterprise admins
dnsupdateproxy
```

Also `wbinfo -i user` works:

```
wbinfo -i myuser
myuser:*:10003:10000::/home/myuser:/opt/freeware/bin/bash
```

I have configured the auth in this way: I modified the file /etc/security/users like this:

```
system = "compat or WINBIND"
```

I have also modified /usr/lib/security/methods.cfg:

```
WINBIND:
        program = /opt/freeware/lib/WINBIND.so
        program_64 = /opt/freeware/lib/WINBIND.so

NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64

DCE:
        program = /usr/lib/security/DCE
```

All commands work (ssh, lsuser, id, etc.), but in the shell prompt I get, for a non-winbind user:

```
nonwinbinduser@aix:~$
```

and for a winbind user:

```
I have no name!@aix:~$
```

What am I missing?
elbarna (13690 rep)
Nov 25, 2019, 01:02 AM • Last activity: Jan 27, 2021, 03:44 PM
1 votes
0 answers
621 views
Unable to use AD group names in pam_winbind.conf after recent updates
Since updating my CentOS 7 and RHEL 7 systems I am no longer able to use AD group names in my pam_winbind.conf. I am only able to use SIDs. The package version is samba-winbind-4.10.4-11.el7_8:0. I am unable to find any information indicating this was an expected change, or any workarounds/config changes to make it work again. Does anyone know a way to fix this so I don't need to reconfigure all of the systems in my entire environment? Thanks

```
Jun 1 04:01:05 gmfl1-pv-intr01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=USERNAME rhost=x.x.x.x user=USERNAME
Jun 1 04:01:05 gmfl1-pv-intr01 vsftpd: pam_winbind(vsftpd:auth): getting password (0x00000050)
Jun 1 04:01:05 gmfl1-pv-intr01 vsftpd: pam_winbind(vsftpd:auth): pam_get_item returned a password
Jun 1 04:01:05 gmfl1-pv-intr01 vsftpd: pam_winbind(vsftpd:auth): could not lookup name: GROUPNAME1
Jun 1 04:01:05 gmfl1-pv-intr01 vsftpd: pam_winbind(vsftpd:auth): cannot convert group GROUPNAME1 to sid, check if group GROUPNAME1 is valid group.
Jun 1 04:01:05 gmfl1-pv-intr01 vsftpd: pam_winbind(vsftpd:auth): could not lookup name: GROUPNAME2
Jun 1 04:01:05 gmfl1-pv-intr01 vsftpd: pam_winbind(vsftpd:auth): cannot convert group GROUPNAME2 to sid, check if group GROUPNAME2 is valid group.
Jun 1 04:01:05 gmfl1-pv-intr01 vsftpd: pam_winbind(vsftpd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: The attempted logon is invalid. This is either due to a bad username or authentication information.
Jun 1 04:01:05 gmfl1-pv-intr01 vsftpd: pam_winbind(vsftpd:auth): user 'USERNAME' denied access (incorrect password or invalid membership)
```
SeeJayEmm (431 rep)
Jun 1, 2020, 09:03 PM • Last activity: Jun 3, 2020, 06:04 PM
0 votes
1 answers
3463 views
How to use cached credentials in Samba/Winbind on Debian Buster?
While using Debian and Windows in mixed environments for a huge amount of time now, I am stuck on trying to use cached credentials for logging in within a domain environment. Once I have used the credentials to log in, I still want to log in when the machine isn't connected to the domain controller anymore. This behaviour is implemented by Windows clients, so that a laptop user can still log in. Only mount points can't be used unless a connection is there. I want to achieve the same on my Debian GNU/Linux client.

---

**Further explanation**

The workstation is using Debian Buster with GUI (Xorg, XFCE, LightDM) and Samba (Winbind). It's a pretty much default installation.

```
:~$ uname -a
Linux client-ph-wkst 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
:~$ sudo samba -V
Version 4.9.5-Debian
```

The workstation is successfully connected to a domain controller (Samba 4). Everything is working fine. I've been using this setup since Jessie and it's nice. All domain users can log in on that machine, have an auto-created home directory and so on. The only exception to that is the missing offline authentication. According to the Samba Wiki (https://wiki.samba.org/index.php/PAM_Offline_Authentication) the smb.conf has been modified to contain `winbind offline logon = yes`. While testing this, it works as expected. When setting winbind to offline manually (`sudo smbcontrol winbind offline`), I can verify that PAM is using cached credentials. Even by unplugging the cable physically I can achieve the same.

**Problem**

But when I unplug the cable and reboot the system, I can't log in. It hangs on the LightDM logon screen. I can switch to the console by pressing Ctrl+Alt+F1. I can log on with the system's root account, because this doesn't query the domain controller. When I look into the services as root I can see that nmbd is not running. By examining its logs with `journalctl -xe` I see that it's not starting because of *No local IPv4 non-loopback interfaces available*. The default network configuration tool in Debian's GUI installation is NetworkManager. With `nmcli general` I can see that I'm __not__ connected.

**Solution quick-and-dirty**

Without plugging in the cable physically, I manually activate the interface by entering `nmcli connection up pewpewdefaultconnection`. I restart the samba and nmbd services. Voilà! It's working. I can enter my credentials, even restart the lightdm service and enter everything with my cached credentials.

**Solution nice and clean to be found**

Since I don't want such an ugly solution as described before, I am asking you to help me. Is there anyone who has accomplished this in a clean way? I would really appreciate any help. I don't want to set up a script that makes the calls I described before, since they seem ugly. I'd prefer something in a configuration style if possible.

Note: I tried to use `auto eth0` in network interfaces and make it be grabbed by NetworkManager's configuration file with `managed=true`. This doesn't show any improvement.
Pewpew (123 rep)
Apr 23, 2020, 01:45 PM • Last activity: May 14, 2020, 06:20 AM
4 votes
0 answers
2353 views
Linux Authentication Flow (NSS -> PAM -> AD)
I am a new system administrator at an organization looking to understand the process flow of authentication in regards to how NSS, PAM and WINBIND work together. We've been having winbind-related problems, and I'd like to try and improve our configuration. Here are some key configuration files. Note I only copied small parts for the sake of brevity.

**/etc/ssh/sshd_config**
```
UsePAM yes
```

**/etc/nsswitch.conf**
```
passwd:     files ldap winbind
shadow:     files ldap winbind
group:      files ldap winbind
services:   files ldap
```

**/etc/pam.d/ssh**
```
auth    required    pam_env.so
auth    sufficient  pam_winbind.so
auth    sufficient  pam_krb5.so
auth    sufficient  pam_unix.so nullok
auth    required    pam_deny.so
```

As an example, let's say I try to SSH into a Linux system using an account that is in an AD domain. The Linux system is using winbind to interface with AD. Below is the flow of how **I think** this would work:

1. The SSH service receives a request to access it through port 22. The user enters their credentials.
2. Since the SSH service is configured to use PAM for authentication, it will reference "/etc/pam.d/ssh" to see what PAM modules are to be used.
3. In PAM, SSH is configured to try the 'pam_winbind.so' module first. This module's function is to query AD for authentication. If it is successful, that is sufficient to satisfy PAM, so it grants the user access. Otherwise, it continues down the list.

Where does NSS fit in on this process? I'm having a hard time understanding what NSS actually does. I thought it was a system which tells the OS where to look for certain "names". For example, if looking for a user account (using the nsswitch.conf file above), it will first look at the local "files". If the account information can't be found there, it will look to an "ldap" server, and then finally "winbind". But isn't this what PAM is doing? PAM is utilizing the 'pam_winbind.so' library to authenticate with whatever domain controller winbind is configured for.

Why do we need "winbind" listed in NSS? Perhaps this is for services that don't use PAM? Is it usually one or the other? Any transfer of knowledge here would be very appreciated!
azurepancake (201 rep)
Feb 19, 2016, 10:00 PM • Last activity: Mar 20, 2020, 09:05 AM
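The two layers the question is about can be walked through on the post's own config text. The following is an added illustration, not code from the post, from Linux-PAM or from Samba: PAM decides whether the login may proceed, and NSS (via nsswitch.conf) answers who the user is, which is what sshd needs before it can create a session. The PAM and nsswitch lines are copied from the question; the per-module outcomes, the `BACKENDS` table and the account names are constructed sample data, and the PAM control-flag semantics are simplified to the classic keywords.

```python
"""PAM answers "may this user log in?"; NSS answers "who is this user?"
(uid, gid, home, shell).  sshd with UsePAM needs both: a domain account that
pam_winbind accepts is still unusable if the passwd database cannot resolve
it, which is what the 'winbind' entry in nsswitch.conf provides.

Added illustration; not code from Linux-PAM or Samba.  Config text copied
from the question; outcomes and backend contents are constructed samples.
"""

PAM_SSH = """\
auth required   pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_krb5.so
auth sufficient pam_unix.so nullok
auth required   pam_deny.so
"""

NSSWITCH = """\
passwd:   files ldap winbind
shadow:   files ldap winbind
group:    files ldap winbind
services: files ldap
"""

# Constructed: what each NSS source would return for getpwnam(3).
BACKENDS = {
    "files":   {"alice": ("alice", 1000, 1000, "/home/alice", "/bin/bash")},
    "ldap":    {},
    "winbind": {"MYDOM\\bob": ("MYDOM\\bob", 10001, 10001,
                               "/home/MYDOM/bob", "/bin/bash")},
}


def parse_pam(text, facility="auth"):
    """Return [(control, module), ...] for one PAM facility, skipping comments."""
    stack = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == facility:
            stack.append((parts[1], parts[2]))
    return stack


def run_pam_auth(stack, outcomes):
    """Simplified Linux-PAM control flow.  outcomes: module -> True/False
    (unlisted modules fail).  required: failure remembered, stack continues;
    requisite: failure stops at once; sufficient: success stops with
    PAM_SUCCESS unless a required module already failed, failure ignored.
    Returns (granted, trace) with trace = modules actually consulted."""
    failed_required = any_success = False
    trace = []
    for control, module in stack:
        ok = bool(outcomes.get(module, False))
        trace.append((module, ok))
        if control in ("required", "requisite") and not ok:
            if control == "requisite":
                return False, trace
            failed_required = True
        elif control == "sufficient" and ok and not failed_required:
            return True, trace
        elif ok:
            any_success = True
    return any_success and not failed_required, trace


def parse_nsswitch(text):
    """Map each database name to its ordered list of sources."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, sources = line.partition(":")
            db[name.strip()] = sources.split()
    return db


def nss_lookup(sources, name, backends=BACKENDS):
    """glibc-style lookup: ask each source in order, first answer wins.
    Returns (source, entry), or (None, None) when every source says notfound."""
    for src in sources:
        entry = backends.get(src, {}).get(name)
        if entry is not None:
            return src, entry
    return None, None


def ssh_login(user, outcomes, passwd_sources):
    """What sshd (UsePAM yes) effectively does: PAM first, then getpwnam()."""
    granted, trace = run_pam_auth(parse_pam(PAM_SSH), outcomes)
    if not granted:
        return "denied-by-pam", trace
    src, entry = nss_lookup(passwd_sources, user)
    if entry is None:
        return "no-passwd-entry", trace   # PAM said yes, but no uid/home
    return "session", (src, entry)
```

Running `ssh_login("MYDOM\\bob", {...pam_winbind.so: True}, ["files", "ldap", "winbind"])` ends in a session resolved by the winbind source; the same call with `["files", "ldap"]` is refused after PAM has already accepted the password, because no source can turn the name into a passwd entry. That is the practical reason winbind (or sss) appears in both places: pam_winbind in the PAM stack and winbind in nsswitch.conf serve different layers, and services that only need identity (file ownership, `ls -l`, `id`) use the NSS layer without ever touching PAM.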
0 votes
0 answers
62 views
LDAP (Windows) login on Debian9
I've configured my Debian 9 with Kerberos 5, Samba and Winbind to log in on a Windows domain. All the configuration is already set and I've already tested it (it works!), but when I try to perform my login as a domain user, I cannot connect to the machine. I've tried these ways to log in:

IMPD\murilo.melo
IMPD.LOCAL\murilo.melo
murilo.melo
murilo.melo@IMPD
murilo.melo@IMPD.LOCAL

My relevant confs are:

nsswitch.conf

passwd: compat winbind
group: compat winbind

krb5.conf

[libdefaults]
default_realm = IMPD.LOCAL
[realms]
IMPD.LOCAL = {
kdc = srvdc01.impd.local
default_domain = impd.local
admin_server = srvdc01.impd.local
}
[domain_realm]
.impd.local = IMPD.LOCAL
impd.local = IMPD.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = false

ntp.conf

# Domain controller
server 10.100.0.1
restrict 10.100.0.1

hosts

127.0.0.1 debian.impd.local debsede localhost
127.0.1.1 debian
10.100.0.1 srvdc01.impd.local srvdc01

common-session

session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_winbind.so

smb.conf

[global]
workgroup = IMPD.LOCAL
server string = DEBSEDE01
netbios name = DEBSEDE
realm = IMPD.LOCAL
security = ads
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = IMPD

resolv.conf

# Generated by NetworkManager
search IMPD.LOCAL
nameserver 10.100.0.1
nameserver 10.100.0.2
nameserver 8.8.8.8

My problem is just the logon action in my domain; my Debian says:

> "Sorry, this isn't working. Please try again"

*I've already tried to use other users, like the user I used to log in on LDAP with net ads join.*

Login Report (with auditd)

============================================
# date time auid host term exe success event
============================================
1. 25-06-2019 11:53:42 murilo.melo ? ? /usr/lib/gdm3/gdm-session-worker no 10
2. 25-06-2019 11:53:56 IMPD\murilo.melo ? ? /usr/lib/gdm3/gdm-session-worker no 12
3. 25-06-2019 11:54:10 IMPD.LOCAL\murilo.melo ? ? /usr/lib/gdm3/gdm-session-worker no 14
4. 25-06-2019 11:54:24 murilo.melo ? ? /usr/lib/gdm3/gdm-session-worker no 16
5. 25-06-2019 11:54:36 murilo.melo@IMPD ? ? /usr/lib/gdm3/gdm-session-worker no 18
Murilo Melo (141 rep)
Jun 25, 2019, 01:29 PM • Last activity: Jun 25, 2019, 03:14 PM
1 votes
0 answers
1094 views
Debian Stretch: Samba Winbind Offline Logon Not working - kerberos keytab not persistent after reboot?
This is being tried on Debian stretch, referred to as 9.6 in /etc/debian_version. I'm in a Windows Domain environment with two 2012R2 controllers that have IDMU/Unix Attributes.

Other versions of stuff:

Samba version 4.5.12-Debian
winbindd version 4.5.12-Debian

Also installed: krb5-user libnss-winbind libpam-winbind oddjob-mkhomedir

I'm hoping I can log in with domain users at the default console user credential prompt. I've been trying ALL SORTS of stuff, but can't seem to get it to work. I think my issue is that kerberos keytabs aren't persistent after reboot?

I followed this guide on the official Wiki: https://wiki.samba.org/index.php/PAM_Offline_Authentication

I tried it with the default setting of /tmp/krb5cc but no luck - thought process is that this location is not persistent after reboot? So then I thought maybe I could get the keytab to save in another location besides /tmp, so I set the KRB5CACHE environment variable to a folder that's persistent - and I can get kinit to save there.

But I can't get the /etc/security/pam_winbind.conf user keytab info to save in a different folder. Even if I change

krb5_ccache_type = FILE:/my/persistent/location/krb5cc

it still always saves it as /tmp/krb5cc when I invoke:

# wbinfo -K DOMAIN\\username%password

I CAN get the response of:

plaintext kerberos password authentication for [WEBTOOL\avery%Person01] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0

but when I reboot it doesn't matter -- and ONLY if I invoke smbcontrol winbind offline - the /etc/samba/smb.conf param winbind offline logon = yes does not seem to work, even though it's set.

(and yes, I have reset samba and winbind using /etc/init.d and systemctl after editing .conf files, not to mention rebooting over and over again to try the offline winbind login)

I even tried giving my domain user a UNIX passwd. Not even that worked.

So what's up? Does anybody have login working for domain users after reboot?
Avery Freeman (203 rep)
Dec 4, 2018, 07:15 PM • Last activity: Jan 2, 2019, 03:19 PM
-1 votes
1 answers
2879 views
Unable to change home folder setting in Samba/Winbind
I'm using a Debian 8 server at work. Recently, I used Samba and Winbind to join it to the domain. This domain is managed by Active Directory on a Windows Server machine. This all works: domain users can SSH into the server with their AD passwords, wbinfo gives me domain groups or users, and so on. I even get domain groups when I use the "groups" command on local Debian users who also have domain accounts.

Here's the problem. When I set all this up, I thought I wanted to put all newcomers to the server in /home/domain/username, so I set up my smb.conf file accordingly. Now, though, I've changed my mind thanks to an Nginx setup I won't go into here. I want users to go to /home/username instead. I've updated smb.conf, but my new setting won't take effect.

The first user I've been testing all this on is me, but I'm an admin for the domain. I needed a non-admin user, so chose someone who works just down the hall. She logged in before I made the change, and, as you'd expect, was given a /home/domain/username folder. Now that I've decided not to use the domain folder for home directories, though, I want to move her home folder to /home/username. The Nginx thing makes it important that this happens. I also want this to happen for all future users who get on the server, but everyone is currently stuck in /home/domain/username instead.

I've so far tried usermod, but that fails because, as a domain user, this test user is not in the local system at all, so there's no entry in /etc/passwd. I've tried username, domain\\username, domain\\\\username, and other variants. My winbind separator is indeed backslash. I knew none of this would work, since passwd has no record of this user at all, but I tried just the same.

I've also tried moving the user's home folder where I want it, so her old folder is gone, then having her log in. I hoped Samba would find no home folder, see my new template telling it where to place users, and go to /home/username. Instead, it created /home/domain/username again, and put her in there.

I'm having her log in over SSH. When I run getent passwd I get all the domain users and groups, but all of them show home folders of /home/domain/username instead of /home/username. Yet, in smb.conf, I have this in the [globals] section:

template homedir = /home/%U

I've restarted Samba several times. I've even made these changes to sssd and restarted that, although I'm not using sssd. I restarted ssh just to be sure. I now know why my test user won't move, but that only showed me that all users will have this problem. Indeed, when I had a second user log in over SSH using domain credentials, she, too, went to /home/domain/username. Nothing has worked so far.

I don't know what else I should try in order to get the home folder setting how I want it. Can anyone spot anything I might have missed: a setting, something to restart, anything? I'm new to using Linux on a domain, so have cobbled my current setup together from many online articles and forums. It works, but I don't know enough about it to troubleshoot extensively. If I've missed telling you any important details, let me know.
AH16 (109 rep)
Oct 1, 2018, 10:07 PM • Last activity: Dec 31, 2018, 12:01 PM
3 votes
1 answers
2650 views
Active Directory UID Mapping to Specific Unix UIDs
I really don't understand the translation of Active Directory UIDs Mapping to Unix UIDs. When a person logs in with their AD credentials how does winbind understand that it needs to map that AD UID to a specific Unix UID, which is tied to a home directory and their personal files. All I see in config files is that winbind specifies a range of UIDs that can be used, and that's about it.
user157289 (33 rep)
Feb 19, 2016, 12:54 PM • Last activity: Nov 20, 2018, 09:46 PM
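The "range" the question mentions is only half of the picture: which idmap backend is configured for the domain decides how a SID's RID becomes a uid inside that range. The following is an added illustration for this question, not Samba code and not from the post, of the three backends a practitioner most often meets; the mapping rules follow the idmap_rid(8), idmap_ad(8) and idmap_tdb(8) man pages, while the domain SID, ranges, account names and uidNumber values are constructed sample data.

```python
"""How winbind turns a Windows SID into a Unix uid under three idmap backends.

Added illustration; not Samba code.  SIDs, ranges and the RFC2307 'Unix
Attributes' below are constructed sample values.
"""
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Split 'S-1-5-21-<a>-<b>-<c>-<RID>' into (domain_sid, rid)."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % (sid,))
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def idmap_rid(sid, low, high):
    """idmap_rid: algorithmic, uid = RID + low end of 'idmap config DOM : range'.
    Same answer on every host that uses the same range, no state to keep;
    a RID that lands above the range is refused, not mapped."""
    _, rid = parse_sid(sid)
    uid = low + rid
    if not low <= uid <= high:
        raise ValueError("%s -> %d is outside %d-%d" % (sid, uid, low, high))
    return uid


def idmap_ad(sid, directory, low, high):
    """idmap_ad: read uidNumber stored on the AD object (RFC2307 schema).
    The range is still enforced; an object without uidNumber gets no mapping,
    so that user simply does not exist on the Unix side."""
    uid = directory.get(sid, {}).get("uidNumber")
    if uid is None or not low <= uid <= high:
        return None
    return uid


class IdmapTdb:
    """idmap_tdb-style allocation: the first time a SID is seen, take the next
    free id from the range and remember it.  The mapping lives only in this
    table (winbindd_idmap.tdb on disk), so two hosts, or one host whose tdb
    was deleted, will not agree on the uid for the same account."""

    def __init__(self, low, high):
        self.low, self.high = low, high
        self.table = {}
        self.next_free = low

    def lookup(self, sid):
        parse_sid(sid)                       # reject malformed input early
        if sid not in self.table:
            if self.next_free > self.high:
                raise ValueError("idmap range %d-%d exhausted" % (self.low, self.high))
            self.table[sid] = self.next_free
            self.next_free += 1
        return self.table[sid]


# Constructed sample directory: two accounts, only one with Unix Attributes.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DIRECTORY = {
    DOMAIN_SID + "-1105": {"sAMAccountName": "alice", "uidNumber": 5001},
    DOMAIN_SID + "-1106": {"sAMAccountName": "bob"},
}
```

The practical consequence for home directories and file ownership: with `rid` or `ad` the uid is reproducible, so a user's files keep the same owner on every joined host; with the allocating `tdb` backend the uid is whatever was free when that host first saw the SID, which is why uids drift between machines unless the mapping database is shared or the backend is changed.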
4 votes
0 answers
9836 views
Samba can't fetch domain SID after joining AD domain
This is my scenario: I have a CentOS 7.5 server which must act as a file server and allow AD-integrated authentication for Samba access, without the need to create local users with smbpasswd.

Samba Version 4.7.1
SSSD Version 1.16.0

What I've done so far: Joined my linux server to my AD domain using realmd (client-software=sssd) and configured Samba to serve shares.

Upon completing these steps, I have the following problem: Can't authenticate domain users accessing Samba shares because Samba logs complain that it "Failed to fetch domain SID for MYDOMAIN". net getdomainsid shows the SID for the local machine, but also reports that "Could not fetch domain SID".

I found a workaround to solve this by either:

1. Leaving the domain then joining again with realmd (but this time with client-software=winbind);
2. Manually setting the SID with net setdomainsid

Both approaches will set the domain SID for Samba and allow me to use AD authentication. So, I would like to know why it is that joining the domain with client-software=winbind sets this domain SID, while joining with client-software=sssd doesn't. And finally: **is there a way to make sssd automatically set this domain SID for Samba while joining the domain?**
Reinaldo Gomes (91 rep)
Sep 27, 2018, 04:39 PM • Last activity: Sep 27, 2018, 05:26 PM
1 votes
0 answers
132 views
About connecting to Active Directory from CentOS7
I've searched several videos on YouTube, articles on other Stack Exchange sites, and some blogs, but I couldn't get this done yet. My environment is Windows Server 2012 RC and CentOS 7.
1. I succeeded in making an Active Directory and promoting it to Domain Controller.
2. I created a user and a group in Active Directory and set up the Unix Attributes for UID and GID.
3. I can send a ping to the domain controller from the linux.
4. I succeeded in joining the realm of the domain controller (using the realm join command).
5. Also, I can see the realm list.
6. I can see the kerberos ticket with "klist" command.
7. I installed the DNS in the domain controller as well and can see the result from nslookup.
8. I can see the linux hostname in the Active Directory Users and Computers tab.
9. I succeeded in matching the time of Linux with that of Windows using the ntpdate command.
I followed almost all the information I could find, but still I can't search for the Active Directory user from my Linux machine.
[root@test1 ~] su - pamtest@korea.com
su: user pamtest@korea.com does not exist

[root@test1 ~]# id pamtest
id: pamtest: no such user

[root@test1 ~]# id pamtest@korea.com
id: pamtest@korea.com: no such user
What do I have to do to solve this? I'm using sssd instead of winbind. I didn't touch any configuration on Linux such as sssd.conf. It's really difficult for me to solve this. Please let me know anything you might doubt from the list of what I did.
owcred601 (35 rep)
Jul 17, 2018, 01:20 PM • Last activity: Jul 17, 2018, 03:13 PM
2 votes
1 answers
9750 views
Connecting to Active Directory (possibly with winbind)
I'm trying to figure out how to integrate a Linux environment's authentication system with Windows Server 2012, and I found a way using winbind. I've searched Google and there are several pages that introduce how to do it, from synchronizing the time to configuring some config files. I set the hostname and hosts in Linux as follows.
[/etc/hosts]
192.168.XXX.XX1 test1.example.com example ## Windows IP
192.168.XXX.XX2 test1 ## Linux IP

[/etc/hostname]
test1
I set up an Active Directory which has the following properties, and there are two accounts.
Computer name : TEST1
Domain        : example.com
Account1      : Administrator
Account2      : tester1
So, I set the Linux environment's DNS to the AD's IP address. The info can be checked in "resolv.conf".
[root ~]# nslookup example.com
Server:		192.168.xxx.xx1
Address:	192.168.xxx.xx1#53

Name:	example.com
Address: 192.168.xxx.xxx
In "nsswitch.conf", I added the 'winbind' word only next to 'files'.
passwd:     files winbind
shadow:     files sss winbind
group:      files winbind
In "krb5.conf", I changed the lookup part and default realm.
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
default_realm = EXAMPLE.COM
[realms]
DOMAIN.COM = {
  kdc = example.com
  admin_server = example.com
}
[domain_realm]
.domain.com = EXAMPLE.COM
domain.com = EXAMPLE.COM
And finally, I set up smb.conf. However, there are lots of different ways to set this up, so I'm not sure; I just selected one of the Google pages. When I tried to connect to Windows Server with the "administrator" id, it showed the following error:
[root ~]# net ads join -U Administrator
gse_get_client_auth_token: gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Message stream modified](2529638953)
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/test1.example.com with user[Administrator] realm[EXAMPLE.COM]: The attempted logon is invalid. This is either due to a bad username or authentication information.
Failed to join domain: failed to connect to AD: The attempted logon is invalid. This is either due to a bad username or authentication information.
I'm stuck at this step, and I can't find a way to solve it on Google. Do I need to edit some files in /etc/pam.d? After using the tool 'testparm' on smb.conf, I can't find any problems, but now it shows the following message when I use "net ads testjoin".
ads_connect: No logon servers are currently available to service the logon request.
owcred601 (35 rep)
Jun 21, 2018, 06:36 AM • Last activity: Jul 4, 2018, 06:34 PM