# Samba (winbind) integration into an Active Directory domain

## MasterC

Hello,

I have an existing Active Directory domain with a couple hundred users.  I am trying to set up our Linux (Gentoo specifically) servers to allow "seamless" login integration at the console, via ssh and possibly using smbmount.

I think I've got it pretty close, but seem to be missing something.  When my test user logs in at the console, a home directory is created for them, the console throws up the last login information, and then immediately logs them back out.

(I can't paste the console output) but...

via ssh:

```
user@server-gentoo ~ $ ssh -l ctest 155.98.115.163
Password: 
Last login: Wed Sep 26 11:34:02 2007 from 155.98.115.235
Connection to 155.98.115.163 closed.
user@server-gentoo ~ $ 
```

I've searched the log files (messages, log.smbd/nmbd/winbind) but don't see anything blatantly obvious.  I followed the Samba docs, and have since tried variations that are abundant around the web.

Technical bits:

I'm authenticating via kerberos using winbind against an Active Directory implementation on top of a Windows 2003-r2 server.  I'm running a fresh up-to-date (as of today) install of gentoo (not ~x86, just x86) 2.6.22-r5, samba 3.0.24-r3, pam 0.78-r5

My smb.conf is:

```
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.COM
    security = ADS
    password server = MYACTIVEDIRECTORYSERVER.MYDOMAIN.COM
    log level = 2
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
```

A snippet from my log file, first I log in as a domain user, then I log in as a local user:

```
(user login)
Sep 26 11:28:22 gentoo-AD pam_winbind[28497]: user 'ctest' granted access
Sep 26 11:28:22 gentoo-AD pam_winbind[28497]: user 'ctest' OK
Sep 26 11:28:22 gentoo-AD pam_winbind[28497]: user 'ctest' granted access
Sep 26 11:28:22 gentoo-AD login[28497]: pam_unix(login:session): session opened for user ctest by root(uid=0)
Sep 26 11:28:22 gentoo-AD login[28497]: pam_unix(login:session): session closed for user ctest

(root login)
Sep 26 11:28:28 gentoo-AD pam_winbind[28509]: request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
Sep 26 11:28:28 gentoo-AD login[28509]: pam_tally(login:auth): unknown option: no_magic_root
Sep 26 11:28:31 gentoo-AD pam_winbind[28509]: request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
Sep 26 11:28:34 gentoo-AD pam_winbind[28509]: request failed, but PAM error 0!
Sep 26 11:28:34 gentoo-AD pam_winbind[28509]: internal module error (retval = 3, user = `root')
Sep 26 11:28:34 gentoo-AD login[28509]: pam_tally(login:account): option deny=0 allowed in auth phase only
Sep 26 11:28:34 gentoo-AD login[28509]: pam_tally(login:account): unknown option: no_magic_root
Sep 26 11:28:34 gentoo-AD login[28509]: pam_tally(login:setcred): unknown option: no_magic_root
Sep 26 11:28:34 gentoo-AD login[28509]: pam_unix(login:session): session opened for user root by ctest(uid=0)
Sep 26 11:28:34 gentoo-AD login[28516]: ROOT LOGIN  on 'tty3'
```

As you can see, PAM is pretty pissed off at that local user, but seems fairly happy with the domain user, yet immediately logs them off.  The local user (I chose root) actually has to provide their password thrice in order to be logged in, but they do get a prompt after the third password.

Here's my other files of interest

pam.d/login

```
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       required     pam_tally.so file=/var/log/faillog onerr=succeed no_magic_root
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       include      system-auth

account    required     pam_access.so
account    include      system-auth
account    required     pam_tally.so deny=0 file=/var/log/faillog onerr=succeed no_magic_root

password   include      system-auth

session    required     pam_env.so
session    optional     pam_lastlog.so
session    optional     pam_motd.so motd=/etc/motd
session    optional     pam_mail.so
session    include      system-auth
```

pam.d/system-auth

```
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so

account    sufficient   pam_winbind.so
account    required     pam_unix.so

# This can be used only if you enabled the cracklib USE flag
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
# This can be used only if you enabled the cracklib USE flag
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
# This can be used only if you enabled the !cracklib USE flag
# password   sufficient pam_unix.so try_first_pass nullok md5 shadow
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
```

nsswitch.conf

```
passwd:      compat winbind
shadow:      compat
group:       compat winbind

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
```

Any help is much appreciated.  I'm trying to understand PAM as it seems that is where my real "problem" lies...

Thanks!

-Chad

----------
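The two symptoms in the post above (a domain user whose session closes right after "Last login", and a local user who is asked for a password three times) are both things that can be checked from a shell before touching the configuration. The script below is an added example, not part of the original post and not Samba's or Gentoo's own tooling. It does two things: it reads a passwd(5) line of the form `getent passwd ctest` returns and checks whether the login shell is one that can keep a session alive (with no `template shell` in smb.conf, Samba 3 reports its default `/bin/false`, which `pam_shells.so` accepts if it is listed in `/etc/shells` and which exits the moment the session opens), and it walks the `auth` lines of a PAM file, following `include`, counting the `pam_winbind`/`pam_unix` entries that lack `try_first_pass`/`use_first_pass` and therefore each prompt for a password on their own. The passwd line, the `/etc/shells` contents and the PAM files it writes to a temporary directory are constructed from the post; the "fixed" stack it compares against is my own suggestion (one `pam_winbind` entry, `try_first_pass` on `pam_unix`, and the `no_magic_root` option that the posted log reports as unknown left out), not something the thread confirms.

```shell
#!/bin/sh
# Added example (not from the post): two checks for a winbind login that
# authenticates but cannot keep a session, and for a PAM auth stack that
# asks for the password more than once.
set -eu

# --- 1. Does the account's login shell keep a session alive? ----------
# Constructed: what `getent passwd ctest` returns when smb.conf sets no
# `template shell`, so winbind reports Samba 3's default, /bin/false.
SAMPLE_PASSWD='ctest:*:10000:10000:Chad Test:/home/MYDOMAIN/ctest:/bin/false'
# Constructed /etc/shells that lists /bin/false: with that entry
# pam_shells.so accepts the login and the shell then exits at once.
SAMPLE_SHELLS='/bin/sh
/bin/bash
/bin/false'

# Print the login shell (7th field) of a passwd(5) line.
login_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Return 0 if the shell is listed in the given /etc/shells contents and is
# not one of the shells whose only job is to refuse a session.
shell_keeps_session() {
    sh=$(login_shell "$1")
    case "$sh" in
        ''|/bin/false|/sbin/nologin|/usr/sbin/nologin) return 1 ;;
    esac
    printf '%s\n' "$2" | grep -qx -- "$sh"
}

# --- 2. How many auth modules will prompt for a password? -------------
# Walks the `auth` lines of PAM file $1, following `include` relative to
# directory $2, and counts pam_winbind/pam_unix entries that lack
# try_first_pass/use_first_pass: each of those prompts on its own.
count_password_prompts() {
    awk -v dir="$2" -v start="$1" '
    function walk(path,   line, f) {
        while ((getline line < path) > 0) {
            if (line ~ /^[ \t]*#/) continue
            split(line, f)
            if (f[1] != "auth") continue
            if (f[2] == "include") { walk(dir "/" f[3]); continue }
            if (f[3] ~ /pam_(winbind|unix)\.so/ && line !~ /(try|use)_first_pass/) n++
        }
        close(path)
    }
    BEGIN { walk(dir "/" start); print n + 0 }'
}

# Constructed copies of the auth sections from the post, plus a variant
# with a single pam_winbind entry and try_first_pass on pam_unix (my
# suggestion, not something the thread confirms; no_magic_root dropped
# because the posted log reports it as an unknown option). The files go
# to a temp dir so `include system-auth` can be resolved.
PAMDIR=$(mktemp -d)
trap 'rm -rf "$PAMDIR"' EXIT
cat > "$PAMDIR/login" <<'EOF'
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       required     pam_tally.so file=/var/log/faillog onerr=succeed no_magic_root
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       include      system-auth
EOF
cat > "$PAMDIR/system-auth" <<'EOF'
auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so
EOF
cat > "$PAMDIR/login-fixed" <<'EOF'
auth       required     pam_securetty.so
auth       required     pam_tally.so file=/var/log/faillog onerr=succeed
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       include      system-auth-fixed
EOF
cat > "$PAMDIR/system-auth-fixed" <<'EOF'
auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so likeauth nullok try_first_pass
auth       required     pam_deny.so
EOF

if shell_keeps_session "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"; then
    echo "shell $(login_shell "$SAMPLE_PASSWD"): ok"
else
    echo "shell $(login_shell "$SAMPLE_PASSWD"): session ends at once; set 'template shell' in smb.conf"
fi
echo "password prompts, posted stack: $(count_password_prompts login "$PAMDIR")"
echo "password prompts, fixed stack:  $(count_password_prompts login-fixed "$PAMDIR")"
```

On a real host, feed `shell_keeps_session` the output of `getent passwd ctest` and the contents of `/etc/shells`, and point `count_password_prompts` at `/etc/pam.d`; the posted stack counts three prompting modules (`pam_winbind` in login, then `pam_winbind` and `pam_unix` again via `system-auth`), which matches the three password prompts the post describes for root.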

## hexstar

Hello, I recommend reading this: http://www.wlug.org.nz/ActiveDirectorySamba and/or this: http://www.enterprisenetworkingplanet.com/netos/article.php/3487081 ...more reading here: http://www.google.com/search?hl=en&q=samba+active+directory&btnG=Google+Search

----------

## MasterC

Thanks for the links, I'll check em out!

-Chad

----------

## bgregorcy

http://wiki.samba.org/index.php/Samba_&_Active_Directory#Advanced_Configuration

----------

## hexstar

 *MasterC wrote:*   

> Thanks for the links, I'll check em out!
> 
> -Chad

You're quite welcome.

----------

