
SOLVED winbind, Active Directory, graphical logon: GUIDE INSIDE


Stratus_ss
OK, so here is the deal.
I currently have a few boxes which authenticate against a W2k3 AD server.
SSH and local shell logons work, as well as "su'ing" to different users.

Home directories are created, etc.; all that good stuff.

The problem is I can't get graphical logons working properly.
The user can boot into a shell and then "startx" and all is jim-dandy;
however, having it boot into X prevents all users from logging in at all (except root) through the GUI.

I guess it has something to do with permissions? Maybe? But I can't tell.
There wasn't anything telling that I could find in /var/log/auth or /var/log/messages,
but I don't know where else I would look.

Distros are Ubuntu Server 10.10 and OpenSuse 11.3.

smb.conf:
Code:
#======================= Global Settings =======================

[global]

security = ads
realm = AD.SERVER
password server = 192.168.56.200
workgroup = AD
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords =yes
winbind use default domain = yes
restrict anonymous = 2


#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
#   security = user

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<[email protected]> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped 
# to anonymous connections
   map to guest = bad user

########## Domains ###########

# Is this machine able to authenticate users. Both PDC and BDC
# must have this setting enabled. If you are the BDC you must
# change the 'domain master' setting to no
#
;   domain logons = yes
#
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of the user's profile directory
# from the client point of view)
# The following required a [profiles] share to be setup on the
# samba server (see below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
; add group script = /usr/sbin/addgroup --force-badname %g

########## Printing ##########

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
#   load printers = yes

# lpr(ng) printing. You may wish to override the location of the
# printcap file
;   printing = bsd
;   printcap name = /etc/printcap

# CUPS printing.  See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
;   printing = cups
;   printcap name = cups

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# for details
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
#   socket options = TCP_NODELAY

# The following parameter is useful only if you have the linpopup package
# installed. The samba maintainer and the linpopup maintainer are
# working to ease installation and configuration of linpopup and samba.
;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.
#   domain master = auto

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# The following was the default behaviour in sarge,
# but samba upstream reverted the default because it might induce
# performance issues in large organizations.
# See Debian bug #368251 for some of the consequences of *not*
# having this setting and smb.conf(5) for details.
;   winbind enum groups = yes
;   winbind enum users = yes

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares.  This will share each
# user's home directory as \\server\username
;[homes]
;   comment = Home Directories
;   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
;   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.  Un-comment the following parameter
# to make sure that only "username" can connect to \\server\username
# This might need tweaking when using external authentication schemes
;   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes
;   share modes = no

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin

# A sample share for sharing your CD-ROM with others.
;[cdrom]
;   comment = Samba server's CD-ROM
;   read only = yes
;   locking = no
;   path = /cdrom
;   guest ok = yes

# The next two parameters show how to auto-mount a CD-ROM when the
#	cdrom share is accesed. For this to work /etc/fstab must contain
#	an entry like this:
#
#       /dev/scd0   /cdrom  iso9660 defaults,noauto,ro,user   0 0
#
# The CD-ROM gets unmounted automatically after the connection to the
#
# If you don't want to use auto-mounting/unmounting make sure the CD
#	is mounted on /cdrom
#
;   preexec = /bin/mount /cdrom
;   postexec = /bin/umount /cdrom

pam.d/common-account

Code:
# here are the per-package modules (the "Primary" block)
#account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so 
#account	[success=1 new_authtok_reqd=done default=ignore]	pam_winbind.so 

account	sufficient	pam_winbind.so
account	required	pam_unixl.so

# here's the fallback if no module succeeds
account	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

pam.d/lxde

Code:
#%PAM-1.0
auth sufficient	pam_winbind.so
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required        pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional        pam_gnome_keyring.so auto_start
@include common-password

pam.d/common-session

Code:
# here are the per-package modules (the "Primary" block)
session	[default=1]			pam_permit.so
# here's the fallback if no module succeeds
session	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
session	required	pam_unix.so 
session	optional			pam_winbind.so 
session	optional	pam_mount.so 
session	optional			pam_ck_connector.so nox11
# end of pam-auth-update config

session required pam_mkhomedir.so	umask=0022	skel=/etc/skel


Anyone who can point me in the right direction would be my hero.
I figured I would post a follow-up in case anyone coming behind me has troubles.

So first of all, I rolled out GNOME instead of LXDE for the purposes of getting everything working, based on what I had read on the web.

Conventions used

This guide assumes you already have a basic Active Directory server installed and that it is running DNS.

It also assumes you understand things like DNS, hostnames, basic AD management.

Further, it assumes you have installed some form of Linux, and if you are using a distro other than SuSE or Ubuntu, you know how to translate this information to your own distribution.

Finally, in order to avoid confusion I omit specific examples, because some people have a hard time transferring specific examples to their own situation. Values which are customizable will be enclosed in brackets ().

Systems
All of these are multi-homed, and all 3 of the Linux boxes were fresh installs and are using the "manual method" instead of built-in tools such as Likewise Open or SuSE's "Windows Domain Membership".

Using Windows 2k3
openSuSe 11.3 (X 2)
Ubuntu 10.04


Step 1 - Install the Packages

for ubuntu you need

krb5-user, winbind, samba

for open suse you need
krb5-client, samba-winbind, samba

On SuSe you may need to make winbind start with the computer

use
Code:
chkconfig |grep winbind

to see if it is set to "on". If it isn't simply issue
Code:
chkconfig winbind on

and re-run the chkconfig command again to make sure it has indeed been switched to "on"
The ubuntu systems seem to start this daemon by default


Step 2 - Setup Samba and nsswitch

The smb.conf file should look something like the following (there are obvious omissions, as this example does not cover Samba
configuration of shares):

/etc/samba/smb.conf

Code:
security = ads
        realm = (your domain IN CAPITAL LETTERS)
        password server = (your AD server ip)
        workgroup = (the first part of your fully qualified domain name in CAPITALS)
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = (if you wish to map to your home/domain/user use /home/%D/%U  otherwise this is customizable)
        template shell = (/bin/bash recommended but not required... use your favorite shell)
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2

The /etc/nsswitch.conf file tells the computer which programs to allow access to which files.

Of note, the nsswitch.conf file should contain the following:

Code:
passwd:         compat winbind
group:          compat winbind
shadow:         compat

**In some cases shadow: compat may also need to be changed to shadow: compat winbind


Step 3 - Setup your DHCP mapping (optional for single NICs, required for multi-homed environments)

This step is important if you are in a multi-homed environment (2 or more NICs living on different networks).

In order to properly search your AD domain I have found that you need to edit:

SuSe
/etc/dhclient.conf

ubuntu 10.04 and above
/etc/dhcp3/dhclient.conf

You will see the following lines commented out:

Code:
#supersede domain-name "example.com";
#prepend domain-name-servers 127.0.0.1;

Uncomment these lines and change the values to your domain name and your DNS server address.
This way your resolv.conf will always have the correct information to find your AD server.


Step 4 - Testing your changes so far and joining the domain

You need to stop winbind, restart Samba, then start winbind in order for the changes to take effect:

Code:
sudo /etc/init.d/winbind stop
sudo /etc/init.d/smbd restart
sudo /etc/init.d/winbind start

Next we are going to ask Kerberos to get a new "ticket" from the server:

Code:
kinit user@REALM

The important thing here is that, as a best practice, you use a user that has proper rights on the server.
Also of note, this is a realm and not a domain. The main difference is that a realm must be
entered in CAPITALS, whereas a domain is in lower case.

If this succeeds you will not receive any feedback. If it fails you will see either

Code:
kinit: Client not found in Kerberos database while getting initial credentials

which means that the username is incorrect.
Or you will see
Code:
kinit: Preauthentication failed while getting initial credentials

meaning that the password authentication has failed.

Assuming that the authentication has succeeded, issue the following command:

Code:
net ads join -U (domain admin user)

It is important to use an Active Directory Domain Administrator account here as winbind is attempting
to add an entry into AD.

You may see the following:

Code:
Failed to join domain: failed to find DC for domain

This means that either your DNS has failed to propagate (thus server@domain does not resolve)
or you have an addressing problem in your DNS entries.
If you are sure that your DNS is set correctly, start by looking in /etc/resolv.conf.
Your domain DNS should be the first (nameserver) entry, and your (search) parameter should
also have your domain first.

EX:
/etc/resolv.conf
Code:
search ad.server some.other.domain
nameserver 192.168.56.200  < -- your AD DNS server
nameserver 192.xxx.xxx.xxx
nameserver 192.xxx.xxx.xxx

After making these changes, try to ping your server by its dns name. If that fails, ping it by its IP
If that fails, there is a networking issue which is beyond the scope of this document.

At this point, if you have successfully joined the domain via the
Code:
net ads join
command, you can query the AD server for a list of users to ensure that everything is working fine.

Code:
wbinfo -u

will return the list of users in the Active Directory server.
Another check you can do is
Code:
getent group

which will display the combined groups on the Linux computer as well as the AD server.

You will probably see things like
"domain users", "group policy creator", etc.
All of these are coming from the AD server, as *nix does not use spaces in its group names.


Step 5 - working with PAM

PAM can be a bit funny to work with from time to time, so I suggest always having a session
logged in on a different terminal to be on the safe side, as adjusting PAM can prevent you from logging in.

For first-time configuration editors: always make a copy of the ORIGINAL PAM file.

The following PAM files will need to be altered (all are located in /etc/pam.d/):

common-account
common-auth
common-session
sudo (if you use sudo to administer your system)
gdm (if you use gdm, substitute for your desktop manager)
login

NOTE: THESE ARE ADDENDUMS, NOT THE ENTIRE FILE


common-account

account sufficient pam_winbind.so
account required pam_unix.so

common-auth

auth sufficient pam_winbind.so use_first_pass
auth sufficient pam_unix.so nullok_secure
auth required pam_deny.so

common-session

session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

sudo

auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so

gdm
session required pam_mkhomedir.so skel=/etc/skel

login
session required pam_mkhomedir.so skel=/etc/skel


At this point everything should be working. Of note: on SuSE boxes the changes to PAM seem to have been dynamic,
meaning a reboot wasn't required. Ubuntu, however, would not accept logins until a reboot had happened.

If you want to test before rebooting, simply attempt to "su" into a user that only resides on the AD server.

Finally, both SuSE and Ubuntu have their "quirks". I have found that SuSE takes a lot longer to boot, and even once
you get to the login screen it is still running its network checks etc. Until these services finish loading
you will not be able to log in. Be patient, get a coffee or a water or something, and come back and try again.

Ubuntu, on the other hand, at least on 2 fresh installs, will not let you log in the first time. If you input the
same AD user and password twice, the login works just fine. The /var/log/auth log shows success, but it still remains
at the start screen.

Other than that, you are now up and running with AD authentication. The more advanced tasks of drive mapping etc.
are for another time.

Good luck!
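As an added example (not part of the original post), a POSIX shell pre-flight check that applies the rules the guide states to the three files it edits: nsswitch.conf sources in the right order, the smb.conf [global] values (security = ads, realm and workgroup in capitals, a sane idmap range) and the common-auth module order from Step 5. The SAMPLE_* strings are constructed copies of the guide's snippets; on a real box pass the contents of /etc/nsswitch.conf, /etc/samba/smb.conf and /etc/pam.d/common-auth to the same functions.

```shell
#!/bin/sh
# Pre-flight check for the winbind/AD setup described above (added example, not the
# poster's script). The SAMPLE_* strings are constructed copies of the guide's
# nsswitch.conf, smb.conf [global] and common-auth snippets.

SAMPLE_NSSWITCH='passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns wins'

SAMPLE_SMB='[global]
security = ads
realm = AD.SERVER
workgroup = AD
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes'

SAMPLE_AUTH='auth sufficient pam_winbind.so use_first_pass
auth sufficient pam_unix.so nullok_secure
auth required pam_deny.so'

# nss_db_ok DB TEXT: the DB line names a local source (files/compat) first and then
# winbind or wins; local first, because wins at the head of the hosts line stalls boot.
nss_db_ok() {
  db=$1
  line=$(printf '%s\n' "$2" | grep "^$db:" | head -n 1)
  [ -n "$line" ] || return 1
  set -- $(printf '%s\n' "$line" | cut -d: -f2)   # split the source list on blanks
  [ $# -ge 2 ] || return 1
  case "$1" in files|compat) ;; *) return 1 ;; esac
  for src in "$@"; do
    case "$src" in winbind|wins) return 0 ;; esac
  done
  return 1
}

# smb_value KEY TEXT: value of the first "KEY = value" line, surrounding blanks removed
smb_value() {
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" |
    head -n 1 | sed 's/[[:space:]]*$//'
}

# smb_global_ok TEXT: security = ads, realm and workgroup in capitals (kinit and
# net ads join want the realm upper case), and idmap ranges that are well formed
# and start above the local account range (uid 1000+).
smb_global_ok() {
  [ "$(smb_value security "$1")" = ads ] || return 1
  for key in realm workgroup; do
    case "$(smb_value "$key" "$1")" in ''|*[[:lower:]]*) return 1 ;; esac
  done
  for key in 'idmap uid' 'idmap gid'; do
    range=$(smb_value "$key" "$1")
    lo=${range%-*}; hi=${range#*-}
    [ "$lo" -ge 1000 ] 2>/dev/null && [ "$lo" -lt "$hi" ] 2>/dev/null || return 1
  done
}

# pam_auth_ok TEXT: pam_winbind is consulted before pam_unix, and the last auth line
# is "required pam_deny.so" so the stack fails closed when no module succeeds.
pam_auth_ok() {
  auth=$(printf '%s\n' "$1" | grep -v '^#' | grep '^auth')
  wb=$(printf '%s\n' "$auth" | grep -n 'pam_winbind\.so' | head -n 1 | cut -d: -f1)
  ux=$(printf '%s\n' "$auth" | grep -n 'pam_unix\.so' | head -n 1 | cut -d: -f1)
  [ -n "$wb" ] && [ -n "$ux" ] && [ "$wb" -lt "$ux" ] || return 1
  printf '%s\n' "$auth" | tail -n 1 | grep -q 'required[[:space:]]*pam_deny\.so'
}

# report NAME CMD...: print PASS/FAIL for one check without aborting the script
report() {
  name=$1; shift
  if "$@"; then echo "PASS  $name"; else echo "FAIL  $name"; fi
}

report "nsswitch passwd via winbind" nss_db_ok passwd "$SAMPLE_NSSWITCH"
report "nsswitch hosts via wins"     nss_db_ok hosts "$SAMPLE_NSSWITCH"
report "smb.conf [global] sanity"    smb_global_ok "$SAMPLE_SMB"
report "common-auth module order"    pam_auth_ok "$SAMPLE_AUTH"
```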
One fun thing that I have in my smb.conf that you might want to use is:

Code:
idmap backend = rid:MBENTLEY=10000-20000

This will make it so that the uid and gid are consistent across multiple systems. You just need to replace 'MBENTLEY' with your realm. This is a lifesaver if you use NFS at all.
 
winbindd: "Invalid request size received" - help

Hi experts: I am happy I've found this thread. I hope you can help me.

I am trying to resolve Windows host names (aka NetBIOS names, aka "UNC names") from a Linux box. (I don't need domain user authentication.)

I added "dns wins" to the "hosts" line at /etc/nsswitch.conf, and installed samba 3.2.2 and ran "winbindd -D".

Now, when I go: "wbinfo -N venus" (where venus is a Windows UNC pc host name on the LAN), it responds: "192.168.0.12" (which is venus' IP address). But, when I go: "ping venus", it says: "ping: bad address: venus", and in the log file: ffp/var/log/samba/log.winbindd it says:
"winbindd/winbindd.c:request_len_recv(616)
request_len_recv: Invalid request size received: 1844 (expected 2096)"

When I try to copy a file from the Windows PC to the Linux box, going:
rsync -v "venus:e/my Documents/Temp/a.txt" . (where a.txt is the file I'd like to copy), it says:
"ssh: Could not resolve hostname venus: Name or service not known",
and in: ffp/var/log/samba/log.winbindd it says again:
"winbindd/winbindd.c:request_len_recv(616)
request_len_recv: Invalid request size received: 1844 (expected 2096)".

More info: I am running a Linux system whose kernel version is: "2.6.12.6-arm1". It's a D-Link DNS-323 NAS box with an ARM processor.

Your help will be appreciated. Thanks in advance - Gail
Hi Gail,

There are a few things you can do. One workaround is to manually add your IPs into the /etc/hosts file.

I suspect part of the problem is with nsswitch as this designates which files (and in what order) the computer looks for resolution information.

Adding "wins" to the line
Code:
hosts:  	files dns
should allow you to access winbind for NetBIOS names. ORDER is important: do NOT add wins to the start of the line, as it will cause either slow or non-responsive boots.

By default nsswitch has only files and dns (at least on the system I am currently on)... so if you don't have a DNS server and you don't have it in your hosts file, Linux will not know where the host you are looking for is located.
winbindd: "Invalid request size received" - help

Stratus_ss: I had added "wins" to the "hosts" line in nsswitch.conf before reporting the problem.

Please note the following: when I go:
1. "wbinfo -N venus" (where venus is a Windows UNC pc host name on the LAN), it responds: "192.168.0.12" (which is venus' IP address). This is fine.
2. "net lookup venus" returns: 192.168.0.12 - which is fine, too.

The problem is, I need general shell commands to resolve the NetBIOS name, and when I go "ping venus" or "rsync venus::directory/file etc." they say "cannot resolve name", and the log.winbindd file gets new entries which say: "winbindd/winbindd.c:request_len_recv(616): Invalid request size received: 1844 (expected 2096)".
I read somewhere that this may be caused by version mismatch in libraries. Here is the output from ldd:
Code:
/etc # ldd /ffp/sbin/winbindd
ldd: can't open cache '/ffp/etc/ld.so.cache'
        libcrypt.so.0 => /ffp/lib/libcrypt.so.0 (0x4000e000)
        libresolv.so.0 => /ffp/lib/libresolv.so.0 (0x4002b000)
        libdl.so.0 => /ffp/lib/libdl.so.0 (0x40035000)
        libiconv.so.2 => /ffp/lib/libiconv.so.2 (0x40040000)
        libtalloc.so.1 => /ffp/lib/libtalloc.so.1 (0x40127000)
        libtdb.so.1 => /ffp/lib/libtdb.so.1 (0x40139000)
        libwbclient.so.0 => /ffp/lib/libwbclient.so.0 (0x40150000)
        libc.so.0 => /ffp/lib/libc.so.0 (0x40164000)
        ld-uClibc.so.0 => /ffp/lib/ld-uClibc.so.0 (0x40000000)
Can you help?

Thanks in advance - Gail