Ubuntu – Samba/Winbind Active Directory authentication broken after upgrade to 14.04


I was on Ubuntu desktop 12.04 and had it joined to the domain using samba/winbind/krb5 – worked great without any issues; I could log onto my computer using my Active Directory account. I upgraded to 14.04 and it seems to have broken. It seems that 14.04 has upgraded to Samba4 and I'm not sure if that is the issue or not. I made a few changes to my smb.conf file that appear to be Samba4 changes – and that allows me to join the domain using net ads join -U username – works fine; my computer is joined to the domain, and I can get a ticket using Kerberos and see that it is valid. However, when I log out of my local account and try to log back in using my domain account, it always tells me invalid password. Any ideas? After running testparm on my smb.conf file, it told me idmap uid and idmap gid are no longer used, and it also told me that "security=ads" combined with "password server" should not be combined. I'm wondering if that is the issue.

Edit: possibly this has something to do with my pam.d files. I just did a clean installation of 14.04 and am unable to log in; it doesn't even ask me for my password, which goes away if I go back to the default pam files. Here is what I have:

/etc/pam.d/common-account:

    account sufficient pam_winbind.so
    account required pam_unix.so

/etc/pam.d/common-auth:

    auth sufficient pam_winbind.so
    auth required pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-password:

    password required pam_unix.so nullok obscure min=4 max=50 md5

/etc/pam.d/common-session:

    session required pam_mkhomedir.so umask=0022 skel=/etc/skel

here is my test /etc/samba/smb.conf:

    [global]

    workgroup = MYDOMAIN
    security = ADS
    realm = MYDOMAIN.COM
    netbios name = trusty

    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range = 500-40000

    winbind nss info = rfc2307
    [test]
    path = /srv/samba/test
    read only = no

and here is my /etc/krb5.conf

    [libdefaults]
    default_realm = MYDOMAIN.COM
    ticket_lifetime = 24000
    allow_weak_crypto = yes
    [realms]
    MYDOMAIN.COM = {
            kdc = my.domain.com
            admin_server = my.domain.com
            default_domain = MYDOMAIN.COM
    }


    [domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
    [login]
    krb4_convert = true
    krb4_get_tickets = false

/etc/nsswitch.conf

    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat winbind

    hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis

Edit: one last thing. I noticed that if I type pam-auth-update, I don't see the ability to enable a PAM profile for Active Directory or LDAP; I swear that was there in 12.04?

Best Answer

Does

    getent passwd

return anything?

How about

    wbinfo -u

I am working on the same thing, and for me wbinfo -u worked but getent passwd did not. I was able to get getent passwd to work by adding these packages:

    apt-get install libnss-winbind libpam-winbind

Once getent passwd returned domain users I was able to ssh into the machine with my domain credentials.
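The checks the answer suggests (getent passwd, wbinfo -u, the libnss-winbind and libpam-winbind packages), together with the nsswitch.conf, common-auth and smb.conf points raised in the question, as an added shell example that is not part of the question or the answer. The function names and the sample /etc trees that make_samples writes under a temporary directory are this example's own constructions (the "good" tree mirrors the files posted in the question, the "bad" tree a stock 14.04 layout); the live commands run only where the tools exist.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: offline checks
# for the three files a winbind login depends on, plus the live commands
# from the answer. Function names and sample files are this example's own.

# nss_has_winbind FILE
# Succeeds when both the passwd and group databases in an nsswitch.conf
# list the "winbind" source. The line alone is not enough: glibc also needs
# libnss_winbind.so.2 from libnss-winbind, which is why getent passwd in
# the answer stayed empty until that package was installed.
nss_has_winbind() {
    for db in passwd group; do
        grep -Eq "^${db}:.*[[:space:]]winbind"'([[:space:]]|$)' "$1" || return 1
    done
    return 0
}

# pam_auth_has_winbind FILE
# Succeeds when common-auth loads pam_winbind.so as an auth module (the
# "auth sufficient pam_winbind.so" line from the question). libpam-winbind
# ships the module; without it the stack falls through to pam_unix, which
# knows nothing about domain accounts and reports a bad password.
pam_auth_has_winbind() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(sufficient|required|requisite|optional|\[[^]]*\])[[:space:]]+pam_winbind\.so' "$1"
}

# smb_conf_idmap_ok FILE
# Succeeds when smb.conf uses the Samba 4 "idmap config DOMAIN:range" form
# and not the deprecated "idmap uid"/"idmap gid" keys testparm warns about.
smb_conf_idmap_ok() {
    grep -Eiq '^[[:space:]]*idmap[[:space:]]+(uid|gid)[[:space:]]*=' "$1" && return 1
    grep -Eiq '^[[:space:]]*idmap[[:space:]]+config[[:space:]]+[^:]+:[[:space:]]*range[[:space:]]*=' "$1"
}

# check_all ETCDIR
# Runs the three file checks against ETCDIR/nsswitch.conf,
# ETCDIR/pam.d/common-auth and ETCDIR/samba/smb.conf.
# Exit status is the number of failed checks (0 = every file looks right).
check_all() {
    etc="$1"; fail=0
    nss_has_winbind "$etc/nsswitch.conf" || { echo "FAIL: nsswitch.conf lacks winbind for passwd/group"; fail=$((fail + 1)); }
    pam_auth_has_winbind "$etc/pam.d/common-auth" || { echo "FAIL: common-auth does not load pam_winbind.so"; fail=$((fail + 1)); }
    smb_conf_idmap_ok "$etc/samba/smb.conf" || { echo "FAIL: smb.conf uses idmap uid/gid or has no idmap config range"; fail=$((fail + 1)); }
    return "$fail"
}

# live_checks
# The answer's two commands plus the package state, run only where the
# tools exist so the script is harmless on a machine without Samba.
live_checks() {
    command -v wbinfo >/dev/null 2>&1 && { echo "== wbinfo -u"; wbinfo -u 2>&1 | head -n 5; }
    command -v getent >/dev/null 2>&1 && { echo "== getent passwd (last 5 entries)"; getent passwd 2>/dev/null | tail -n 5; }
    command -v dpkg-query >/dev/null 2>&1 && dpkg-query -W -f='${Package} ${Status}\n' libnss-winbind libpam-winbind 2>&1
    return 0
}

# make_samples DIR
# Writes two constructed /etc trees: "good" mirrors the question's files,
# "bad" is a stock 14.04 layout (no winbind in nsswitch, pam_unix only,
# the old idmap uid/gid keys and a password server line).
make_samples() {
    for v in good bad; do mkdir -p "$1/$v/pam.d" "$1/$v/samba"; done
    printf 'passwd:         compat winbind\ngroup:          compat winbind\nshadow:         compat winbind\n' > "$1/good/nsswitch.conf"
    printf 'auth sufficient pam_winbind.so\nauth required pam_unix.so nullok_secure use_first_pass\n' > "$1/good/pam.d/common-auth"
    printf '[global]\nworkgroup = MYDOMAIN\nsecurity = ADS\nrealm = MYDOMAIN.COM\nidmap config *:backend = tdb\nidmap config *:range = 70001-80000\nidmap config MYDOMAIN:backend = ad\nidmap config MYDOMAIN:range = 500-40000\n' > "$1/good/samba/smb.conf"
    printf 'passwd:         compat\ngroup:          compat\nshadow:         compat\n' > "$1/bad/nsswitch.conf"
    printf 'auth [success=1 default=ignore] pam_unix.so nullok_secure\nauth requisite pam_deny.so\nauth required pam_permit.so\n' > "$1/bad/pam.d/common-auth"
    printf '[global]\nworkgroup = MYDOMAIN\nsecurity = ADS\npassword server = my.domain.com\nidmap uid = 10000-20000\nidmap gid = 10000-20000\n' > "$1/bad/samba/smb.conf"
}

# Demo on the constructed samples; add --live to also run the real commands.
tmp=$(mktemp -d)
make_samples "$tmp"
for v in good bad; do
    echo "== sample tree: $v"
    check_all "$tmp/$v" && echo "all checks passed" || echo "failed checks: $?"
done
rm -rf "$tmp"
if [ "${1:-}" = "--live" ]; then live_checks; fi
```

Point check_all at the real /etc on the joined machine (check_all /etc) once the constructed samples behave as expected; a failure count of zero there, with wbinfo -u and getent passwd both listing domain users, is the state the answer describes before ssh with a domain account worked.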
