SDB:Gnyers/InteropDemo/SambaAsMemeberServer




Integrating with Active Directory as an authentication and authorization source is a frequent use case in mixed Linux and Windows environments. Winbind, a component of Samba, provides not only the necessary integration with AD but also a PAM module (``pam_winbind``) to authenticate and authorize Linux users.

This HOWTO uses Samba 3.6.


Work in Progress

This article is not yet ready



Authentication using Active Directory and Winbind

Configuring Winbind on SLES

Restrict shell access to a specific group

The YaST *Windows Domain Membership* module is not yet capable of restricting shell access based on an Active Directory group. To achieve this, the ``require_membership_of`` parameter must be set manually in ``/etc/security/pam_winbind.conf``.

Allow only members of the group "SLES Shell Users"::

# egrep -v "^[;#]|^$" /etc/security/pam_winbind.conf
[global]
  cached_login = yes
  krb5_auth = yes
  krb5_ccache_type = FILE
  debug = yes
  require_membership_of = "SLES Shell Users"


Testing pam_winbind authentication

Without restrictions on shell access (``debug = yes`` makes ``pam_winbind`` log each step to syslog)::

Oct 28 21:08:18 interop02 login[7814]: pam_winbind(login:auth): getting password (0x00000390)
Oct 28 21:08:18 interop02 login[7814]: pam_winbind(login:auth): pam_get_item returned a password
Oct 28 21:08:18 interop02 login[7814]: pam_winbind(login:auth): user 'interop\demo' granted access
Oct 28 21:08:18 interop02 login[7814]: pam_winbind(login:account): user 'demo' granted access

After activating the restriction (shell access only for members of the AD group "SLES Shell Users"), the same user, who is not a member of that group, is denied; note that ``pam_winbind`` reports this with the generic message "incorrect password or invalid membership"::

Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): [pamh: 0x60b020] ENTER: pam_sm_authenticate (flags: 0x0000)
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): getting password (0x000003d1)
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): pam_get_item returned a password
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): Verify user 'interop\demo'
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): CONFIG file: require_membership_of 'SLES Shell Users'
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): CONFIG file: krb5_ccache_type 'FILE'
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): enabling krb5 login flag
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): enabling cached login flag
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): enabling request for a FILE krb5 ccache
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): no sid given, looking up: SLES Shell Users
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): user 'interop\demo' denied access (incorrect password or invalid membership)
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): [pamh: 0x60b020] LEAVE: pam_sm_authenticate returning 7 (PAM_AUTH_ERR)

Confirmation of restricted access: login with a user that is a member of the AD group "SLES Shell Users"::

Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): [pamh: 0x60b020] ENTER: pam_sm_authenticate (flags: 0x0000)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): getting password (0x000003d1)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): pam_get_item returned a password
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): Verify user 'interop\administrator'
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): CONFIG file: require_membership_of 'SLES Shell Users'
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): CONFIG file: krb5_ccache_type 'FILE'
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): enabling krb5 login flag
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): enabling cached login flag
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): enabling request for a FILE krb5 ccache
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): no sid given, looking up: SLES Shell Users
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): request wbcLogonUser succeeded
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): user 'interop\administrator' granted access
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10001
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): Returned user was 'administrator'
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): [pamh: 0x60b020] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:account): [pamh: 0x60b020] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:account): user 'administrator' granted access
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:account): [pamh: 0x60b020] LEAVE: pam_sm_acct_mgmt returning 0 (PAM_SUCCESS)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:setcred): [pamh: 0x60b020] ENTER: pam_sm_setcred (flags: 0x0002)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:setcred): PAM_ESTABLISH_CRED not implemented
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:setcred): [pamh: 0x60b020] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:session): [pamh: 0x60b020] ENTER: pam_sm_open_session (flags: 0x0000)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:session): [pamh: 0x60b020] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)
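The log excerpts above show that ``pam_winbind`` uses the same "denied access" wording for a wrong password and for a missing group membership; the preceding ``wbcLogonUser failed`` line carries the NTSTATUS that tells the two apart. The following added script (not part of the original HOWTO) triages such syslog lines per PID and labels each attempt. The sample lines are constructed from the page's output plus one wrong-password attempt; the mapping of ``NT_STATUS_LOGON_FAILURE`` to a membership failure and ``NT_STATUS_WRONG_PASSWORD`` to a bad password is an assumption about winbindd's behaviour with ``require_membership_of`` set.

```python
import re
from collections import defaultdict

# Constructed sample: pam_winbind auth lines modelled on the HOWTO's debug
# output; PID 7950 is an added wrong-password attempt not shown on the page.
SAMPLE_LOG = r"""
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Oct 28 21:11:48 interop02 login[7887]: pam_winbind(login:auth): user 'interop\demo' denied access (incorrect password or invalid membership)
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): request wbcLogonUser succeeded
Oct 28 21:12:55 interop02 login[7905]: pam_winbind(login:auth): user 'interop\administrator' granted access
Oct 28 21:14:02 interop02 login[7950]: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Oct 28 21:14:02 interop02 login[7950]: pam_winbind(login:auth): user 'interop\demo' denied access (incorrect password or invalid membership)
"""

# syslog prefix, service[pid], then the pam_winbind(stack) message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<svc>\w+)\[(?P<pid>\d+)\]: "
    r"pam_winbind\((?P<stack>[^)]+)\): (?P<msg>.*)$")
STATUS_RE = re.compile(r"NTSTATUS: (?P<status>NT_STATUS_\w+)")
VERDICT_RE = re.compile(r"user '(?P<user>[^']+)' (?P<verdict>granted|denied) access")

# Assumed winbindd semantics with require_membership_of set: a valid password
# but missing membership yields LOGON_FAILURE, a bad password WRONG_PASSWORD.
REASONS = {
    "NT_STATUS_LOGON_FAILURE": "not a member of required group",
    "NT_STATUS_WRONG_PASSWORD": "wrong password",
}


def triage(log_text):
    """Return one (pid, user, verdict, reason) tuple per auth attempt, in log order."""
    attempts = defaultdict(lambda: {"user": None, "status": None, "verdict": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("stack") != "login:auth":
            continue  # skip non-matching lines and the account/setcred/session stacks
        a, msg = attempts[m.group("pid")], m.group("msg")
        s = STATUS_RE.search(msg)
        if s:
            a["status"] = s.group("status")
        v = VERDICT_RE.search(msg)
        if v:
            a["user"], a["verdict"] = v.group("user"), v.group("verdict")
    rows = []
    for pid, a in attempts.items():
        if a["verdict"] is None:
            continue  # attempt still in progress or incomplete log
        reason = "ok" if a["verdict"] == "granted" else REASONS.get(a["status"], a["status"] or "unknown")
        rows.append((pid, a["user"], a["verdict"], reason))
    return rows
```

Running ``triage`` over ``/var/log/messages`` on the member server gives a quick audit of who was kept out by the group restriction versus who simply mistyped a password.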

Generic testing of winbind

Get the domain controller for domain INTEROP::

# wbinfo --getdcname=interop
WIN200864

Test the availability of the domain controller::

# wbinfo --ping-dc
checking the NETLOGON dc connection succeeded

Successful login attempt::

# wbinfo --pam-logon=Administrator%Suse123.
plaintext password authentication succeeded

Login attempt with an unknown user::

# wbinfo --pam-logon=Admin%Suse123.
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
pam_logon failed for gnyers%asdfsadf

Login attempt with an incorrect password::

# wbinfo --pam-logon=Administrator%asdfsadf
plaintext password authentication failed
error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
pam_logon failed for Administrator%asdfsadf
