HOWTO: NT Domain Authentication

**clemix** · May 21st, 2008

hi
I tried the tutorial, and it does not work...

when i type: wbinfo -u
I see all the users...
but when i type wbinfo -g
I see only:

Code:

BUILTIN+administrators
BUILTIN+users

but there are much more groups... does anybody know a solution?

**pigna** · April 30th, 2009

I changed the configuration of pam to authenticate in the domain with winbind and I have enabled caching of user and password of the domain, I log the domain user (both online and offline) and mount the shared, but I have a problem when Working offline and use of certain programs that require user authentication to be run.

Example: When I try to launch the System -> Admin -> Users and Group " from local user and I click Unlock I request the password, but when I enter the program freezes for a few minutes and then tells me:

HTML Code:

Unable to authenticate
An unexpected error occurred

And in the file auth.log I appear the following messages:

HTML Code:

dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.29" (uid=1001 pid=4573 comm="/usr/lib/indicator-applet/indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.91" (uid=1000 pid=6714 comm="/usr/lib/policykit-gnome/polkit-gnome-manager "))
dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.59" (uid=1000 pid=5593 comm="/usr/lib/indicator-applet/indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.91" (uid=1000 pid=6714 comm="/usr/lib/policykit-gnome/polkit-gnome-manager "))
dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.29" (uid=1001 pid=4573 comm="/usr/lib/indicator-applet/indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.92" (uid=1000 pid=6715 comm="/usr/lib/policykit/polkit-grant-helper 6706 org.fr"))
dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.59" (uid=1000 pid=5593 comm="/usr/lib/indicator-applet/indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.92" (uid=1000 pid=6715 comm="/usr/lib/policykit/polkit-grant-helper 6706 org.fr"))
dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.29" (uid=1001 pid=4573 comm="/usr/lib/indicator-applet/indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.93" (uid=1000 pid=6718 comm="/usr/lib/policykit/polkit-grant-helper 6706 org.fr"))
dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.59" (uid=1000 pid=5593 comm="/usr/lib/indicator-applet/indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.93" (uid=1000 pid=6718 comm="/usr/lib/policykit/polkit-grant-helper 6706 org.fr"))
polkit-grant-helper-pam[6721]: pam_mount(rdconf1.c:667): path to luserconf set to /home/user1/.pam_mount.conf.xml 
polkit-grant-helper-pam[6721]: pam_winbind(polkit:auth): getting password (0x00000010)
polkit-grant-helper-pam[6721]: pam_winbind(polkit:auth): pam_get_item returned a password
polkit-grant-helper-pam[6721]: pam_winbind(polkit:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers
polkit-grant-helper-pam[6721]: pam_winbind(polkit:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'user1')
polkit-grant-helper-pam[6721]: pam_unix(polkit:auth): authentication failure; logname= uid=1000 euid=0 tty= ruser=user1 rhost=  user=user1

And if you use a domain user I have these messages appear:

HTML Code:

dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.52" (uid=1001 pid=4575 comm="/usr/lib/indicator-applet/
indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.
57" (uid=1001 pid=4645 comm="users-admin "))
dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.52" (uid=1001 pid=4575 comm="/usr/lib/indicator-applet/
indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.
58" (uid=0 pid=4648 comm="/usr/bin/perl /usr/share/system-tools-backends-2.0"))
dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.52" (uid=1001 pid=4575 comm="/usr/lib/indicator-applet/
indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.
59" (uid=0 pid=4654 comm="/usr/bin/perl /usr/share/system-tools-backends-2.0"))
dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.52" (uid=1001 pid=4575 comm="/usr/lib/indicator-applet/
indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.
60" (uid=0 pid=4656 comm="/usr/bin/perl /usr/share/system-tools-backends-2.0"))
dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.52" (uid=1001 pid=4575 comm="/usr/lib/indicator-applet/
indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.
61" (uid=0 pid=4658 comm="/usr/bin/perl /usr/share/system-tools-backends-2.0"))
dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.52" (uid=1001 pid=4575 comm="/usr/lib/indicator-applet/
indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.
62" (uid=1001 pid=4666 comm="/usr/lib/policykit-gnome/polkit-gnome-manager "))
dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.52" (uid=1001 pid=4575 comm="/usr/lib/indicator-applet/
indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.
63" (uid=1001 pid=4667 comm="/usr/lib/policykit/polkit-grant-helper 4645 org.fr"))
dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.52" (uid=1001 pid=4575 comm="/usr/lib/indicator-applet/
indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.
64" (uid=1001 pid=4670 comm="/usr/lib/policykit/polkit-grant-helper 4645 org.fr"))
polkit-grant-helper-pam[4673]: pam_mount(rdconf1.c:667): path to luserconf set to /home/user2/.pam_mount.conf.xml
polkit-grant-helper-pam[4673]: pam_winbind(polkit:auth): getting password (0x00000210)
polkit-grant-helper-pam[4673]: pam_winbind(polkit:auth): pam_get_item returned a password
polkit-grant-helper-pam[4673]: pam_winbind(polkit:auth): user 'user2' granted access
polkit-grant-helper-pam[4673]: pam_winbind(polkit:account): user 'user2' granted access

This is my configuration files:

Code:

[common-account]
account sufficient pam_winbind.so
account required pam_unix.so

[common-auth]
auth required pam_mount.so
auth sufficient pam_winbind.so use_first_pass
#auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

[common-password]
password sufficient pam_winbind.so use_authtok
#password sufficient pam_winbind.so
password required pam_unix.so nullok obscure min=4 max=9 md5

[common-session]
session required pam_unix.so nullok_secure
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_mount.so

[pam_winbind.conf]
[global]
#debug
cached_login = yes

[smb.conf]
workgroup = DOM1
server string = %h
security = domain
encrypt passwords = true
wins server = xxx.xxx.xxx.xxx
password server = *
domain master = false
preferred master = false
local master = no
lm announce = false
hosts allow = xxx.xxx.xxx.xxx, 127.0.0.1
hosts deny = all
socket options = TCP_NODELAY IPTOS_LOWDELAY
log file = /var/log/samba/log.%U
log level = 2
pam password change = yes
interfaces = eth0, lo
winbind uid = 1000-10000
winbind gid = 1000-10000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind cache time = 15
winbind offline logon = yes
template shell = /bin/bash
template homedir = /home/%U

Suggestions?

**Patophe** · November 11th, 2010

Hi,
I tried this method on my server and I'm now kicked out from is as root!!!!

After rebooting, no more root account was accessible!!! I can't roll back without admin priviledge!! I had a ssh secure key set and it does'nt work anymore.

This changed the root account to another!!

Some major help please!!

I need a way to recover this server!!

**Patophe** · November 11th, 2010

I booted in recovery mode and rolled back.

It's done.

Originally Posted by Patophe

Hi,
I tried this method on my server and I'm now kicked out from is as root!!!!

After rebooting, no more root account was accessible!!! I can't roll back without admin priviledge!! I had a ssh secure key set and it does'nt work anymore.

This changed the root account to another!!

Some major help please!!

I need a way to recover this server!!

**cucu007** · November 11th, 2010

Thank you for this contribution, I have been thinking about migrating all my server from Windows Server to Linux due to the high cost of licensing but I am still a little afraid about doing it since I might loose some functionality. I am still evaluating the possibility and this serve as a good start.

**pigna** · November 12th, 2010

Originally Posted by cucu007

Thank you for this contribution, I have been thinking about migrating all my server from Windows Server to Linux due to the high cost of licensing but I am still a little afraid about doing it since I might loose some functionality. I am still evaluating the possibility and this serve as a good start.

Hi cucu007, i have the 80% of Servers with Linux (CentOS and Debian) and 20% with Windows (because some applications require Windows as SO).

Linux servers provide:

Domain autentication (Samba)
File Server (Samba)
Mail (imap, pop, smtp)
Groupware (with SOGo)
Fax server
Datawarehouse
VPN
Firewalling
DB Server

and more...

In linux the cost of licensing is very cheap but in some cases the implementation requires more effort on the part of the System Administrators.

**divyabdasar** · July 7th, 2011

I am trying to connect ubuntu 11.04 to windows 2003 server domain. I followed all the configuration steps as told.

After rebooting the machine i am unable to login. This is the first time i am trying to connect to windows domain.

Any help will be of great importance.