Ooops. I've broken my command line.

[Kent West]

chris harrison wrote:

>I seem to have broken the cardinal rule of tinkering - I'm not
>able to back out the change because I'm not sure what I've broken.
>
>I've been trying to configure my machine (woody) to authenticate
>with the PDC on the local win2k network, using samba, winbind and
>pam.
>
>

Without accounts on the local machine?! Oh, man, if you get this done,
write up a how-to. Please. Seriously.

>All's been going reasonably smoothly, I can mount windows shares
>on to my machine, although the other direction was not so easy.
>Sometimes I could see the linux machine from the windows net,
>sometimes not.
>
>Then something seriously broke. I would try to login and nothing
>would happen. After a while I realised (through trawling through
>/var/log/auth.log) that it wasn't a problem logging in, it was
>what happened next.
>
>Nothing. That's what happens next. It doesn't matter if I login,
>su, ssh or even try to create a new xterm, each time it gives me
>a login prompt and authenticates ... but then hangs. Nothing.
>
>

What happens if you try to log in with single-user mode?

Maybe boot off another system (Knoppix CD, mount the Debian system and
restore any pam files you may have changed back to their originals.

>What happens next? I'm a relatively newbie to this level of admin,
>so any pointers would be gratefully received. Even pointers at
>the manual I've obviously not been able to find so as to be able
>to read!
>
>
>Many thanks.
>
>
>
>
>
>
>

--
To UNSUBSCRIBE, email to [email]debian-user-request@lists.debian.org[/email]
with a subject of "unsubscribe". Trouble? Contact [email]listmaster@lists.debian.org[/email]

[Kent West]

Mark Roach wrote:

>On Tue, 2003-08-05 at 12:01, Kent West wrote:
>
>

>>chris harrison wrote:
>>
>>

>[...]
>
>

>>>I've been trying to configure my machine (woody) to authenticate
>>>with the PDC on the local win2k network, using samba, winbind and
>>>pam.
>>>
>>>
>>>
>>>

>>Without accounts on the local machine?! Oh, man, if you get this done,
>>write up a how-to. Please. Seriously.
>>
>>

>
>It's really not that unusual a thing since winbind came out, there is
>already plenty of good documentation, like here for starters
>[url]http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html#WINBIND[/url]
>
>and especially in the winbindd man page
>
>winbind provides both nss and pam functionality so you can make any
>service that uses pam use windows domain authentication I frequently
>"ssh -l domain\\username linuxserver"
>
>-Mark
>
>
>
>

For the past couple of years, each year I spend a week or so at the
beginning of the university school year trying to get this figured out.
Last year I got close, but I could never get the students' home
directories to mount. I tinkered and tinkered and finally had PAM so
confused that nothing worked.

A lot of the problem is that the documents you mention above are now out
of date. For example, the command "smbpasswd -j DOMAIN -r PDC -U
Administrator" results in:

See 'net join' for this functionality

and last year, I could find none, nada, zilch documentation on this "net
join" command. I see that now, a year later, there's a man page for
"net", but it didn't exist last year. I also believe the "winbind uid"
type entries in smb.conf have now been deprecated; I vaguely remember
seeing something to that effect on a recent apt-get dist-upgrade to sid
on one of my boxes.

So in short, whereas these documents are very good for laying the
goundwork, I'm a firm believer in reading three or four books on a topic
before believing that I've started to get a grasp of the material,
because each author will come at it from a slightly different
perspective or say things in a slightly different manner, etc, and it's
the differences that teach the similarities. Using these documents
you've mentioned, I've never been able to accomplish what I want to do.
I appreciate you pointing them out to me, but I'm just saying that for
this dumb guy, they're not enough.

--
Kent



--
To UNSUBSCRIBE, email to [email]debian-user-request@lists.debian.org[/email]
with a subject of "unsubscribe". Trouble? Contact [email]listmaster@lists.debian.org[/email]

[Kent West]

Kent West wrote:

> Mark Roach wrote:
>

>> On Tue, 2003-08-05 at 12:01, Kent West wrote:
>>
>>

>>> chris harrison wrote:
>>>

>>
>> [...]
>>
>>

>>>> I've been trying to configure my machine (woody) to authenticate
>>>> with the PDC on the local win2k network, using samba, winbind and
>>>> pam.
>>>>
>>>>
>>>
>>> Without accounts on the local machine?! Oh, man, if you get this
>>> done, write up a how-to. Please. Seriously.
>>>

>>
>>
>> It's really not that unusual a thing since winbind came out, there is
>> already plenty of good documentation, like here for starters
>> [url]http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html#WINBIND[/url]
>> <snip>
>>

>
>
> A lot of the problem is that the documents you mention above are now
> out of date. For example, the command "smbpasswd -j DOMAIN -r PDC -U
> Administrator" has been replaced by the "net join" command. I also
> believe the "winbind uid" type entries in smb.conf have now been
> deprecated

Yep.

westk[@agclub03]:/home/westk> sudo net join member -U westk
[2003/08/06 09:45:07, 1] param/loadparm.c:lp_do_parameter(3114)
WARNING: The "winbind uid" option is deprecated
[2003/08/06 09:45:07, 1] param/loadparm.c:lp_do_parameter(3114)
WARNING: The "winbind gid" option is deprecated

And, even so, I still can't get it to work:
westk[@agclub03]:/home/westk> sudo net join member -U westk
westk password:
[2003/08/06 09:45:53, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267)
krb5_cc_get_principal failed (No credentials cache found)
ads_join_realm: organizational unit member does not exist
(dn:ou=member,dc=CAMPUS,dc=ACU,dc=EDU)
ADS join did not work, trying RPC...
[2003/08/06 09:45:54, 1] utils/net.c:net_find_server(243)
no server to connect to

Unable to find a suitable server
[2003/08/06 09:45:54, 1] utils/net.c:net_find_server(243)
no server to connect to

Unable to find a suitable server


This may be because we've switched over to ActiveDirectory, and perhaps
Samba/winbind hasn't yet caught up?

--
Kent




--
To UNSUBSCRIBE, email to [email]debian-user-request@lists.debian.org[/email]
with a subject of "unsubscribe". Trouble? Contact [email]listmaster@lists.debian.org[/email]

[Kent West]

Kent West wrote:

>
>
> And, even so, I still can't get it to work:
> westk[@agclub03]:/home/westk> sudo net join member -U westk
> westk password:
> [2003/08/06 09:45:53, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267)
> krb5_cc_get_principal failed (No credentials cache found)
> ads_join_realm: organizational unit member does not exist
> (dn:ou=member,dc=CAMPUS,dc=ACU,dc=EDU)
> ADS join did not work, trying RPC...
> [2003/08/06 09:45:54, 1] utils/net.c:net_find_server(243)
> no server to connect to
>
> Unable to find a suitable server
> [2003/08/06 09:45:54, 1] utils/net.c:net_find_server(243)
> no server to connect to
>
> Unable to find a suitable server

I just tried a more simplified command which worked to add the machine
to the domain.

> westk[@agclub03]:/home/westk> sudo net join -U westk
> westk password:
> [2003/08/06 09:54:28, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267)
> krb5_cc_get_principal failed (No credentials cache found)
> Joined 'AGCLUB03' to realm 'CAMPUS.ACU.EDU'

This allowed me to login with an NT domain account that does not have a
corresponding local account:

> agclub03 login: acu+snert
> Password:
> Linux agclub03 2.4.21-3-686 #1 Sun Jul 20 16:11:09 EST 2003 i686
> GNU/Linux
>
> The programs included with the Debian GNU/Linux system are free
> software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> No directory, logging in with HOME=/
> ACU+Snert@agclub03:/$

Whoo-hoo! Now if I can just figure out how to map the home directory in
the NT domain as the home directory locally.

--
Kent








--
To UNSUBSCRIBE, email to [email]debian-user-request@lists.debian.org[/email]
with a subject of "unsubscribe". Trouble? Contact [email]listmaster@lists.debian.org[/email]