Linux machine is in a windows domain, but domain logon isn't working

Question

We have a small network in our department

• 2 Win Server 2008 Domain Controller
• 1 debian webserver
• a number of win7 Clients

My predecssor tried to add the webserver to our domain in order to login there with user accounts from our domain (mostly for file transfers onto the webserver). I worked for some time, but since an unidentified point in time it doesn't work anymore.

So I've read some tutorials on samba and looked over the configurations files but couldn't find the problem. Now I'm seeking your help.

auth.log after trying to login with a "domain user" :

Mar 13 17:04:33 linuxwebserver login[22754]: pam_winbind(login:auth): getting password (0x00000000)
Mar 13 17:04:35 linuxwebserver login[22754]: pam_winbind(login:auth): user '<domain-username>' granted access
Mar 13 17:04:35 linuxwebserver login[22754]: pam_unix(login:account): could not identify user (from getpwnam(<domain-username>))
Mar 13 17:04:35 linuxwebserver login[22754]: User not known to the underlying authentication module

auth.log after trying to login with a "domain"\"domain user" :

Mar 13 17:06:29 linuxwebserver login[22762]: pam_winbind(login:auth): getting password (0x00000000)
Mar 13 17:06:32 linuxwebserver login[22762]: pam_winbind(login:auth): request failed: No such user, PAM error was Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt (10), NT error was NT_STATUS_NO_SUCH_USER
Mar 13 17:06:32 linuxwebserver login[22762]: pam_unix(login:auth): check pass; user unknown
Mar 13 17:06:32 linuxwebserver login[22762]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=pts/3 ruser= rhost=
Mar 13 17:06:34 linuxwebserver login[22762]: FAILED LOGIN (1) on 'pts/3' FOR `UNKNOWN', User not known to the underlying authentication module

It seems to me, that the webserver is correctly in the domain, but there are some problems with how linux checks the validity of the accounts.

smb.conf : http://pastebin.com/nXdZUEbn

nsswitch.conf :

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

wbinfo -u gives me a correct list of all accounts in our domain (without "DOMAIN\" in front of the names)

wbinfo -g gives me a correct list of the groups in our domain (without "DOMAIN\" in front of the names)

getent passwd gives me a list of the local (unix-)accounts on our webserver (no domain users)

getent group gives me a list of the local (unix-)groups on our webserver (no domain users)

# wbinfo -p
Ping to winbindd succeeded

My idea: Linux uses the information from passwd to check whether an account is valid or not, but it doesn't check th einformation from wbinfo to it. I thought I resolved this with adding winbind to the nsswitch.conf but the problem stayed.

---

EDIT:

/etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth    required        pam_unix.so nullok_secure use_first_pass

/etc/pam.d/common-account

account sufficient      pam_winbind.so
account required        pam_unix.so

/etc/pam.d/common-password

password   required   pam_unix.so nullok obscure md5

---

EDIT2: /etc/krb5.conf

[libdefaults]
    default_realm = <DOMAIN>.LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    <DOMAIN>.LOCAL = {
        kdc = <WIN DOMAIN CONTROLLER>.<DOMAIN>.local
        admin_server = <WIN DOMAIN CONTROLLER>.<DOMAIN>.local
    }


[domain_realm]
    .<DOMAIN>.local = <DOMAIN>.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = false

Answer 1

Try changing in your smb.conf:

idmap backend = ad

for:

idmap backend = rid

And restart your samba services (winbind mainly). If it still doesn't work, try this:

1. Stop samba services
2. Delete samba database and cache files (usually under /var/lib/samba, tdb files).
3. Run net ads join again
4. Start samba services

Which samba version are you using?

Answer 2

I don't have enough rating to post a comment, but I seem to recall needing to use two slashes during login to a windows domain. I believe that was with BeyondTrust, i know in Quest i did not need to use two slashes...

DOMAIN\\user