Topic: incorrect password client user login

jandoe

incorrect password client user login
« on: September 26, 2016, 11:48:35 am »
Hello

Client users cannot log in. They get the message "incorrect password" on the Xubuntu 16.04 login (lightdm-gtk-greeter).

I set the Xubuntu client up as follows:

Installed the packages
Code:
apt-get install samba-common smbclient krb5-user krb5-config libpam-heimdal libpam-winbind libnss-winbind winbind

Copied the krb5.conf from the Zentyal 4.1 server
Code:
[libdefaults]
    default_realm = SCHOOL.ZONE
    dns_lookup_kdc = true
    dns_lookup_realm = false
    rdns = no

Configured the smb.conf
Code:
[global]
workgroup = SCHOOL
realm = SCHOOL.ZONE
security = ADS
encrypt passwords = Yes

idmap config *:backend = rid
idmap config *:range = 10000-20000

winbind use default domain = Yes
winbind refresh tickets = Yes
winbind enum users = Yes
winbind enum groups = Yes

template shell = /bin/bash

Configured /etc/hosts
Code:
127.0.0.1 localhost
#127.0.1.1 pc4-students.school.zone pc4-students

192.168.20.104 pc4-students.school.zone pc4-students

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Configured /etc/nsswitch.conf
Code:
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

#hosts:          files mdns4_minimal [NOTFOUND=return] dns
hosts: files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Installed the packages
Code:
apt-get install cifs-utils libpam-mount

Configured /etc/security/pam_mount.conf.xml
Code:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
See pam_mount.conf(5) for a description.
-->

<pam_mount>

<!-- debug should come before everything else,
since this file is still processed in a single pass
from top-to-bottom -->

<debug enable="0" />

<!-- Volume definitions -->

<volume
fstype="cifs"
server="srv1-server.school.zone"
path="%(USER)"
mountpoint="/home/SCHOOL/%(USER)"
user="*"
options="sec=krb5,cruid=%(USERUID),domain={full domain},uid=%(USERUID),gid=%(USERGID),rw"
/>

<!-- pam_mount parameters: General tunables -->

<umount>umount -l %(MNTPT)</umount>

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<logout wait="0" hup="0" term="0" kill="0" />


<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />


</pam_mount>

Stopped the services
Code:
systemctl stop winbind
systemctl stop smbd
systemctl stop nmbd

Joined the client to the Zentyal 4.1 server
Code:
net ads join -U administrator

Started the services again
Code:
systemctl start winbind
systemctl start smbd
systemctl start nmbd

Made some tests
Code:
root@pc4-students:~# wbinfo -u
dns-srv1-server
administrator
jandoe
jodoe
krbtgt
guest

root@pc4-students:~# wbinfo -u
dns-srv1-server
administrator
jandoe
jodoe
krbtgt
guest
root@pc4-students:~# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins

root@pc4-students:~# kinit administrator@SCHOOL.ZONE
Password for administrator@SCHOOL.ZONE:
root@pc4-students:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SCHOOL.ZONE

Valid starting       Expires              Service principal
2016-09-26T17:29:49  2016-09-27T03:29:49  krbtgt/SCHOOL.ZONE@SCHOOL.ZONE
renew until 2016-09-27T17:29:44

root@pc4-students:~# getent passwd jodoe
jodoe:*:11105:10513:John Doe:/home/SCHOOL/jodoe:/bin/bash

So, for me as a newbie, everything seems fine. But when I try to log in as jodoe, whose password I of course know, the login page says "incorrect password".

I also checked the time/date on the client and the server. They seem to be in sync.

So, any hints are welcome!!

Kind regards, Roland
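
The tests in the post above exercise NSS (wbinfo, getent) and Kerberos (kinit), but not the PAM auth stack that the lightdm greeter uses to check the password. The following is an added example, not part of the original post: it lists the modules on the "auth" lines of a PAM stack file and reports whether a domain module is consulted before pam_deny. The function names are hypothetical and both PAM stacks are constructed samples.

```shell
#!/bin/sh
# Added example; helper names are hypothetical and both PAM stacks are constructed samples.

# Print the module of every active "auth" line in a PAM stack file.
pam_auth_modules() {
    awk '$1 == "auth" {
        i = 2
        # the control field may be bracketed and contain spaces: [success=1 default=ignore]
        if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
        print $(i + 1)
    }' "$1"
}

# Succeed only if pam_winbind or pam_krb5 is consulted before the first pam_deny.
domain_auth_reachable() {
    pam_auth_modules "$1" | awk '
        /^pam_deny\.so$/             { exit }
        /^pam_(winbind|krb5)\.so$/   { found = 1; exit }
        END                          { exit !found }'
}

with_winbind=$(mktemp); local_only=$(mktemp)
cat > "$with_winbind" <<'EOF'
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so
EOF
cat > "$local_only" <<'EOF'
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
EOF

for f in "$with_winbind" "$local_only"; do
    if domain_auth_reachable "$f"; then
        echo "domain module in auth stack: $(pam_auth_modules "$f" | tr '\n' ' ')"
    else
        echo "local accounts only:         $(pam_auth_modules "$f" | tr '\n' ' ')"
    fi
done
rm -f "$with_winbind" "$local_only"
```

On the client, the file to pass to both functions is /etc/pam.d/common-auth, which Debian/Ubuntu services include for authentication. `wbinfo -K jodoe` (`--krb5auth`) then tests the password through winbind and Kerberos without involving PAM.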

jandoe

Re: incorrect password client user login
« Reply #1 on: September 26, 2016, 11:51:24 am »
I forgot to say that I can resolve the hosts using nslookup, from IP to FQDN and from FQDN to IP.

gabriel.gheorghiu@abt.ro

  • Guest
Re: incorrect password client user login
« Reply #2 on: September 27, 2016, 08:15:14 pm »
Hi,

I had the same issue.

I had installed Zentyal more than one year ago and the password for the samba admin had expired.

I read somewhere how to change the expiration period to "never expire" with the samba admin tools, if I remember correctly, and it worked.
I think it is also written here, on this forum.

But Google search will help you.

Gabriel

PS

 https://forum.zentyal.org/index.php/topic,26766.msg98404.html#msg98404