[Samba] Problem with pam_winbind
John McCawley
jmccawley at worleyco.com
Mon Jun 3 14:37:19 GMT 2002
I'm on a Red Hat 7.2 box, and I am trying to configure PAM to use winbind
to authenticate against an NT4 PDC. I followed the instructions I
found at:
http://de.samba.org/samba/ftp/docs/htmldocs/Samba-HOWTO-Collection.html#WINBIND
I compiled the 2.2.4 source and have tried several permutations of the
setup they suggest, and have tried many solutions I've seen suggested on
different mailing lists, but nothing seems to work.
I have smb.conf set up as suggested in the document, and have succeeded
in joining my NT domain with smbpasswd. The command 'getent passwd'
properly returns the list of users on my PDC. The problem comes in when
I try to use the pam_winbind.so module for logins or ssh (I have not
tried anything else). My current configuration is this:
/etc/pam.d/system-auth
-----------------------------
auth sufficient /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_winbind.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_winbind.so use_first_pass
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
-----------------------------
/etc/nsswitch.conf
-----------------------------
passwd: files nisplus winbind
shadow: files nisplus
group: files nisplus winbind
-----------------------------
If I log in as:
mydomain+username
It fails. My Linux system log reports: (machine names changed)
Jun 3 16:12:42 casey pam_winbind[11588]: request failed, PAM error was 4, NT error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
Jun 3 16:12:42 casey pam_winbind[11588]: internal module error (retval = 4, user = `mydomain+username'
My NT PDC reports:
The session setup from the computer CASEY failed because there is no
trust account in the security database for this computer. The name of
the account referenced in the security database is CASEY$.
Note that I had originally put the reference to pam_winbind in the login
file, but put it in system-auth after that didn't work. Note also that
I tried it with pam_env and pam_unix both set to required.
I have tried removing and re-adding casey from the PDC, I have tried
adding at the PDC first, and then using smbpasswd. I've tried this in
reverse order. I've tried only using smbpasswd, I've tried only adding
it at the PDC. I've tried deleting the /etc/samba/secrets.tdb file and
re-adding.
The only odd thing about my setup is that I installed from source over
the Red Hat RPM install, and the files are a little messy. I've tried to
go through and make sure all of the stuff in /usr/sbin and /usr/bin are
symlinks to the stuff in /usr/local/samba/bin, but I may have missed
something. At any rate I don't think that's the problem.
Any ideas?