[Samba] Problem with pam_winbind

John McCawley jmccawley at worleyco.com
Mon Jun 3 14:37:19 GMT 2002


I'm on a Red Hat 7.2 box, and I am trying to configure PAM to use winbind
to authenticate against an NT4 PDC.  I followed the instructions I
found at:
http://de.samba.org/samba/ftp/docs/htmldocs/Samba-HOWTO-Collection.html#WINBIND

I compiled the 2.2.4 source and have tried several permutations of the 
setup they suggest, and have tried many solutions I've seen suggested on 
different mailing lists, but nothing seems to work.

I have smb.conf set up as suggested in the document, and have succeeded
in joining my NT domain with smbpasswd.  The command 'getent passwd'
properly returns the list of users on my PDC.  The problem comes in when
I try to use the pam_winbind.so module for logins or ssh (I have not
tried anything else).  My current configuration is this:

/etc/pam.d/system-auth
-----------------------------
auth        sufficient    /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_winbind.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_winbind.so use_first_pass

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
-----------------------------

/etc/nsswitch.conf
-----------------------------
passwd:     files nisplus winbind
shadow:     files nisplus
group:      files nisplus winbind
-----------------------------

If I login as:
mydomain+username

It fails.  My Linux system log reports: (machine names changed)

Jun  3 16:12:42 casey pam_winbind[11588]: request failed, PAM error was 4, NT error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
Jun  3 16:12:42 casey pam_winbind[11588]: internal module error (retval = 4, user = `mydomain+username'

My NT PDC reports:
The session setup from the computer CASEY failed because there is no 
trust account in the security database for this computer.  The name of 
the account referenced in the security database is CASEY$.



Note that I had originally put the reference to pam_winbind in the login
file, but put it in system-auth after that didn't work.  Note also that
I tried it with pam_env and pam_unix both set to required.

I have tried removing and re-adding casey from the PDC, I have tried 
adding at the PDC first, and then using smbpasswd.  I've tried this in 
reverse order.  I've tried only using smbpasswd, I've tried only adding 
it at the PDC.  I've tried deleting the /etc/samba/secrets.tdb file and 
re-adding.

The only odd thing about my setup is that I installed from source over
the Red Hat RPM install, and the files are a little messy.  I've tried to
go through and make sure all of the stuff in /usr/sbin and /usr/bin are
symlinks to the stuff in /usr/local/samba/bin, but I may have missed
something.  At any rate I don't think that's the problem.

Any ideas?  





