[Samba] SUMMARY: winbind NT_STATUS_INVALID_PARAMETER
LAUTIER Sabrina
slautier at lavache.com
Fri Jun 7 03:23:03 GMT 2002
I solved my issue by simply logging in as "DOMAIN+toto" and not only as
"toto"!
---------------------------------------
lima login: DOMAIN+toto
password:
Last login: Fri Jun 7 09;53:01 on tty1
bash-2.05$
---------------------------------------
As my linux box was part of the win2k domain and the local linux
account didn't exist I thought that I didn't have to specify the
domain name before the win2k account.
So both samba and PAM were well configured.
Cheers,
Sab
> ---------------- Beginning of the original message ------------------
> Hi,
>
> I'm running a linux RedHat 7.2 box with samba 2.2.4.
> I want to use winbind for authentication.
> The samba server is a member server in a W2K domain.
> I followed the steps in the winbind help which comes with the samba
> distribution (http://localhost:901/swat/help/winbind.html).
> Joining the domain was successful:
> $ smbpasswd -j DOMAIN -r PDC -U toto
> | INFO: Debug class all level = 100 (pid 3643 from pid 3643)
> | Password:
> | Joined domain DOMAIN.
>
> and wbinfo -t returns secret is good:
> $ wbinfo -t
> | Secret is good
>
> wbinfo -u and wbinfo -g show the domain users and groups.
> getent passwd and getent group show both local and win2k unix users
> and groups.
>
> When I try to log into the linux samba box with a valid win2k account
> I get the following error in log file /var/log/messages:
> | Jun 5 11:36:34 lima pam_winbind[15139]: request failed, PAM error was 4, NT error was
> | NT_STATUS_INVALID_PARAMETER
> | Jun 5 11:36:34 lima pam_winbind[15139]: internal module error (retval = 4, user =
> | `toto'
> | Jun 5 11:36:34 lima login(pam_unix)[15139]: check pass; user unknown
> | Jun 5 11:36:34 lima login(pam_unix)[15139]: authentication failure; logname=LOGIN
> | uid=0 euid=0 tty=tty1 ruser= rhost=
> | Jun 5 11:36:40 lima login(pam_unix)[15139]: check pass; user unknown
> | Jun 5 11:36:42 lima login[15139]: FAILED LOGIN 1 FROM (null) FOR toto,
> | Authentication failure
>
> $ wbinfo -a stoto%passworrd
> | plaintext password authentication failed
> | error code was NT_STATUS_INVALID_PARAMETER (0xc000000d)
> | Could not authenticate user toto%password with plaintext password
> | challenge/response password authentication succeeded
> | error code was NT_STATUS_OK (0x0)
>
> $ tail -f log.winbind
> | [2002/06/05 12:12:56, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(118)
> | Plain-text authenticaion for user toto returned NT_STATUS_INVALID_PARAMETER
> | (PAM: 4)
>
> My smb.conf file contains the following lines:
>
> ---------------------------------------------------------------------------------
> [global]
> workgroup = DOMAIN
> netbios name = LIMA
> server string = Linux with Samba (%v) on %L
> wins server = x.x.x.x
> security = domain
> password server = PDC
> message command = csh -c 'xedit %s; rm %s' &
> # password
> encrypt passwords = Yes
> unix password sync = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *new*password* %n\n *new*password* %n\n *success*
> passwd chat debug = Yes
> # users
> invalid users = root bin daemon adm sync shutdown \
> halt mail news uucp operator gother
> #
> # winbind
> #
> # separate domain and username with '+', like DOMAIN+username
> winbind separator = +
> # use uids from 10000 to 20000 for domain users
> winbind uid = 10000-20000
> # use gids from 10000 to 20000 for domain groups
> winbind gid = 10000-20000
> # allow enumeration of winbind users and groups
> winbind enum users = yes
> winbind enum groups = yes
> # give winbind users a real shell (only needed if they have telnet access)
> template homedir = /home/win2k/%D/%U
> template shell = /bin/bash
> #
> # log config
> #
> log level = 2
> log file = /var/log/samba.log
>
> ---------------------------------------------------------------------------------
>
> As you can see, the 'encrypt passwords' option is set to yes.
>
> Here is the /etc/pam.d/login file content:
>
> ---------------------------------------------------------------------------------
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth sufficient /lib/security/pam_winbind.so
> auth sufficient /lib/security/pam_unix.so use_first_pass
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account sufficient /lib/security/pam_winbind.so
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
>
> ---------------------------------------------------------------------------------
>
> I've compiled samba with the following options:
> --with-smbwrapper --with-automount --with-smbmount
> --with-pam --with-pam_smbpass --with-ssl --with-quotas
> --with-acl-support --with-ldapsam --with-syslog
>
> Any idea about how to solve this issue ?
>
> Any help would be greatly appreciated.
>
> Thanks.
>
> Sabrina
> IT engineer
> France
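Added example (not part of the original messages, and not Samba code): a small log check that pairs each pam_winbind NT_STATUS_INVALID_PARAMETER with the user name logged by the same PID and flags names that lack the `winbind separator` from smb.conf, the situation resolved above. The sample smb.conf and log text are constructed from the excerpts in this thread, and the function names are hypothetical.

```python
import re
# Constructed sample input modelled on the smb.conf and /var/log/messages
# excerpts quoted above (not a verbatim copy of either).
SMB_CONF = """[global]
   workgroup = DOMAIN
   ; separate domain and username with '+', like DOMAIN+username
   Winbind Separator = +
"""
LOG = """\
Jun  5 11:36:34 lima pam_winbind[15139]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jun  5 11:36:34 lima pam_winbind[15139]: internal module error (retval = 4, user = `toto'
Jun  7 10:02:11 lima pam_winbind[15201]: user 'DOMAIN+toto' granted access
"""

def global_settings(conf_text):
    """[global] parameters as a dict; names compared without case or spaces."""
    settings, section = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            settings["".join(name.split()).lower()] = value.strip()
    return settings

PAM_LINE = re.compile(r"pam_winbind\[(\d+)\]: (.*)")
NT_ERROR = re.compile(r"NT error was (\w+)")
FAILED_USER = re.compile(r"internal module error \(retval = \d+, user = `([^']*)'")

def unqualified_failures(log_text, conf_text):
    """Return (logged name, qualified suggestion) for failed bare-name logins."""
    conf = global_settings(conf_text)
    sep = conf.get("winbindseparator", "\\")  # Samba's default separator
    domain = conf.get("workgroup", "WORKGROUP")
    last_error, findings = {}, []
    for pid, msg in PAM_LINE.findall(log_text):
        err, user = NT_ERROR.search(msg), FAILED_USER.search(msg)
        if err:  # remember the NT status this PID reported last
            last_error[pid] = err.group(1)
        elif user and last_error.get(pid) == "NT_STATUS_INVALID_PARAMETER":
            if sep not in user.group(1):
                findings.append((user.group(1), domain + sep + user.group(1)))
    return findings

if __name__ == "__main__":
    for name, qualified in unqualified_failures(LOG, SMB_CONF):
        print(f"{name!r} failed without a domain prefix; try {qualified!r}")
```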