[Samba] Samba/winbind with Active Directory auth

Frank Gruman fgatwork at verizon.net
Mon Jan 18 10:48:42 MST 2010


On Mon, 2010-01-18 at 16:33 +0100, Kris Kaido wrote:

> Hi List,
> 
> I'm installing a Samba server with the intended purpose of serving files to
> Windows users with seamless authentication on the smb server.
> For that, I've been reading and following every single google search result
> regarding the subject, but it seems I'm stuck at some point where other
> people are not blocked ...
> 
> To summarize, I have these commands OK:
> # kinit admin_user@DOMAIN.EXAMPLE.COM
> # klist (ticket ok)
> # net join ads -S server -U admin_user
> # wbinfo -u and -g (both showing "DOMAIN\...")
> # wbinfo -t (succeeded)
> 
> I configured PAM to use winbind, and to test it I'm using ssh with the same
> config as I will for samba
> 
> Here's what I get when I try to ssh into my smb server using my AD
> credentials:
> Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): getting password
> (0x00000000)
> Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): request failed:
> Named pipe dicconnected, PAM error was System error (4), NT error was
> NT_STATUS_PIPE_DISCONNECTED
> Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): internal module
> error (retval = 4, user = 'DOMAIN\myusername')
> Jan 18 15:34:18 smb sshd[9157]: pam_unix(sshd:auth): authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.6
>  user= DOMAIN\myusername
> Jan 18 15:34:20 smb sshd[9157]: Failed password for DOMAIN\myusername from
> 192.168.5.6 port 50872 ssh2
> 
> Any idea on what this error (NT_STATUS...) means ?
> 
> Also when trying this I get an error:
> smb:~# wbinfo -a admin_user%admin_pwd
> plaintext password authentication failed
> Could not authenticate user henry_admin with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
> error messsage was: Named pipe dicconnected
> Could not authenticate user admin_user with challenge/response
> smb:~#
> 
> Here's my PAM config:
> auth    sufficient      pam_winbind.so
> auth    required        pam_unix.so use_first_pass
> account sufficient      pam_winbind.so
> account required        pam_unix.so
> session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session sufficient      pam_winbind.so
> session required        pam_unix.so
> password        requisite       pam_cracklib.so retry=3 type=
> password        sufficient      pam_unix.so nullok use_authtok md5 shadow
> password        sufficient      pam_winbind.so use_first_pass
> password        required        pam_deny.so
> 
> Any help would be greatly appreciated.
> 
> Thanks,
> 
> k.



Two things.

1 - make sure nscd is disabled (not just stopped - disable it to prevent
restarting on the next reboot)
2 - I found that using "winbind use default domain = yes" caused a lot
of my default authentication issues to go away.  I only have one domain
and so I don't need the extra information / complexity of having to
specify domains.

Regards,
Frank
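
A way to check both suggestions from the reply above on a host, as an added example that is not part of the original message or of Samba. The function names are made up for this example, the smb.conf path is supplied by the caller, and the nscd check assumes a systemd host.

```shell
#!/bin/sh
# Added example: checks for the two settings suggested in the reply.
# Function names are hypothetical; pass the smb.conf path as an argument.

# Print the effective [global] value of an smb.conf parameter (last one wins).
# smb.conf section and parameter names are case-insensitive and ignore spaces.
smbconf_global_param() {
    conf=$1 want=$2
    awk -v want="$want" '
        function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
        BEGIN { want = norm(want); insec = 0 }
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ {                                # section header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            insec = (norm(sec) == "global"); next
        }
        insec && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (norm(name) == want) found = val
        }
        END { if (found != "") print found }
    ' "$conf"
}

# Return 0 when "winbind use default domain" is set to a true boolean value.
winbind_default_domain_enabled() {
    v=$(smbconf_global_param "$1" "winbind use default domain" | tr 'A-Z' 'a-z')
    case $v in yes|true|on|1) return 0 ;; *) return 1 ;; esac
}

# Return 0 when nscd is neither running nor enabled at boot, 2 if unknown.
# Assumption: systemd host; a missing nscd unit counts as disabled.
nscd_disabled() {
    command -v systemctl >/dev/null 2>&1 || return 2
    ! systemctl is-active --quiet nscd 2>/dev/null &&
    ! systemctl is-enabled --quiet nscd 2>/dev/null
}
```

With the default domain enabled, winbind reports and accepts user names without the "DOMAIN\" prefix, so any sshd or PAM rules that match on user names need to use the short form.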

