[Samba] PAM winbind authentication problem NT domain
Martin Vuille
martin at jpmvrealtime.com
Sun Apr 10 08:34:55 MDT 2011
I have Samba Version 3.5.8-74.fc13 (Fedora 13) set up as the PDC for an NT
domain.
I have several Windows XP Pro and Windows 7 Ultimate workstations as
domain members and everything is working fine. Domain users can log in
at the workstations, access shares on the Samba server and the other
workstations, etc.
I am in the process of adding Samba Version 3.5.8-76.fc14 (Fedora 14) as
an additional domain member. x86_64 arch, if that matters. So far I have
joined it to the domain, other workstations can see it and can access its
shares. With smbclient I can access shares on other domain members.
I want to enable authentication via PAM and winbind (Version 3.5.8-74.fc14).
I have things set up to the point where "wbinfo -u", "wbinfo -g",
"getent passwd" and "getent group" are all showing the lists of domain
users and groups. PAM has been configured as well.
But here's the rub: authentication of domain users on this workstation is
failing. When I try to log in using domain credentials, this fails with
the error NT_STATUS_NO_SUCH_USER.
If I use "wbinfo -a user%password", I get the following results:
plaintext password authentication failed
Could not authenticate user%password with plaintext password
challenge/response authentication succeeded
In the logs, I see the error NT_STATUS_NO_SUCH_USER.
At this point, I'm not sure how to proceed. Should I be investigating why
plaintext authentication is failing and trying to fix it, or should I be
trying to get pam_winbind to use challenge/response authentication
instead, since that works?
I am under the impression that plaintext authentication is obsolete and
insecure (I have "encrypt passwords = yes" configured in smb.conf on both
PDC and workstation), so my inclination is towards the latter.
smb.conf from workstation (manually retyped, might have minor typos, names
and addresses changed):
netbios name = NAME
server string =
workgroup = DOMAIN
security = domain
password server = *
encrypt passwords = yes
wins server = 66.67.68.69
winbind separator = .
idmap uid = 500-599
idmap gid = 500-599
idmap backend = tdb
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%u
template shell = /bin/bash
winbind rpc only = yes
winbind offline logon = yes
winbind normalize names = yes
Any suggestions or advice for investigating deeper would be greatly
appreciated.
(Could the version difference between samba-winbind and the other parts of
samba be the problem? I had to manually download the rpm and force an
install. Trying to install with yum did not work as the x86_64
samba-winbind seemed to require i686 dependencies instead of using the
corresponding x86_64 packages I already had.)
MV