Unable to authenticate users from PDC using winbind

Mark Cooke mark at mmebs.co.uk
Thu Jan 3 03:19:02 GMT 2002

Sorry If this has been asked before, but I cannot seem to find any 
reference in the archives.

Ive Installed samba-2.2.2-6 built from RedHat Rawhide on a RH 7.1 
system,and we are running an
NT  primary domain controller for the user authentication
We wish to use winbind to authencate users when they login on our linux
boxs,so if they have an account on the PDC then providing that service is
setup with pam to use windbind, then they can log into the Linux box's
using their NT passwds (as this will make setting up and looking after
passwords easier for ftp, ssh , mail users etc..)

The Story so far

Winbind can talk to the pdc (Primary Domain Controller) as it can list all
the users on the domain using: getent passwd & getent groups, eg:

MMEBS+tempuserx1011210000Temporay User/home/MMEBS/tempuser/bin/bash

and Ive copied all the correct pam modules over for winbind and set up the
smb.conf file as below, and also started smb and winbindd.

Below are extracts from what I presume would be the relevent sections of my 
/etc/samba/smb.conf file:



    winbind separator = +
    winbind cache time = 10
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind uid = 10000-20000
    winbind gid = 10000-20000

# workgroup = NT-Domain-Name or Workgroup-Name
    workgroup = MMEBS

# server string is the equivalent of the NT Description field
    server string = Samba Winbind Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
    hosts allow =

# Security mode. Most people will want user level security. See
# security_level.txt for details.
    security = domain
# Use password server option only with security = server
    password server = ODIN, ODDJOB


"winbind" is also listed in /etc/nsswitch.conf on the "passwd", "group", 
and "shadow" lines.
heres my login pam file as well:

auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_stack.so service=system-auth
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_deny.so

Iam at present just playing with local login direct at the pc itsself and I
can login if the user is already in the Linux system (ie useradd user-name)
etc.., but if its trying to get it from the primary domain controller, it
keeps failing with various login failed messages in /var/log/secure and

Jan  3 092232 scaramanga login(pam_unix)[883] check pass; user unknown
Jan  3 092232 scaramanga login(pam_unix)[883] authentication failure; 
logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Jan  3 092239 scaramanga login[883] FAILED LOGIN 1 FROM (null) FOR 
MMEBS+tempuser, Authentication failure

but Iam still unable to login in using any user from the DOMAIN+username,

This may help, but it keeps asking for the passwd twice before denying my login

login MMEBS+tempuser


Having read all the winbind howto's and faq's I can find Iam still no
nearer being able to use winbind, than when I started,
could anyone with some experience in setting up winbind on Linux point me
in the right direction or advise me where I may be going wrong..

Thanks in advance.


Mark Cooke
Internet Operations Technician
MM Group Ltd
Tel: 8141 (Internal)
Tel: (0117) 9168141 (External)
Email: mark at mmebs.co.uk

More information about the samba-ntdom mailing list