W2K Domain Login Problem with 2.2.0
abartlet at pcug.org.au
Sun Apr 22 07:17:58 GMT 2001
Try enabling and logging into SWAT, or enabling plaintext passwords and
using smbclient. See if you can log in. That will tell us if you're
passing PAM's account test normally. Also add 'debug' to the pam config
lines. There may be some weird problem where an account that hasn't
passed password authentication can't pass account management. Do you run
OpenSSH on your machine? Does it log in (using PAM, using rsa keys)?
What other apps do you run that you KNOW use PAM?
Just trying to correlate some data, I'd like to get to the bottom of
PeRcY YuEn wrote:
> Steve and Andrew,
> My /etc/pam.conf has entries:
> samba auth required /usr/lib/security/pam_unix.so.1
> samba account required /usr/lib/security/pam_unix.so.1
> My log at debuglevel=4 shows:
> [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_start(160)
> PAM: Init user: percy
> [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_start(173)
> PAM: setting rhost to: pc06.domain
> [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_start(181)
> PAM: setting tty
> [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_start(188)
> PAM: Init passed for user: percy
> [2001/04/22 13:03:26, 4] passdb/pampass.c:pam_account(246)
> PAM: Account Management for User: percy
> [2001/04/22 13:03:26, 0] passdb/pampass.c:pam_account(262)
> PAM: User "percy" is NOT known to account management
> [2001/04/22 13:03:26, 2] passdb/pampass.c:pam_error_handler(66)
> PAM: Account Check Failed : No account present for user
> [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_end(144)
> PAM: PAM_END OK.
> [2001/04/22 13:03:26, 0] passdb/pampass.c:pam_accountcheck(381)
> PAM: Account Validation Failed - Rejecting User!
> User "percy" is a valid account on the machine running Samba. Logon to
> W2K workstations worked fine when Samba was configured NOT to use PAM. I
> have tested getpwnam() on the Samba machine using the following short
> #include <stdio.h>
> #include <pwd.h>
> int main(void) {
>     struct passwd *p = getpwnam("percy");  /* NULL if the name cannot be resolved */
>     if (p) printf("%ld\n", (long)p->pw_uid);
> }
> and I think getpwnam() works fine as well. Maybe I have screwed up with
> the pam.conf lines? Any idea?
> On Sat, 21 Apr 2001, Steve Langasek wrote:
> > On Sun, 22 Apr 2001, Andrew Bartlett wrote:
> > > Samba now checks with pam's account management facility as to the
> > > validity of usernames, even if it is using encrypted passwords. This
> > > was added just before release.
> > Yes, which is why it's important to see what the pam config says. Surely,
> > 'PAM_USER_UNKNOWN' is a strange error to suddenly have appear when everything
> > worked well before; Samba is notoriously unforgiving of usernames which don't
> > map to something that can be resolved with getpwnam(). Either the improved
> > PAM support in Samba 2.2.0 has uncovered a bug in the Solaris defaults, or
> > vice-versa.
> > Steve Langasek
> > postmodern programmer
abartlet at pcug.org.au
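
Added illustration, not part of the original messages and not Samba code: a Python sketch that parses smbd debug-log records in the layout quoted above and reports users whose PAM init passed but who were then rejected at account management. It assumes records from one smbd process are not interleaved between users; the sample is constructed from the quoted log, and the `alice` record is invented.

```python
import re

# Constructed sample: header "[timestamp, level] file:function(line)",
# then the message on the following line (layout as quoted in the thread).
SAMPLE_LOG = """\
[2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_start(188)
  PAM: Init passed for user: percy
[2001/04/22 13:03:26, 4] passdb/pampass.c:pam_account(246)
  PAM: Account Management for User: percy
[2001/04/22 13:03:26, 0] passdb/pampass.c:pam_account(262)
  PAM: User "percy" is NOT known to account management
[2001/04/22 13:03:26, 2] passdb/pampass.c:pam_error_handler(66)
  PAM: Account Check Failed : No account present for user
[2001/04/22 13:03:26, 0] passdb/pampass.c:pam_accountcheck(381)
  PAM: Account Validation Failed - Rejecting User!
[2001/04/22 13:04:10, 4] passdb/pampass.c:proc_pam_start(188)
  PAM: Init passed for user: alice
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")
USER = re.compile(r'[Uu]ser:? "?(?P<user>[^"\s]+)"?')

def parse_records(text):
    """Pair each header line with the message line(s) that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            current = dict(m.groupdict(), msg="")
            records.append(current)
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return records

def account_rejections(text):
    """List users rejected by the PAM account check, with the stage reached."""
    findings, state = [], {}
    for rec in parse_records(text):
        m = USER.search(rec["msg"])
        if m and m["user"] != state.get("user"):
            state = {"user": m["user"], "init_passed": False, "reason": None}
        if "Init passed" in rec["msg"]:
            state["init_passed"] = True
        elif rec["func"] == "pam_error_handler":
            state["reason"] = rec["msg"]  # PAM error text reported by smbd
        elif "Rejecting User" in rec["msg"] and state.get("user"):
            findings.append(dict(state, ts=rec["ts"]))
    return findings
```

A finding with `init_passed` true and a `reason` from `pam_error_handler` points at the `account` line of the PAM configuration rather than at password authentication.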