W2K Domain Login Problem with 2.2.0

Steve Langasek vorlon at netexpress.net
Sun Apr 22 15:10:41 GMT 2001

On Sun, 22 Apr 2001, Jeremy Allison wrote:

> On Sun, Apr 22, 2001 at 06:41:06PM +1000, Andrew Bartlett wrote:

> > There seems to be a bug in the interaction between Win2k domain logons
> > and PAM account managment.  It is not present for my NT4 (no SP) VMware
> > session.

> > I currently don't have access to a Win2k machine, so can't particuarly
> > test any further.  I suspect that the username being passed to PAM is in
> > some way slightly malformed, such that the account management fails.

> I have a w2k vmware session and can test that at home
> tomorrow (it's very late here California time). Are
> you meaning setting up Samba as a PDC configured as
> --with-pam ? If so I'll test that tomorrow....

> I'm running on RedHat 6.2, without the pam_stack modile.
> My current pam.d/samba file looks like :

> auth            required        /lib/security/pam_pwdb.so nullok shadow
> account         required        /lib/security/pam_pwdb.so
> session         required        /lib/security/pam_pwdb.so
> password        required        /lib/security/pam_pwdb.so

> - is this enough to reproduce it, or do I need to use
> the pam_stack stuff ?

That should be enough to let you debug and determine why we're getting a
PAM_USER_UNKNOWN error, unless it's a problem specifically with Solaris's
pam_unix module.  I wouldn't recommend the above configuration on a production
system, though; pam_pwdb is abysmally slow.

pam_stack isn't needed.  Well, I'd argue that pam_stack is never needed, and
RedHat should've addressed the issue by setting sane defaults for the 'other'
service, but that's another tale for another time.

Steve Langasek
postmodern programmer

More information about the samba-technical mailing list