W2K Domain Login Problem with 2.2.0

Steve Langasek vorlon at netexpress.net
Mon Apr 23 14:38:56 GMT 2001


On Tue, 24 Apr 2001, Andrew Bartlett wrote:

> I 100% disagree.  It is fundamentally broken to allow a user to access a
> server's resources if the admin has specifically banned them from doing
> just that.  Every other authentication service on the server obeys this
> directive, just not samba.  Added to that, samba claims to have pam
> support, and admins expect that to be implemented properly.  (Hence much
> of my hard work over the last little while, and I have more PAM patches
> waiting for submission).

> What we need is documentation. (I wrote a change for one of the
> manpages, but I think it got left/stuck on tridge's computer).

> We have only had 3 cases so far (that I have seen), and it only affected
> domain logons - they were marked as experimental anyway, and only from
> Win2k.  I think there might be some small weird interaction in the
> presentation of the username to PAM in that case, but I haven't got to
> the bottom of it.

The logfile snippets Percy provided clearly show that the username being
rejected by PAM is the correct username (unless you're proposing that Win2k
has mangled the name in such a way that there are trailing invisible garbage
chars in the username string, which don't show up in the logfile and don't
prevent Samba from authenticating it, but which do prevent PAM from resolving
the username?).

Percy,
If you change the line

samba   account required        /usr/lib/security/pam_unix.so.1

in your /etc/pam.conf to read

samba   account required        /usr/lib/security/pam_permit.so.1

instead, does this give better results?  Theoretically, this change should
restore Samba's previous behavior as of 2.0.7.  (Assuming that you have
/usr/lib/security/pam_permit.so.1 on your system; I admit that I'm rather
ignorant of what modules Solaris includes.)

Regards,
Steve Langasek
postmodern programmer
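Added example, not part of this thread or of Samba's own code: the suggested swap of pam_unix for pam_permit in the samba account stack is a diagnostic, and leaving it in place means the account checks pam_unix performs (locked or expired accounts) are no longer applied to Samba logons. The script below parses a Solaris-style pam.conf (service, type, control, module path, optional options), resolves the account stack for a service with the usual fallback to the "other" service, and flags pam_permit or a missing account stack. The pam.conf contents are constructed for the example; the function and variable names are this example's own.

```python
"""Audit the 'account' stack for a PAM service in a Solaris-style pam.conf.

Added example for the samba-technical thread above; not Samba code.
Solaris pam.conf lines have the form:
    service  type  control  module_path  [options...]
pam_permit always returns success, so with it in the account stack the
checks pam_unix would apply (locked/expired accounts) are bypassed.
"""

from dataclasses import dataclass

# Constructed sample pam.conf: the 'samba account' line as it appears in the
# thread, plus unrelated entries so the parser has to filter by service/type.
SAMPLE_PAM_CONF = """\
# /etc/pam.conf (constructed sample for this example)
login   auth     required   /usr/lib/security/pam_unix.so.1
login   account  required   /usr/lib/security/pam_unix.so.1
samba   auth     required   /usr/lib/security/pam_unix.so.1
samba   account  required   /usr/lib/security/pam_unix.so.1
other   account  required   /usr/lib/security/pam_unix.so.1
"""

# The same file after the diagnostic change suggested in the mail above.
DEBUG_PAM_CONF = SAMPLE_PAM_CONF.replace(
    "samba   account  required   /usr/lib/security/pam_unix.so.1",
    "samba   account  required   /usr/lib/security/pam_permit.so.1",
)


@dataclass
class PamEntry:
    service: str
    type: str
    control: str
    module: str
    options: tuple


def parse_pam_conf(text):
    """Parse pam.conf text into PamEntry records, ignoring comments and blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"pam.conf line {lineno}: expected 4+ fields, got {raw!r}")
        service, ptype, control, module, *options = fields
        entries.append(PamEntry(service.lower(), ptype.lower(), control.lower(),
                                module, tuple(options)))
    return entries


def account_stack(entries, service):
    """Entries run for the 'account' type of `service`; falls back to the
    'other' service when the service has no account entries, as PAM does."""
    stack = [e for e in entries if e.service == service and e.type == "account"]
    if not stack:
        stack = [e for e in entries if e.service == "other" and e.type == "account"]
    return stack


def audit_account_stack(text, service="samba"):
    """Return (module paths, findings) for the service's account stack.

    Findings: an empty stack (no account management at all) or any
    pam_permit module (account restrictions unconditionally bypassed)."""
    stack = account_stack(parse_pam_conf(text), service)
    modules = [e.module for e in stack]
    findings = []
    if not stack:
        findings.append(f"{service}: no account stack; locked/expired accounts are not checked")
    for e in stack:
        base = e.module.rsplit("/", 1)[-1]
        if base.startswith("pam_permit"):
            findings.append(f"{service}: account stack uses {base}; pam_unix account checks are bypassed")
    return modules, findings


if __name__ == "__main__":
    for label, conf in (("production", SAMPLE_PAM_CONF), ("debug", DEBUG_PAM_CONF)):
        modules, findings = audit_account_stack(conf)
        print(label, modules, findings or "OK")
```

Run it against the real /etc/pam.conf after debugging is finished; the "debug" variant should produce a finding, the "production" one should not.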
