W2K Domain Login Problem with 2.2.0

PeRcY YuEn percy at py.dhs.org
Mon Apr 23 20:14:06 GMT 2001


Andrew,

  Finally got some time to make some more tests. First, smbclient works
perfectly fine with both plaintext and encrypted passwords.

  I want to see the debug messages from PAM very much as well - but I am
still unable to tame the ancient Solaris PAM stuff to give me some. I have
tried adding "debug" to pam.conf as well as tweaking some syslog.conf
settings, but still no luck.

  As for other PAM apps, I have openssh running perfectly on that machine.
And BTW, the machine is running NIS+ (slave). So I assume the pam_unix.so
works fine with NIS+. I also tried radiusd-cistron which provides me
with some successful messages like:

# /usr/local/sbin/radiusd -x
Starting - reading configuration files ...
Ready to process requests.
radrecv: Request from host 127.0.0.1 code=1, id=54, length=89
    User-Name = "percy"
    .....
pam_pass: using pamauth string <radius> for pam.conf lookup
pam_pass: function pam_start succeeded for <percy>
pam_pass: function pam_authenticate succeeded for <percy>
pam_pass: function pam_acct_mgmt succeeded for <percy>

  I actually don't have the service "radius" configured for PAM. My
"other" service lines are quite standard on Solaris:
other	auth required	/usr/lib/security/pam_unix.so.1
other	account required	/usr/lib/security/pam_unix.so.1
other	session required	/usr/lib/security/pam_unix.so.1
other	password required	/usr/lib/security/pam_unix.so.1

  It looks like something's wrong inside the samba code.

  Regards,
  Percy

On Sun, 22 Apr 2001, Andrew Bartlett wrote:

> Try enabling and logging into SWAT, or enabling plaintext passwords and
> using smbclient.  See if you can login.  That will tell us if you're
> passing PAM's account test normally.  Also add 'debug' to the pam config
> lines.  There may be some weird problem where an account that hasn't
> passed password authentication can't pass account management.  Do you run
> OpenSSH on your machine?  Does it login (using PAM, using rsa keys)?
>
> What other apps do you run that you KNOW use PAM?
>
> Just trying to correlate some data, I'd like to get to the bottom of
> this.
>
> Andrew Bartlett
>
> PeRcY YuEn wrote:
> >
> > Steve and Andrew,
> >
> >   My /etc/pam.conf has entries:
> > samba   auth required   /usr/lib/security/pam_unix.so.1
> > samba   account required        /usr/lib/security/pam_unix.so.1
> >
> >   My log at debuglevel=4 shows:
> > [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_start(160)
> >   PAM: Init user: percy
> > [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_start(173)
> >   PAM: setting rhost to: pc06.domain
> > [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_start(181)
> >   PAM: setting tty
> > [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_start(188)
> >   PAM: Init passed for user: percy
> > [2001/04/22 13:03:26, 4] passdb/pampass.c:pam_account(246)
> >   PAM: Account Management for User: percy
> > [2001/04/22 13:03:26, 0] passdb/pampass.c:pam_account(262)
> >   PAM: User "percy" is NOT known to account management
> > [2001/04/22 13:03:26, 2] passdb/pampass.c:pam_error_handler(66)
> >   PAM: Account Check Failed : No account present for user
> > [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_end(144)
> >   PAM: PAM_END OK.
> > [2001/04/22 13:03:26, 0] passdb/pampass.c:pam_accountcheck(381)
> >   PAM: Account Validation Failed - Rejecting User!
> >
> >   User "percy" is a valid account on the machine running samba. Logon to
> > W2K workstations worked fine when samba was configured NOT to use PAM. I
> > have tested getpwnam() on the samba machine using the following short
> > program:
> >
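> > #include <pwd.h>
> > #include <stdio.h>
> > /* Print the UID if getpwnam() can resolve the user. */
> > int main(void){
> > struct passwd *p = getpwnam("percy");
> > if (p) printf("%d\n",(int)p->pw_uid);
> > return 0;
> > }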
> >
> >   and I think getpwnam() works fine as well. Maybe I have screwed up with
> > the pam.conf lines? Any idea?
> >
> >   Regards,
> >   Percy
> >
> > On Sat, 21 Apr 2001, Steve Langasek wrote:
> >
> > > On Sun, 22 Apr 2001, Andrew Bartlett wrote:
> > >
> > > > Samba now checks with pam's account management facility as to the
> > > > validity of usernames, even if it is using encrypted passwords.  This
> > > > was added just before release.
> > >
> > > Yes, which is why it's important to see what the pam config says.  Surely,
> > > 'PAM_USER_UNKNOWN' is a strange error to suddenly have appear when everything
> > > worked well before; Samba is notoriously unforgiving of usernames which don't
> > > map to something that can be resolved with getpwnam().  Either the improved
> > > PAM support in Samba 2.2.0 has uncovered a bug in the Solaris defaults, or
> > > vice-versa.
> > >
> > > Steve Langasek
> > > postmodern programmer
> > >
>
>
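
Added example, not part of the original thread and not Samba or Solaris code: a small resolver that shows which pam.conf lines a service name selects for each module type, run over the "samba" and "other" lines quoted in the messages above. It assumes that a service with no line of a given module type falls back to the "other" entries; the function names are hypothetical.

```python
# Added example: which pam.conf lines does a service get per module type?
# Assumption: no line for (service, module type) means the "other" lines apply.

# Constructed from the pam.conf lines quoted in the thread.
PAM_CONF = """\
samba\tauth required\t/usr/lib/security/pam_unix.so.1
samba\taccount required\t/usr/lib/security/pam_unix.so.1
other\tauth required\t/usr/lib/security/pam_unix.so.1
other\taccount required\t/usr/lib/security/pam_unix.so.1
other\tsession required\t/usr/lib/security/pam_unix.so.1
other\tpassword required\t/usr/lib/security/pam_unix.so.1
"""

MODULE_TYPES = ("auth", "account", "session", "password")


def parse_pam_conf(text):
    """Return (service, module_type, control_flag, module_path, options) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4 or fields[1].lower() not in MODULE_TYPES:
            continue  # empty or malformed line, skipped in this sketch
        service, mtype, control, path = fields[:4]
        entries.append((service.lower(), mtype.lower(), control, path, fields[4:]))
    return entries


def resolve(entries, service, mtype):
    """Return (source_service, stack) for one service and module type."""
    service = service.lower()
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    if own:
        return service, own
    return "other", [e for e in entries if e[0] == "other" and e[1] == mtype]


def report(entries, service):
    """Map each module type to (source_service, [module paths])."""
    out = {}
    for mtype in MODULE_TYPES:
        source, stack = resolve(entries, service, mtype)
        out[mtype] = (source, [e[3] for e in stack])
    return out


if __name__ == "__main__":
    conf = parse_pam_conf(PAM_CONF)
    for svc in ("samba", "radius"):
        for mtype, (source, paths) in report(conf, svc).items():
            print(f"{svc:7} {mtype:9} <- {source:6} {paths}")
```

Module options such as "debug" end up in the fifth tuple field, so the same parser can confirm whether a debug flag is actually present on the line a service resolves to.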
