W2K Domain Login Problem with 2.2.0
PeRcY YuEn
percy at py.dhs.org
Mon Apr 23 20:14:06 GMT 2001
Andrew,
Finally got some time to make some more tests. First, smbclient works
perfectly fine with both plaintext and encrypted passwords.
I want to see the debug messages from PAM very much as well - but I am
still unable to tame the ancient Solaris PAM stuff to give me some. I have
tried adding "debug" to pam.conf as well as tweaking some syslog.conf
settings, but still no luck.
As for other PAM apps, I have openssh running perfectly on that machine.
And BTW, the machine is running NIS+ (slave). So I assume the pam_unix.so
works fine with NIS+. I also tried radiusd-cistron which provides me
with some successful messages like:
# /usr/local/sbin/radiusd -x
Starting - reading configuration files ...
Ready to process requests.
radrecv: Request from host 127.0.0.1 code=1, id=54, length=89
User-Name = "percy"
.....
pam_pass: using pamauth string <radius> for pam.conf lookup
pam_pass: function pam_start succeeded for <percy>
pam_pass: function pam_authenticate succeeded for <percy>
pam_pass: function pam_acct_mgmt succeeded for <percy>
I actually don't have the service "radius" configured for PAM. My
"other" service lines are quite standard on Solaris:
other auth required /usr/lib/security/pam_unix.so.1
other account required /usr/lib/security/pam_unix.so.1
other session required /usr/lib/security/pam_unix.so.1
other password required /usr/lib/security/pam_unix.so.1
It looks like something's wrong inside the samba code.
Regards,
Percy
On Sun, 22 Apr 2001, Andrew Bartlett wrote:
> Try enabling and logging into SWAT, or enabling plaintext passwords and
> using smbclient. See if you can login. That will tell us if you're
> passing PAM's account test normally. Also add 'debug' to the pam config
> lines. There may be some weird problem where an account that hasn't
> passed password authentication can't pass account management. Do you run
> OpenSSH on your machine? Does it login (using PAM, using rsa keys)?
>
> What other apps do you run that you KNOW use PAM?
>
> Just trying to correlate some data, I'd like to get to the bottom of
> this.
>
> Andrew Bartlett
>
> PeRcY YuEn wrote:
> >
> > Steve and Andrew,
> >
> > My /etc/pam.conf has entries:
> > samba auth required /usr/lib/security/pam_unix.so.1
> > samba account required /usr/lib/security/pam_unix.so.1
> >
> > My log at debuglevel=4 shows:
> > [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_start(160)
> > PAM: Init user: percy
> > [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_start(173)
> > PAM: setting rhost to: pc06.domain
> > [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_start(181)
> > PAM: setting tty
> > [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_start(188)
> > PAM: Init passed for user: percy
> > [2001/04/22 13:03:26, 4] passdb/pampass.c:pam_account(246)
> > PAM: Account Management for User: percy
> > [2001/04/22 13:03:26, 0] passdb/pampass.c:pam_account(262)
> > PAM: User "percy" is NOT known to account management
> > [2001/04/22 13:03:26, 2] passdb/pampass.c:pam_error_handler(66)
> > PAM: Account Check Failed : No account present for user
> > [2001/04/22 13:03:26, 4] passdb/pampass.c:proc_pam_end(144)
> > PAM: PAM_END OK.
> > [2001/04/22 13:03:26, 0] passdb/pampass.c:pam_accountcheck(381)
> > PAM: Account Validation Failed - Rejecting User!
> >
> > User "percy" is a valid account on the machine running samba. Logon to
> > W2K workstations worked fine when samba was configured NOT to use PAM. I
> > have tested getpwnam() on the samba machine using the following short
> > program:
> >
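> > #include <pwd.h>
> > #include <stdio.h>
> > int main(void){
> > /* look up the account through the system name service */
> > struct passwd *p = getpwnam("percy");
> > if (p) printf("%d\n",(int)p->pw_uid);
> > return 0;
> > }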
> >
> > and I think getpwnam() works fine as well. Maybe I have screwed up with
> > the pam.conf lines? Any idea?
> >
> > Regards,
> > Percy
> >
> > On Sat, 21 Apr 2001, Steve Langasek wrote:
> >
> > > On Sun, 22 Apr 2001, Andrew Bartlett wrote:
> > >
> > > > Samba now checks with pam's account management facility as to the
> > > > validity of usernames, even if it is using encrypted passwords. This
> > > > was added just before release.
> > >
> > > Yes, which is why it's important to see what the pam config says. Surely,
> > > 'PAM_USER_UNKNOWN' is a strange error to suddenly have appear when everything
> > > worked well before; Samba is notoriously unforgiving of usernames which don't
> > > map to something that can be resolved with getpwnam(). Either the improved
> > > PAM support in Samba 2.2.0 has uncovered a bug in the Solaris defaults, or
> > > vice-versa.
> > >
> > > Steve Langasek
> > > postmodern programmer
> > >
>
>
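
The radiusd test in this message ran with no "radius" entries in pam.conf, while smbd has explicit "samba" auth and account lines, so the two programs do not necessarily run the same stacks. As an added example (not part of the original thread and not Samba code), this Python script resolves which pam.conf lines apply to a service for each module type and whether each line carries the debug option. The per-module-type fallback to "other" is an assumption, the function names are hypothetical, and the sample file is constructed from the entries quoted above.

```python
# Constructed sample: the pam.conf entries quoted in this thread.
PAM_CONF = """\
samba  auth     required  /usr/lib/security/pam_unix.so.1
samba  account  required  /usr/lib/security/pam_unix.so.1
other  auth     required  /usr/lib/security/pam_unix.so.1
other  account  required  /usr/lib/security/pam_unix.so.1
other  session  required  /usr/lib/security/pam_unix.so.1
other  password required  /usr/lib/security/pam_unix.so.1
"""
MODULE_TYPES = ("auth", "account", "session", "password")

def parse_pam_conf(text):
    """Return (service, module_type, control, path, options) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1].lower() not in MODULE_TYPES:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append((fields[0].lower(), fields[1].lower(),
                        fields[2], fields[3], fields[4:]))
    return entries

def effective_stack(entries, service, mtype):
    """Return (source service name, stack) for one module type.
    Assumption: a service with no line for this module type falls back
    to the "other" lines for that module type."""
    for name in (service.lower(), "other"):
        stack = [e for e in entries if e[0] == name and e[1] == mtype]
        if stack:
            return name, stack
    return None, []

def report(text, service):
    """Map module type -> (source service, [(module path, has 'debug')])."""
    entries = parse_pam_conf(text)
    out = {}
    for mtype in MODULE_TYPES:
        source, stack = effective_stack(entries, service, mtype)
        out[mtype] = (source, [(e[3], "debug" in e[4]) for e in stack])
    return out

if __name__ == "__main__":
    for svc in ("samba", "radius"):
        for mtype, (source, mods) in report(PAM_CONF, svc).items():
            print(f"{svc:7} {mtype:9} from={source} {mods}")
```

Running it against the real /etc/pam.conf shows at a glance whether the "debug" option landed on the lines the failing service actually uses.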