[Samba] Problem using winbind and pam to auth win2k Domain Users

Goodrich, Wayne GoodrichWay at mhs.medserv.net
Tue Apr 16 12:08:02 GMT 2002

When I try to log on as a domain user after joining the domain and verifying
the users with wbinfo -u, I get "Authentication service cannot retrieve
authentication info." I'm using DOMAIN+user and entering the correct
password. When I use a bogus password, I just get "Login failed" as

Debian Linux / Samba 2.2.3a-6


# The PAM configuration file for the Shadow `login' service
# NOTE: If you use a session module (such as kerberos or NIS+)
# that retains persistent credentials (like key caches, etc), you

# auth       required   pam_issue.so issue=/etc/issue

# Refuses root logins on terminals that are not listed in /etc/securetty.
auth       required    pam_securetty.so
# NOTE(review): "sufficient" ends the auth stack as soon as winbind accepts
# the password (and no earlier required module has failed), so pam_nologin,
# pam_env and pam_unix below are never run for domain users. If /etc/nologin
# must also keep domain users out, pam_nologin has to be placed above this line.
auth	   sufficient  pam_winbind.so

auth       required    pam_nologin.so

auth       required   pam_env.so

# use_first_pass reuses the password already typed for pam_winbind instead of
# prompting again. nullok lets local accounts with an empty password log in;
# drop it unless that is intended.
auth       required   pam_unix.so use_first_pass nullok

# auth       optional   pam_group.so

# account    requisite  pam_time.so

# account  required       pam_access.so

# Standard Un*x account and session
# NOTE(review): the order here is the reverse of the auth stack. pam_unix is
# "required" and runs first, so its failure cannot be overridden by the
# "sufficient" winbind line that follows. A domain-only user has no local
# shadow entry, which is the likely source of the "Authentication service
# cannot retrieve authentication info" message in the post - confirm by
# listing the pam_winbind account line before the pam_unix one.
account    required    pam_unix.so
account	   sufficient  pam_winbind.so
session    required    pam_unix.so

# session    required   pam_limits.so

session    optional   pam_lastlog.so

session    optional   pam_motd.so

session    optional   pam_mail.so standard noenv

# Applies to local password changes only. min=4 accepts very short passwords,
# and nullok allows changing from an empty one; the commented-out pam_cracklib
# pair below is the stricter alternative.
password   required   pam_unix.so nullok obscure min=4 max=8 md5

# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5


# NOTE(review): the post does not say which PAM service this second stack
# belongs to.
# Every module below is "required", so each phase succeeds only if BOTH
# pam_winbind and pam_unix succeed: a domain-only user fails the pam_unix
# lines and a local-only user fails the pam_winbind lines.
auth		required	/lib/security/pam_winbind.so
# No use_first_pass here, so pam_unix presumably asks for the password a
# second time - verify. nullok accepts local accounts with an empty password.
auth 		required	pam_unix.so nullok
account	required	/lib/security/pam_winbind.so
account	required	pam_unix.so
# pam_mkhomedir creates a missing home directory when the session opens.
session	required	/lib/security/pam_mkhomedir.so
session 	required	/lib/security/pam_winbind.so
session	required	pam_unix.so
password	required	/lib/security/pam_winbind.so
password	required	pam_unix.so


#======================= Global Settings =======================


# Change this for the workgroup/NT-domain name your Samba server will be part of
   workgroup = MCCLELLAN

# server string is the equivalent of the NT Description field
   server string = %h server (Samba %v)

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
;   load printers = yes

# You may wish to override the location of the printcap file
;   printcap name = /etc/printcap

# 'printing = cups' works nicely
;   printing = bsd

;   guest account = nobody
# Denies the root account access to Samba services.
   invalid users = root

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 1000

# If you want Samba to log though syslog only then set the following
# parameter to 'yes'. Please note that logging through syslog in
# Samba is still experimental.
;   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smb,nmb} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# security_level.txt for details.
# The stock comment above describes "user"; the active value here is "domain",
# where Samba hands password validation to the domain controller.
# NOTE(review): no "password server", "winbind separator", "winbind uid" or
# "winbind gid" lines appear in this excerpt. The poster logs in as DOMAIN+user,
# so a "+" separator is presumably set in a part of the file not shown - confirm.
   security = domain

# You may wish to use password encryption. Please read ENCRYPTION.txt,
# Win95.txt and WinNT.txt in the Samba documentation. Do not enable this
# option unless you have read those documents
# Encrypted passwords are needed when security = domain.
   encrypt passwords = true 

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY

Thanks in advance for any suggestions.


