[Samba] Problem with pam_winbind

Oliver Thinnes O.Thinnes at pulsaar.de
Mon Jun 3 23:09:02 GMT 2002

I have the same situation as you have (redhat 7.2, samba 2.2.4 compiled 
with winbind, acl support and as a member of a NT 4 domain).

I did not change /etc/pam.d/system-auth.

I configured /etc/nsswitch.conf like this:
passwd:     files winbind nisplus
shadow:     files winbind nisplus
group:      files winbind nisplus

After compiling I had noticed with ftp login that the file 
"/lib/security/pam_winbind.so" was missing. This isn't created when doing 
make && make install

I had to do
# cd samba/source
# make nsswitch/pam_winbind.so
# cp nsswitch/pam_winbind.so /lib/security

Besides the login shell is per default "/bin/false" in smb.conf. This has 
to be changed. Also the home dir.
template homedir = /home/%D/%U/
template shell = /bin/bash

Here's my configuration for SSH, SU, FTP login as a NT user:
-- /etc/pam.d/sshd --
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
-- /etc/pam.d/sshd --

-- /etc/pam.d/ftp --
auth     sufficient     /lib/security/pam_winbind.so
auth       required     /lib/security/pam_listfile.so item=user sense=deny 
file=/etc/ftpusers onerr=succeed
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_shells.so
auth     sufficient     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
-- /etc/pam.d/ftp --

Works fine.

There's something to know about winbindd.

When rebooting the linux box the mapping of NT users to UNIX user ids has 
changed after reboot. Only for NT users, not for NT groups. Thus before 
reboot a NT user has i.e uid 10000 and after reboot 10013 and therefore he 
can't access his files. After the reboot the NT users seem to be ordered in 
alphabetical order and the numbering begins with the winbind uid configured 
in smb.conf.

I tar the two tdb files

before reboot, extract them after reboot and restart winbindd.

-----Original Message-----
From:	John McCawley [SMTP:jmccawley at worleyco.com]
Sent:	Tuesday, June 04, 2002 1:26 AM
To:	samba at lists.samba.org
Subject:	[Samba] Problem with pam_winbind

I'm on a redhat 7.2 box, and I am trying to configure PAM to use winbind
 to authenticate against an NT4 PDC.  I followed the instructions I
found at:

I compiled the 2.2.4 source and have tried several permutations of the
setup they suggest, and have tried many solutions I've seen suggested on
different mailing lists, but nothing seems to work.

I have smb.conf setup as suggested in the document, and have succeeded
in joining my NT domain with smbpasswd.  The command 'getent passwd'
properly returns the list of users on my PDC.  The problem comes in when
I try to use the pam_winbind.so module for logins or ssh (I have not
tried anything else)  My current configuration is this:

auth        sufficient    /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_winbind.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_winbind.so use_first_pass

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok
md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

passwd:     files nisplus winbind
shadow:     files nisplus
group:      files nisplus winbind

If I login as:

It fails.  My Linux system log reports: (machine names changed)

Jun  3 16:12:42 casey pam_winbind[11588]: request failed, PAM error was
Jun  3 16:12:42 casey pam_winbind[11588]: internal module error (retval
= 4, user = `mydomain+username'

My NT PDC reports:
The session setup from the computer CASEY failed because there is no
trust account in the security database for this computer.  The name of
the account referenced in the security database is CASEY$.

Note that I had originally put the reference to pam_winbind in the login
file, but put in in system-auth after that didn't work.  Note also that
I tried it with pam_env and pam_unix both set to required.

I have tried removing and re-adding casey from the PDC, I have tried
adding at the PDC first, and then using smbpasswd.  I've tried this in
reverse order.  I've tried only using smbpasswd, I've tried only adding
it at the PDC.  I've tried deleting the /etc/samba/secrets.tdb file and

The only odd thing about my setup is that I installed from source over
the redhat RPM install, and the files are a little messy.  I've tried to
go through and make sure all of the stuff in /usr/sbin and /usr/bin are
symlinks to the stuff in /usr/local/samba/bin, but I may have missed
something.  At any rate I don't think that's the problem.

Any ideas?

To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list