LAUTIER Sabrina slautier at lavache.com
Wed Jun 5 03:40:02 GMT 2002


I'm running a linux RedHat 7.2 box with samba 2.2.4.
I want to use winbind for authentication.
The samba server is a member server in a W2K domain. 
I followed the steps in the winbind help which comes with the samba
distribution (http://localhost:901/swat/help/winbind.html). 
Joining the domain was successful:
$ smbpasswd -j DOMAIN -r PDC -U toto
| INFO: Debug class all level = 100   (pid 3643 from pid 3643)
| Password:
| Joined domain DOMAIN.

and wbinfo -t returns secret is good:
$ wbinfo -t
| Secret is good

wbinfo -u and wbinfo -g show the domain users and groups.
getent passwd and getent group show both local and win2k unix users.

When I try to log into the linux samba box with a valid win2k account
I get the following error in log file /var/log/messages:
| Jun  5 11:36:34 lima pam_winbind[15139]: request failed, PAM error
was 4, NT error was
| Jun  5 11:36:34 lima pam_winbind[15139]: internal module error
(retval = 4, user =
| `toto'
| Jun  5 11:36:34 lima login(pam_unix)[15139]: check pass; user
| Jun  5 11:36:34 lima login(pam_unix)[15139]: authentication failure;
| uid=0 euid=0 tty=tty1 ruser= rhost=
| Jun  5 11:36:40 lima login(pam_unix)[15139]: check pass; user
| Jun  5 11:36:42 lima login[15139]: FAILED LOGIN 1 FROM (null) FOR
| Authentication failure

$ wbinfo -a stoto%passworrd
| plaintext password authentication failed
| error code was NT_STATUS_INVALID_PARAMETER (0xc000000d)
| Could not authenticate user toto%password with plaintext password
| challenge/response password authentication succeeded
| error code was NT_STATUS_OK (0x0)

$ tail -f log.winbind
| [2002/06/05 12:12:56, 2]
|   Plain-text authenticaion for user toto returned

My smb.conf file contains the following lines:
        workgroup = DOMAIN
        netbios name = LIMA
        server string = Linux with Samba (%v) on %L
        wins server = x.x.x.x
        security = domain
        password server = PDC
        message command = csh -c 'xedit %s; rm %s' &
        # password
        encrypt passwords = Yes
        unix password sync = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *new*password* %n\n *new*password* %n\n
        passwd chat debug = Yes
        # users
        invalid users = root bin daemon adm sync shutdown \
                        halt mail news uucp operator gother
        # winbind
        # separate domain and username with '+', like DOMAIN+username
        winbind separator = +
        # use uids from 10000 to 20000 for domain users
        winbind uid = 10000-20000
        # use gids from 10000 to 20000 for domain groups
        winbind gid = 10000-20000
        # allow enumeration of winbind users and groups
        winbind enum users = yes
        winbind enum groups = yes
        # give winbind users a real shell (only needed if they have telnet access)
        template homedir = /home/win2k/%D/%U
        template shell = /bin/bash
        # log config
        log level = 2
        log file = /var/log/samba.log

As you can see, the 'encrypt passwords' option is set to yes.

Here is the /etc/pam.d/login file content:
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

I've compiled samba with the following options:
--with-smbwrapper --with-automount  --with-smbmount
--with-pam             --with-pam_smbpass --with-ssl --with-quotas
--with-acl-support --with-ldapsam --with-syslog

Any idea about how to solve this issue?

Any help would be greatly appreciated.


IT engineer
