[Samba] SUMMARY: winbind NT_STATUS_INVALID_PARAMETER

LAUTIER Sabrina slautier at lavache.com
Fri Jun 7 03:23:03 GMT 2002


I solved my issue by simply logging in as "DOMAIN+toto" and not only as
"toto"!
---------------------------------------
lima login: DOMAIN+toto
password: 
Last login: Fri Jun 7 09;53:01 on tty1
bash-2.05$ 
---------------------------------------
As my linux box was part of the win2k domain and the local linux
account didn't exist I thought that I didn't have to specify the
domain name before the win2k account.

So both samba and PAM were well configured.

Cheers,

Sab

> ---------------- Beginning of the original message ------------------
> Hi,
> 
> I'm running a linux RedHat 7.2 box with samba 2.2.4.
> I want to use winbind for authentication.
> The samba server is a member server in a W2K domain.
> I followed the steps in the winbind help which comes with the samba
> distribution (http://localhost:901/swat/help/winbind.html).
> Joining the domain was successful:
> $ smbpasswd -j DOMAIN -r PDC -U toto
> | INFO: Debug class all level = 100   (pid 3643 from pid 3643)
> | Password:
> | Joined domain DOMAIN.
> 
> and wbinfo -t returns secret is good:
> $ wbinfo -t
> | Secret is good
> 
> wbinfo -u and wbinfo -g show the domain users and groups.
> getent passwd and getent group show both local and win2k unix users
> and groups.
> 
> When I try to log into the linux samba box with a valid win2k account
> I get the following error in log file /var/log/messages:
> | Jun  5 11:36:34 lima pam_winbind[15139]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
> | Jun  5 11:36:34 lima pam_winbind[15139]: internal module error (retval = 4, user = `toto'
> | Jun  5 11:36:34 lima login(pam_unix)[15139]: check pass; user unknown
> | Jun  5 11:36:34 lima login(pam_unix)[15139]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
> | Jun  5 11:36:40 lima login(pam_unix)[15139]: check pass; user unknown
> | Jun  5 11:36:42 lima login[15139]: FAILED LOGIN 1 FROM (null) FOR toto, Authentication failure
> 
> $  wbinfo -a  stoto%passworrd
> | plaintext password authentication failed
> | error code was NT_STATUS_INVALID_PARAMETER (0xc000000d)
> | Could not authenticate user toto%password with plaintext password
> | challenge/response password authentication succeeded
> | error code was NT_STATUS_OK (0x0)
> 
> $ tail -f log.winbind
> | [2002/06/05 12:12:56, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(118)
> |   Plain-text authenticaion for user toto returned NT_STATUS_INVALID_PARAMETER (PAM: 4)
> 
> My smb.conf file contains the following lines:
> ---------------------------------------------------------------------------------
> [global]
>         workgroup = DOMAIN
>         netbios name = LIMA
>         server string = Linux with Samba (%v) on %L
>         wins server = x.x.x.x
>         security = domain
>         password server = PDC
>         message command = csh -c 'xedit %s; rm %s' &
>         # password
>         encrypt passwords = Yes
>         unix password sync = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *new*password* %n\n *new*password* %n\n *success*
>         passwd chat debug = Yes
>         # users
>         invalid users = root bin daemon adm sync shutdown \
>                         halt mail news uucp operator gother
>         #
>         # winbind
>         #
>         # separate domain and username with '+', like DOMAIN+username
>         winbind separator = +
>         # use uids from 10000 to 20000 for domain users
>         winbind uid = 10000-20000
>         # use gids from 10000 to 20000 for domain groups
>         winbind gid = 10000-20000
>         # allow enumeration of winbind users and groups
>         winbind enum users = yes
>         winbind enum groups = yes
>         # give winbind users a real shell (only needed if they have telnet access)
>         template homedir = /home/win2k/%D/%U
>         template shell = /bin/bash
>         #
>         # log config
>         #
>         log level = 2
>         log file = /var/log/samba.log
> ---------------------------------------------------------------------------------
> 
> As you can see, the 'encrypt passwords' option is set to yes.
> 
> Here is the /etc/pam.d/login file content:
> ---------------------------------------------------------------------------------
> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       sufficient   /lib/security/pam_winbind.so
> auth       sufficient   /lib/security/pam_unix.so use_first_pass
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    sufficient   /lib/security/pam_winbind.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
> ---------------------------------------------------------------------------------
> 
> I've compiled samba with the following options:
> --with-smbwrapper --with-automount --with-smbmount --with-pam
> --with-pam_smbpass --with-ssl --with-quotas --with-acl-support
> --with-ldapsam --with-syslog
> 
> Any idea about how to solve this issue ?
> 
> Any help would be greatly appreciated.
> 
> Thanks.
> 
> Sabrina
> IT engineer
> France
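
A triage sketch for the failure resolved in this message, added here and not part of the original post or of Samba: it reads `winbind separator` from smb.conf and flags pam_winbind NT_STATUS_INVALID_PARAMETER failures whose user name lacks the DOMAIN prefix, printing the qualified name to try. The inline smb.conf and syslog text are constructed from the lines quoted above (the `bob` entry is invented), and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the smb.conf and syslog lines in the post.
SMB_CONF = """[global]
        workgroup = DOMAIN
        # separate domain and username with '+'
        winbind separator = +
"""
SYSLOG = """\
Jun  5 11:36:34 lima pam_winbind[15139]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jun  5 11:36:34 lima pam_winbind[15139]: internal module error (retval = 4, user = `toto'
Jun  5 11:41:10 lima pam_winbind[15201]: request failed, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Jun  5 11:41:10 lima pam_winbind[15201]: internal module error (retval = 7, user = `bob'
"""
DEFAULT_SEPARATOR = "\\"  # smb.conf default when 'winbind separator' is not set
PAM_LINE = re.compile(r"pam_winbind\[(\d+)\]: (.*)")
USER = re.compile(r"user = `([^']*)'")

def global_params(conf_text):
    """Return the [global] parameters of an smb.conf as a dict (names lower-cased)."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def unqualified_failures(conf_text, syslog_text):
    """List (user, qualified name) for INVALID_PARAMETER failures lacking DOMAIN<sep>."""
    params = global_params(conf_text)
    sep = params.get("winbind separator", DEFAULT_SEPARATOR)
    domain = params.get("workgroup", "DOMAIN")  # placeholder if workgroup is unset
    bad_pids, hits = set(), []
    for line in syslog_text.splitlines():
        m = PAM_LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if "NT_STATUS_INVALID_PARAMETER" in msg:
            bad_pids.add(pid)  # correlate the error line with the user line by PID
        u = USER.search(msg)
        if u and pid in bad_pids and sep not in u.group(1):
            hits.append((u.group(1), domain + sep + u.group(1)))
    return hits
```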
