[Samba] Winbindd+W2K+NT+Pam+Samba 2.2.3a+Solaris

Gerald Carter jerry at samba.org
Thu May 16 05:27:03 GMT 2002

On Tue, 14 May 2002, Adcock, Christine M. wrote:

> accounts if we can help it. When I read through the man pages and HowTo
> documentation it at first seemed that this was possible using Winbindd and
> PAM. Upon closer investigation it looks like the users must have UNIX
> accounts and smbpasswd accounts to enable the challenge/response
> authentication - is this true? 

No.  Winbind's PAM and NSS module will take care this for you.

> I am also confused as to whether PAM is relevant since the majority of
> documentation states that it only works with clear-text passwords and
> W2K and NT require passwords to be encrypted. Can someone elaborate on
> this relationship please? I am about ready to give up and say that this
> cannot be done.

If Samba authenticates a user via PAM, then clear text passwords must be 
used.  However, the pam_winbind module is for use by applications
other than Samba so you can safely use "encryt passwords = yes".

> BTW - I can run through the DIAGNOSIS.txt tests successfully up to Test 7
> and the user accounts I am testing with are valid in AD. In addition, I have
> read through many of the mailing list postings and the error I get back on
> test seven is the same as many others - NT_STATUS_LOGON_FAILURE, the log
> says  - auth2 challenge failed - NT_STATUS_ACCESS_DENIED.

Did you add the Samba box to the domain?  Ahh...You should probably
try 2.2.4 since there was a related big-endian related bug fixed
between 2.2.3a and 2.2.4 related to joining a domain.

cheers, jerry
 Hewlett-Packard                                     http://www.hp.com
 SAMBA Team                                       http://www.samba.org
 --                                            http://www.plainjoe.org
 "Sam's Teach Yourself Samba in 24 Hours" 2ed.      ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--

More information about the samba mailing list