[Samba] Winbind & Wrong Password - PAM Issue?

Eisenstein, Doug Doug.Eisenstein at geodecapital.com
Mon Jan 12 14:06:26 GMT 2004


Good Morning,

I have been a user of winbind and Samba for about a year now. It's been
working well for me on Red Hat v. 8.0 and 9.0. 

Recently I purchased and installed Red Hat Enterprise Linux WS 3.0 and
configured winbind and samba the same way I normally do. However when I
attempt to authenticate to the Linux workstation before I am even prompted
to enter my password, winbind submits a rogue password to the Windows NT
Domain Controller causing a "NT_STATUS_WRONG_PASSWORD" error to show up in
the /var/log/messages log file and after a few attempts, lock out my windows
account.

Excerpt of /var/log/messages (BEFORE PROMPT FOR PASSWORD):
-----------------------------------------------
Jan 12 08:59:59 localhost pam_winbind[1045]: request failed: Wrong Password,
PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Jan 12 08:59:59 localhost pam_winbind[1045]: user `doug' denied access
(incorrect password)
Jan 12 08:59:59 localhost sshd(pam_unix)[1045]: check pass; user unknown
Jan 12 08:59:59 localhost sshd(pam_unix)[1045]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=host1.host.com
-----------------------------------------------

Excerpt of /var/log/messages (AFTER PROMPT FOR PASSWORD):
-----------------------------------------------
Jan 12 09:02:26 localhost pam_winbind[1053]: user 'doug' granted acces
Jan 12 09:02:26 localhost pam_winbind[1053]: user 'doug' granted acces
Jan 12 09:02:26 localhost sshd[1053]: Accepted password for doug from
1.1.1.1 port 3970
Jan 12 09:02:26 localhost sshd(pam_unix)[1055]: session opened for user doug
by (uid=10000)
-----------------------------------------------

***NOTE: If I do this several times my windows NT account "doug" will be
locked out!

/etc/pam.d/system-auth:
-----------------------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok
md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
-----------------------------------------------

/etc/pam.d/sshd:
-----------------------------------------------
#%PAM-1.0
auth       required     /lib/security/pam_listfile.so item=group sense=allow
file=/etc/security/sshd_allow.conf onerr=fail
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
account    sufficient   /lib/security/pam_winbind.so
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
-----------------------------------------------

Any suggestions are greatly appreciated.

Thank you,

Doug E.




More information about the samba mailing list