[Samba] Winbind & Wrong Password - PAM Issue?
Eisenstein, Doug
Doug.Eisenstein at geodecapital.com
Mon Jan 12 14:06:26 GMT 2004
Good Morning,
I have been a user of winbind and Samba for about a year now. It's been
working well for me on Red Hat v. 8.0 and 9.0.
Recently I purchased and installed Red Hat Enterprise Linux WS 3.0 and
configured winbind and samba the same way I normally do. However when I
attempt to authenticate to the Linux workstation before I am even prompted
to enter my password, winbind submits a rogue password to the Windows NT
Domain Controller causing a "NT_STATUS_WRONG_PASSWORD" error to show up in
the /var/log/messages log file and after a few attempts, lock out my windows
account.
Excerpt of /var/log/messages (BEFORE PROMPT FOR PASSWORD):
-----------------------------------------------
Jan 12 08:59:59 localhost pam_winbind[1045]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Jan 12 08:59:59 localhost pam_winbind[1045]: user `doug' denied access (incorrect password)
Jan 12 08:59:59 localhost sshd(pam_unix)[1045]: check pass; user unknown
Jan 12 08:59:59 localhost sshd(pam_unix)[1045]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=host1.host.com
-----------------------------------------------
Excerpt of /var/log/messages (AFTER PROMPT FOR PASSWORD):
-----------------------------------------------
Jan 12 09:02:26 localhost pam_winbind[1053]: user 'doug' granted acces
Jan 12 09:02:26 localhost pam_winbind[1053]: user 'doug' granted acces
Jan 12 09:02:26 localhost sshd[1053]: Accepted password for doug from 1.1.1.1 port 3970
Jan 12 09:02:26 localhost sshd(pam_unix)[1055]: session opened for user doug by (uid=10000)
-----------------------------------------------
***NOTE: If I do this several times my windows NT account "doug" will be
locked out!
/etc/pam.d/system-auth:
-----------------------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
-----------------------------------------------
/etc/pam.d/sshd:
-----------------------------------------------
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=group sense=allow file=/etc/security/sshd_allow.conf onerr=fail
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
account sufficient /lib/security/pam_winbind.so
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
-----------------------------------------------
Any suggestions are greatly appreciated.
Thank you,
Doug E.
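
A log check for the pattern in the excerpts above, added here as an example and not part of the original post: it counts pam_winbind "denied access (incorrect password)" events per user in /var/log/messages-style lines and reports users who reach a lockout threshold inside a time window. The threshold of 3, the 30-minute window, the year and the sample lines are assumptions; substitute the domain's actual lockout policy values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of the excerpts above (mail-wrapped lines joined).
SAMPLE_LOG = """\
Jan 12 08:59:59 localhost pam_winbind[1045]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Jan 12 08:59:59 localhost pam_winbind[1045]: user `doug' denied access (incorrect password)
Jan 12 09:02:26 localhost pam_winbind[1053]: user 'doug' granted acces
Jan 12 09:03:10 localhost pam_winbind[1060]: user `doug' denied access (incorrect password)
Jan 12 09:03:40 localhost pam_winbind[1066]: user `doug' denied access (incorrect password)
Jan 12 09:04:02 localhost pam_winbind[1071]: user `alice' denied access (incorrect password)
"""

# One "denied" line per rejected attempt; the "request failed" line is not counted twice.
DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pam_winbind\[\d+\]: "
    r"user [`'](?P<user>[^']+)' denied access \(incorrect password\)"
)


def lockout_risks(log_text, threshold=3, window_minutes=30, year=2004):
    """Return {user: time of the failure that reached `threshold` inside the window}.

    Successful logins do not reset the count here, matching the behaviour the
    post reports (lockout despite successful logins in between).
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> failure times still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied (assumption)
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures = recent[m["user"]]
        failures.append(when)
        while when - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold and m["user"] not in flagged:
            flagged[m["user"]] = when
    return flagged


if __name__ == "__main__":
    for user, when in lockout_risks(SAMPLE_LOG).items():
        print(f"{user}: reached the failure threshold at {when:%b %d %H:%M:%S}")
```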