[Samba] ADS Domain Member Server + PAM problem
richard at net-solutions.net.nz
Wed Nov 3 23:17:00 GMT 2004
Hi all

I have set my Samba server up to join an AD realm. Winbind is working fine
and I am able to use it for authentication as needed. When I try to connect
to one of my shares via a Windows client, I get the following error:

[2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: MYDOMAIN+room1
[2004/11/04 11:57:54, 2] auth/pampass.c:smb_pam_error_handler(73)
  smb_pam_error_handler: PAM: Account Check Failed : Authentication service cannot retrieve authentication info.
[2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User MYDOMAIN+room1!
[2004/11/04 11:57:54, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [room1] -> [room1] FAILED with error NT_STATUS_LOGON_FAILURE

My smb.conf file looks something like this:

[global]
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/false
winbind use default domain = yes
panic action = /usr/share/samba/panic-action %d
# passwd program = /usr/bin/passwd %u
printing = bsd
netbios name = proxy
dns proxy = no
syslog only = no
name resolve order = lmhosts host wins bcast
encrypt passwords = true
# passdb backend = smbpasswd guest
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
short preserve case = yes
printcap name = /etc/printcap
invalid users = root
max log size = 1000
obey pam restrictions = yes
# passwd chat = *Enter\snew\sUNIX\spassword:* %n\n Retype\snew\sUNIX\spassword:* %n\n .
security = ads
password server = DC1
realm = MYDOMAIN.BLAH
preserve case = yes
unix password sync = false
workgroup = MYDOMAIN
server string = %h server (Samba %v)
syslog = 0;
guest account = nobody
load printers = yes
For what it's worth, my /etc/pam.d/samba file is as follows:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_winbind.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_winbind.so use_first_pass
password required /lib/security/pam_cracklib.so retry=3 type=
# Note: The above line is complete. There is nothing following the '='
password sufficient /lib/security/pam_unix.so \
nullok use_authtok md5 shadow
password sufficient /lib/security/pam_winbind.so use_first_pass
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session sufficient /lib/security/pam_unix.so
session sufficient /lib/security/pam_winbind.so use_first_pass
Interestingly enough, if I connect using smbclient and force it to use
kerberos with the -k option, I am able to connect. It's not until I try to
use NTLM that I receive the error.
Any suggestions?
Cheers
Richard
------------------------------------------------
This message was sent using InSPire Net Webmail.
http://www.inspire.net.nz
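
How the account stack quoted in the message is evaluated, as an added example that is not part of the original post and is not Samba or Linux-PAM code. It models only the "required" and "sufficient" control flags the file uses, and it assumes (the post does not say so) that pam_unix is the module returning error 9, which is PAM_AUTHINFO_UNAVAIL in Linux-PAM, while pam_winbind accepts the user; the reordered stack is constructed for contrast.

```python
# Added example: a simplified model of Linux-PAM's "required" and
# "sufficient" control flags. Not Samba or Linux-PAM source code.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTHINFO_UNAVAIL = 0, 6, 9

# The two account lines from the /etc/pam.d/samba file in the post.
POSTED = """\
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_winbind.so use_first_pass
"""
# Constructed contrast: same modules, opposite order.
REORDERED = """\
account sufficient /lib/security/pam_winbind.so use_first_pass
account required /lib/security/pam_unix.so
"""
# ASSUMPTION (not stated in the post): pam_unix is the module that
# returns error 9 for the domain user, and pam_winbind accepts the user.
ASSUMED = {"pam_unix.so": PAM_AUTHINFO_UNAVAIL, "pam_winbind.so": PAM_SUCCESS}

def parse_stack(text, facility):
    """Return [(control, module)] for one facility of a pam.d file."""
    stack = []
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results):
    """Walk the stack and return the code the application would see."""
    first_failure, required_ok = None, False
    for control, module in stack:
        if control not in ("required", "sufficient"):
            raise ValueError("control flag not modelled: " + control)
        rc = results[module]
        if rc == PAM_SUCCESS:
            if control == "sufficient" and first_failure is None:
                return PAM_SUCCESS  # stops here, later modules never run
            required_ok = required_ok or control == "required"
        elif control == "required" and first_failure is None:
            first_failure = rc      # remembered; the stack still continues
        # a failing "sufficient" module is ignored
    if first_failure is not None:
        return first_failure
    return PAM_SUCCESS if required_ok else PAM_PERM_DENIED

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("reordered", REORDERED)):
        print(name, evaluate(parse_stack(text, "account"), ASSUMED))
```

In the reordered stack a pam_winbind success ends the account check before pam_unix runs, so any local account restrictions that pam_unix enforces are not applied to those users.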