[Samba] PAM Error 9

John H Terpstra jht at Samba.Org
Tue Nov 9 20:07:18 GMT 2004


Richard,

What entries did you put in /etc/nsswitch.conf?
Does 'getent passwd' return the ADS user info?

- John T.

On Tuesday 09 November 2004 12:45, Richard Greaney wrote:
> Hi all
> I have set my Samba server up to join an AD realm. Winbind is working
> fine and I am able to use it for authentication as needed. When I try to
> connect to one of my shares via a Windows client, I get the following
> error:
>
> [2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_account(573)
>    smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
> for User: MYDOMAIN+room1
> [2004/11/04 11:57:54, 2] auth/pampass.c:smb_pam_error_handler(73)
>    smb_pam_error_handler: PAM: Account Check Failed : Authentication
> service cannot retrieve authentication info.
> [2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_accountcheck(781)
>    smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
> MYDOMAIN+room1!
> [2004/11/04 11:57:54, 2] auth/auth.c:check_ntlm_password(312)
>    check_ntlm_password:  Authentication for user [room1] -> [room1] FAILED
> with error NT_STATUS_LOGON_FAILURE
>
>
> My smb.conf file looks something like this:
>
> [global]
>
> winbind separator = +
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind cache time = 15
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%U
> template shell = /bin/false
> winbind use default domain = yes
>
>     panic action = /usr/share/samba/panic-action %d
> #       passwd program = /usr/bin/passwd %u
>          printing = bsd
>          netbios name = proxy
>          dns proxy = no
>          syslog only = no
>          name resolve order = lmhosts host wins bcast
>          encrypt passwords = true
> #   passdb backend = smbpasswd guest
>   socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
>          short preserve case = yes
>          printcap name = /etc/printcap
>          invalid users = root
>          max log size = 1000
>          obey pam restrictions = yes
> #       passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
> Retype\snew\sUNIX\spassword:* %n\n .
>          security = ads
>          password server = DC1
>          realm = MYDOMAIN.BLAH
>          preserve case = yes
>          unix password sync = false
>          workgroup = MYDOMAIN
>          server string = %h server (Samba %v)
>          syslog = 0;
>          guest account = nobody
>          load printers = yes
>
>
> For what it's worth, my /etc/pam.d/samba file is as follows:
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_winbind.so use_first_pass
> auth        required      /lib/security/pam_deny.so
>
> account     required      /lib/security/pam_unix.so
> account     sufficient    /lib/security/pam_winbind.so use_first_pass
>
> password    required      /lib/security/pam_cracklib.so retry=3 type=
> # Note: The above line is complete. There is nothing following the '='
> password    sufficient    /lib/security/pam_unix.so \
>                                               nullok use_authtok md5 shadow
> password    sufficient    /lib/security/pam_winbind.so use_first_pass
> password    required      /lib/security/pam_deny.so
>
> session     required      /lib/security/pam_limits.so
> session     sufficient    /lib/security/pam_unix.so
> session     sufficient    /lib/security/pam_winbind.so use_first_pass`
>
>
> Interestingly enough, if I connect using smbclient and force it to use
> kerberos with the -k option, I am able to connect. It's not until I try
> to use NTLM that I receive the error.
>
> Any suggestions?
> Cheers
> Richard

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
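
The two checks asked for in the reply above (the nsswitch.conf entries and whether getent resolves the ADS user), as an added shell example that is not part of the original thread. The function names and the sample file are assumptions made for illustration; the user name to test is passed as an argument.

```shell
#!/bin/sh
# Added example: function names are illustrative, not from Samba or the thread.

# Constructed sample (not from the thread): only passwd lists winbind.
sample_nsswitch() {
    cat <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:   files winbind   # users from AD via winbind
group:    files
hosts:    files dns
EOF
}

# nss_sources FILE DB: print the sources configured for DB, e.g. "files winbind".
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                      # drop comments
        { n = index($0, ":"); if (n == 0) next
          name = substr($0, 1, n - 1); gsub(/[ \t]/, "", name)
          if (name != db) next
          rest = substr($0, n + 1)
          gsub(/[ \t]+/, " ", rest); gsub(/^ | $/, "", rest)
          print rest; exit }' "$1"
}

# nss_has_winbind FILE DB: succeed if winbind is one of the sources for DB.
nss_has_winbind() {
    case " $(nss_sources "$1" "$2") " in
        *" winbind "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_winbind_nss FILE USER: report both checks; return the number of failures.
check_winbind_nss() {
    file=$1; user=$2; fails=0
    for db in passwd group; do
        if nss_has_winbind "$file" "$db"; then
            echo "OK   $db: $(nss_sources "$file" "$db")"
        else
            echo "FAIL $db: winbind not listed ($(nss_sources "$file" "$db"))"
            fails=$((fails + 1))
        fi
    done
    if getent passwd "$user" >/dev/null 2>&1; then
        echo "OK   getent passwd $user resolves"
    else
        echo "FAIL getent passwd $user returns nothing"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Run against the live system only when a user name is given on the command line.
if [ "$#" -gt 0 ]; then check_winbind_nss /etc/nsswitch.conf "$1"; fi
```

With "winbind use default domain = yes" the user may resolve under the short name, so it is worth testing both room1 and MYDOMAIN+room1.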

