[Samba] PAM Error 9

richard at net-solutions.net.nz
Thu Nov 11 02:10:28 GMT 2004


John,
Thanks for your reply. Winbind authentication is working fine. I am using 
pam_winbind.so for POP3 authentication. getent passwd also returns all the 
users with no problems. If I run 'wbinfo -a username%password' for a user 
on the Windows DC, all works fine.

Richard

> Richard,
> 
> What entries did you put in /etc/nsswitch.conf?
> Does 'getent passwd' return the ADS user info?
> 
> - John T.
> 
> On Tuesday 09 November 2004 12:45, Richard Greaney wrote:
> > Hi all
> > I have set my Samba server up to join an AD realm. Winbind is working
> > fine and I am able to use it for authentication as needed. When I try to
> > connect to one of my shares via a Windows client, I get the following
> > error:
> >
> > [2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_account(573)
> >    smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: MYDOMAIN+room1
> > [2004/11/04 11:57:54, 2] auth/pampass.c:smb_pam_error_handler(73)
> >    smb_pam_error_handler: PAM: Account Check Failed : Authentication service cannot retrieve authentication info.
> > [2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_accountcheck(781)
> >    smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User MYDOMAIN+room1!
> > [2004/11/04 11:57:54, 2] auth/auth.c:check_ntlm_password(312)
> >    check_ntlm_password:  Authentication for user [room1] -> [room1] FAILED with error NT_STATUS_LOGON_FAILURE
> >
> >
> > My smb.conf file looks something like this:
> >
> > [global]
> >
> > winbind separator = +
> > winbind uid = 10000-20000
> > winbind gid = 10000-20000
> > winbind cache time = 15
> > winbind enum users = yes
> > winbind enum groups = yes
> > template homedir = /home/%U
> > template shell = /bin/false
> > winbind use default domain = yes
> >
> >     panic action = /usr/share/samba/panic-action %d
> > #       passwd program = /usr/bin/passwd %u
> >          printing = bsd
> >          netbios name = proxy
> >          dns proxy = no
> >          syslog only = no
> >          name resolve order = lmhosts host wins bcast
> >          encrypt passwords = true
> > #   passdb backend = smbpasswd guest
> >   socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
> >          short preserve case = yes
> >          printcap name = /etc/printcap
> >          invalid users = root
> >          max log size = 1000
> >          obey pam restrictions = yes
> > #       passwd chat = *Enter\snew\sUNIX\spassword:* %n\n Retype\snew\sUNIX\spassword:* %n\n .
> >          security = ads
> >          password server = DC1
> >          realm = MYDOMAIN.BLAH
> >          preserve case = yes
> >          unix password sync = false
> >          workgroup = MYDOMAIN
> >          server string = %h server (Samba %v)
> >          syslog = 0;
> >          guest account = nobody
> >          load printers = yes
> >
> >
> > For what it's worth, my /etc/pam.d/samba file is as follows:
> > auth        required      /lib/security/pam_env.so
> > auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> > auth        sufficient    /lib/security/pam_winbind.so use_first_pass
> > auth        required      /lib/security/pam_deny.so
> >
> > account     required      /lib/security/pam_unix.so
> > account     sufficient    /lib/security/pam_winbind.so use_first_pass
> >
> > password    required      /lib/security/pam_cracklib.so retry=3 type=
> > # Note: The above line is complete. There is nothing following the '='
> > password    sufficient    /lib/security/pam_unix.so \
> >                                               nullok use_authtok md5 shadow
> > password    sufficient    /lib/security/pam_winbind.so use_first_pass
> > password    required      /lib/security/pam_deny.so
> >
> > session     required      /lib/security/pam_limits.so
> > session     sufficient    /lib/security/pam_unix.so
> > session     sufficient    /lib/security/pam_winbind.so use_first_pass`
> >
> >
> > Interestingly enough, if I connect using smbclient and force it to use
> > kerberos with the -k option, I am able to connect. It's not until I try
> > to use NTLM that I receive the error.
> >
> > Any suggestions?
> > Cheers
> > Richard
> 
> -- 
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
> 
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> Other books in production.
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
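
The account stack quoted above, run through Linux-PAM's required/sufficient rules, as an added example that is not part of the original posts. The module return codes are constructed inputs, the function names are hypothetical, and the reordered stack is a constructed variant for comparison; 9 is PAM_AUTHINFO_UNAVAIL, the code behind the logged "cannot retrieve authentication info" message.

```python
# Added example: evaluates a PAM stack with Linux-PAM's simple control flags.
# Module return codes passed in are constructed inputs, not captured output.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTHINFO_UNAVAIL = 0, 6, 9

# Account lines as posted in /etc/pam.d/samba.
POSTED = """\
account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_winbind.so use_first_pass
"""
# Constructed reordering for comparison only (not from the thread).
REORDERED = """\
account     sufficient    /lib/security/pam_winbind.so use_first_pass
account     required      /lib/security/pam_unix.so
"""

def parse_stack(text, mgmt_type):
    """Return [(control, module file name)] for one management group."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt_type:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results):
    """Combine per-module return codes the way libpam does for
    required / requisite / sufficient / optional."""
    first_bad, positive = None, False
    for control, module in stack:
        rc = results[module]
        if rc == PAM_SUCCESS:
            if first_bad is None:
                positive = True
                if control == "sufficient":
                    return PAM_SUCCESS      # "done": stop, stack succeeds
        elif control in ("required", "requisite"):
            if first_bad is None:
                first_bad = rc              # first failure decides the result
            if control == "requisite":
                return first_bad            # "die": stop immediately
        # a failing sufficient/optional module is ignored
    if first_bad is not None:
        return first_bad
    return PAM_SUCCESS if positive else PAM_PERM_DENIED

def account_result(config, unix_rc, winbind_rc):
    """Result of the account stack for the given (constructed) module codes."""
    stack = parse_stack(config, "account")
    return evaluate(stack, {"pam_unix.so": unix_rc, "pam_winbind.so": winbind_rc})
```

With the posted ordering the stack returns 9 whenever pam_unix.so does, whatever pam_winbind.so returns; a failure from pam_winbind.so alone is ignored.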

