[Samba] PAM Error 9
richard at net-solutions.net.nz
richard at net-solutions.net.nz
Thu Nov 11 02:10:28 GMT 2004
John
Thanks for your reply. winbind authentication is working fine. I am using
pam_winbind.so for POP3 authentication. getent passwd also returns all the
users with no problems. If I run 'wbinfo -a username%password for a user
on the Windows DC, all works fine.
Richard
> Richard,
>
> What entries did you put in /etc/nsswitch.conf?
> Does 'getent passwd' return the ADS user info?
>
> - John T.
>
> On Tuesday 09 November 2004 12:45, Richard Greaney wrote:
> > Hi all
> > I have set my Samba server up to join an AD realm. Winbind is working
> > fine and I am able to use it for authentication as needed. When I try
to
> > connect to one of my shares via a Windows client, I get the following
> > error:
> >
> > [2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_account(573)
> > smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account
Management
> > for User: MYDOMAIN+room1
> > [2004/11/04 11:57:54, 2] auth/pampass.c:smb_pam_error_handler(73)
> > smb_pam_error_handler: PAM: Account Check Failed : Authentication
> > service cannot retrieve authentication info.
> > [2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_accountcheck(781)
> > smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting
User
> > MYDOMAIN+room1!
> > [2004/11/04 11:57:54, 2] auth/auth.c:check_ntlm_password(312)
> > check_ntlm_password: Authentication for user [room1] -> [room1]
FAILED
> > with error NT_STATUS_LOGON_FAILURE
> >
> >
> > My smb.conf file looks something like this:
> >
> > [global]
> >
> > winbind separator = +
> > winbind uid = 10000-20000
> > winbind gid = 10000-20000
> > winbind cache time = 15
> > winbind enum users = yes
> > winbind enum groups = yes
> > template homedir = /home/%U
> > template shell = /bin/false
> > winbind use default domain = yes
> >
> > panic action = /usr/share/samba/panic-action %d
> > # passwd program = /usr/bin/passwd %u
> > printing = bsd
> > netbios name = proxy
> > dns proxy = no
> > syslog only = no
> > name resolve order = lmhosts host wins bcast
> > encrypt passwords = true
> > # passdb backend = smbpasswd guest
> > socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096
SO_RCVBUF=4096
> > short preserve case = yes
> > printcap name = /etc/printcap
> > invalid users = root
> > max log size = 1000
> > obey pam restrictions = yes
> > # passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
> > Retype\snew\sUNIX\spassword:* %n\n .
> > security = ads
> > password server = DC1
> > realm = MYDOMAIN.BLAH
> > preserve case = yes
> > unix password sync = false
> > workgroup = MYDOMAIN
> > server string = %h server (Samba %v)
> > syslog = 0;
> > guest account = nobody
> > load printers = yes
> >
> >
> > For what it's worth, my /etc/pam.d/samba file is as follows:
> > auth required /lib/security/pam_env.so
> > auth sufficient /lib/security/pam_unix.so likeauth nullok
> > auth sufficient /lib/security/pam_winbind.so use_first_pass
> > auth required /lib/security/pam_deny.so
> >
> > account required /lib/security/pam_unix.so
> > account sufficient /lib/security/pam_winbind.so use_first_pass
> >
> > password required /lib/security/pam_cracklib.so retry=3 type=
> > # Note: The above line is complete. There is nothing following the '='
> > password sufficient /lib/security/pam_unix.so \
> > nullok use_authtok md5
shadow
> > password sufficient /lib/security/pam_winbind.so use_first_pass
> > password required /lib/security/pam_deny.so
> >
> > session required /lib/security/pam_limits.so
> > session sufficient /lib/security/pam_unix.so
> > session sufficient /lib/security/pam_winbind.so use_first_pass`
> >
> >
> > Interestingly enough, if I connect using smbclient and force it to use
> > kerberos with the -k option, I am able to connect. It's not until I try
> > to use NTLM that I receive the error.
> >
> > Any suggestions?
> > Cheers
> > Richard
>
> --
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> Other books in production.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
------------------------------------------------
This message was sent using InSPire Net Webmail.
http://www.inspire.net.nz
More information about the samba
mailing list