[Samba] Samba as domain member server cannot authenticate users

Breno Moiana bm.lists at gmail.com
Tue Apr 26 12:50:54 GMT 2005

This problem was already described in a very similar way in Oct 2004
on the following message:
As no solution was found so far, I am re-posting it in the hope that
somebody can help.

- A windows2000 domain with active directory up and running.
- A Samba server with fileshares and printers. Debian Sarge, Samba 3.0.10
- Windows clients

- To have windows users being able to transparently map fileshares on
the linux server, and to print to these linux printers without having
to enter a separate password for the linux shares/printers. The linux
server should accept the windows logged-in user.

What I have accomplished:
Installed samba, it worked fine with local authentication.
Changed the samba configuration and installed winbind, and changed the
/etc/nsswitch.conf, /etc/pam.d/login, so I could log in to the linux
machine using the windows AD authentication.
With those changes, I can successfully log in to the linux server with
a windows user.

What is missing:
With this setup, I can't access the fileshares when I try to map them
from a windows client. The linux server requests the password, and I
try to enter "username", "domain\username", "username@domain",
"\\domain\username", "DOMAIN\username", and nothing works.

When I try to access a share from a windows machine, the
/var/log/samba/log.machinename reports this:

[2005/04/25 18:51:13, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting
User MYDOMAIN\username!

However, if I log on locally, the user MYDOMAIN\username is a valid one!

I have stripped out the comments and post my smb.conf
below (mydomain being my domain, and username# being valid usernames):

   workgroup = mydomain
   server string = %h server (Samba %v)
   include = /etc/samba/dhcp.conf
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   security = domain
   password server = *

   encrypt passwords = true
   passdb backend = tdbsam guest

   obey pam restrictions = yes

   guest account = nobody
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   domain master = no
   local master = no
   preferred master = no

   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash

    comment = Testing share
    writable = yes
    path = /fileshare/testshare
    write list = username1,username2
    force create mode = 0775
    force directory mode = 6775


Something is wrong; I just couldn't figure out what. I believe it to be
something to make samba "talk" to winbindd, identifying the users.
If I find out the answer, I will post it here.

Thanks very much for the attention!

Best Regards!

Breno Moiana.
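The log line quoted in the post names smb_pam_accountcheck, the PAM account
check smbd runs only when "obey pam restrictions = yes" is set, and the
poster changed /etc/pam.d/login (the console login service) rather than the
PAM service smbd itself uses. The script below is an added example, not code
from the post or from the Samba project: it parses a trimmed excerpt of the
posted smb.conf together with a constructed pam.d file and reports whether
a domain user can be expected to fail that check. It assumes that smbd
authenticates against the PAM service named "samba" and that a domain user
only passes the account stack if pam_winbind.so is in it; both are taken
from general Samba/winbind behaviour, not from the page. The helper names
(parse_smb_conf, pam_account_modules, diagnose) and all sample inputs are
hypothetical and built inline.

```python
"""Diagnose 'smb_pam_accountcheck: PAM: Account Validation Failed'.

Added example, not code from the original post or from Samba.
Assumption: smbd runs the PAM account check against the service "samba"
only when `obey pam restrictions = yes`, and a domain user passes that
check only if pam_winbind.so is in the service's account stack.
"""
import re


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}.

    Keys are lower-cased with internal whitespace collapsed, the way
    smbd normalises them. Lines before any [section] go to 'global'.
    """
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment or blank
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_true(value):
    """smb.conf boolean: yes/true/1 count as true."""
    return value.strip().lower() in ("yes", "true", "1")


def pam_account_modules(pam_text):
    """Module names on the 'account' lines of a pam.d file, in order.

    '@include' lines are not followed (that needs the file system), so
    pass the effective, flattened stack.
    """
    mods = []
    for raw in pam_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].lower() == "account" and len(fields) >= 3:
            mods.append(fields[2].rsplit("/", 1)[-1])
    return mods


def diagnose(smb_conf_text, pam_samba_text):
    """Findings explaining why a domain user logs in at the console but
    is rejected by smbd's PAM account check. Empty list means no issue."""
    g = parse_smb_conf(smb_conf_text).get("global", {})
    if not is_true(g.get("obey pam restrictions", "no")):
        return []                                 # smbd skips the PAM check
    mods = pam_account_modules(pam_samba_text)
    if "pam_winbind.so" in mods:
        return []
    return [
        "obey pam restrictions = yes, but the 'samba' PAM service's "
        "account stack %r has no pam_winbind.so: domain users fail "
        "smb_pam_accountcheck even though console login (a different "
        "PAM service) works" % (mods,)
    ]


# Constructed: trimmed excerpt of the posted smb.conf, [global] restored.
POSTED_SMB_CONF = """
[global]
   workgroup = mydomain
   security = domain
   password server = *
   encrypt passwords = true
   obey pam restrictions = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
"""

# Constructed: a 'samba' PAM service whose account stack is pam_unix only.
PAM_SAMBA_UNIX_ONLY = """
auth    required pam_unix.so
account required pam_unix.so
session required pam_unix.so
"""

# Constructed: the same service with winbind ahead of pam_unix.
PAM_SAMBA_WITH_WINBIND = """
auth    sufficient pam_winbind.so
auth    required   pam_unix.so use_first_pass
account sufficient pam_winbind.so
account required   pam_unix.so
session required   pam_unix.so
"""

# Constructed: the other way out, turning the PAM check off in smb.conf.
FIXED_SMB_CONF = POSTED_SMB_CONF.replace(
    "obey pam restrictions = yes", "obey pam restrictions = no")

if __name__ == "__main__":
    for label, conf, pam in (("as posted", POSTED_SMB_CONF, PAM_SAMBA_UNIX_ONLY),
                             ("winbind in pam.d", POSTED_SMB_CONF, PAM_SAMBA_WITH_WINBIND),
                             ("obey pam = no", FIXED_SMB_CONF, PAM_SAMBA_UNIX_ONLY)):
        print(label, "->", diagnose(conf, pam) or "ok")
```

Two caveats when using this against a real Sarge box: /etc/pam.d/samba there
is built from "@include common-account", so flatten that include (or add
pam_winbind.so to common-account itself) before trusting the check; and
setting "obey pam restrictions = no" removes the PAM account and session
checks for SMB access altogether, so adding pam_winbind.so to the samba
service is the change that keeps the restriction in force for domain users.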

