[Samba] ssh + pam_winbind error 'incorrect password or invalid membership'
jstile
john at stilen.com
Fri May 20 21:27:57 GMT 2005
Configuration:
Samba 3.0.14a-1 (on debian 3.1) + winbind 3.0.14a-1 + krb5-user 1.3.6-2
I need help debugging pam_winbind.so in /etc/pam.d/ssh on debian.
Samba is a member of an AD domain, authenticating access to shares via
winbind+nsswitch.conf. Authentication to shares works great. Now I
want winbind to authenticate ssh users as a pam module and it's failing.
Below I show the output of an ssh attempt with the auth.log and winbind
(in debug 3). If you see any problems with the configs/logs below, or
you need any other configs/logs, please let me know. Thank you very
much.
No problem with any of the following tests:
smbd -b | egrep 'KRB|LDAP' # Shows Samba has needed libs.
wbinfo -u # Shows winbind is doing lookups from ADS
johns
wbinfo -g # Shows winbind is doing lookups from ADS
getent passwd # Shows nsswitch is correct, to resolve ADS users.
johns:x:10000:10000:John Stile:/home/MS/johns:/usr/local/bin/bash
getent group # Shows nsswitch is correct, to resolve ADS groups.
net ads info # Show AD info
LDAP server: 192.168.50.42
LDAP server name: stan
Realm: MS.STILEN.COM
Bind Path: dc=MS,dc=STILEN,dc=COM
LDAP port: 389
Server time: Fri, 20 May 2005 21:15:29 GMT
KDC server: 192.168.50.42
Server time offset: 0
net ads join -Ujohns%passwd # Joined the domain
net ads testjoin # Shows join is ok
wbinfo -a johns%password # Test if winbind can authenticate
plaintext password authentication succeeded
challenge/response password authentication succeeded
kinit johns # Test Kerberos authentication
Password for johns at MS.STILEN.COM:
<ends without any response>
smbclient -L localhost -U ms\\johns%password # list shares using passwd
Ran winbind in debug mode during an ssh attempt:
winbindd -d 3 -i
[ 3195]: request interface version
[ 3195]: request location of privileged pipe
[ 3195]: pam auth johns
cm_get_ipc_userpass: No auth-user defined
Doing spnego session setup (blob length=105)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=stan$@MS.STILEN.COM
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Sat, 21 May 2005 06:58:43 GMT
Plain-text authentication for user johns returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
---------------------------------
Authlog
==> /var/log/auth.log <==
May 20 20:58:31 localhost sshd[3195]: Illegal user johns from ::ffff:192.168.60.161
May 20 20:58:43 localhost pam_winbind[3195]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
May 20 20:58:43 localhost pam_winbind[3195]: user `johns' denied access (incorrect password or invalid membership)
---------------------------------
Only added the winbind stuff to default debian /etc/pam.d/ssh
# PAM configuration for the Secure Shell service
auth sufficient pam_winbind.so
auth required pam_nologin.so
auth required pam_env.so # [1]
@include common-auth
account sufficient pam_winbind.so
@include common-account
session required pam_mkhomedir.so skel=/etc/skel umask=0022
@include common-session
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
@include common-password
---------------------------------
[global]
realm = MS.STILEN.COM
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%D/%U
template shell = /usr/local/bin/bash
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes
winbind use default domain = Yes
winbind separator = +
workgroup = MS
security = ADS
password server = stan.ms.stilen.com
wins support = yes
wins server = stan.ms.stilen.com
server string = %h server (Samba %v)
dns proxy = no
ldap ssl = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam guest
obey pam restrictions = no
invalid users = root Debian-exim daemon bin sys adm lp listen noaccess www-data
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
load printers = no
---------------------------------
/etc/resolv.conf
search ms.stilen.com
---------------------------------
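A small auth.log triage helper, added here as an example and not part of the original post or of Samba: it parses sshd and pam_winbind lines in the syslog format shown above, groups them by PID into one record per login attempt, and labels each attempt. The johns lines are the post's own; the alice lines are constructed to exercise the other path.

```python
import re
from collections import OrderedDict

# Constructed sample: the 3195 lines are from the post, the 3301 lines are made up.
SAMPLE_AUTH_LOG = """\
May 20 20:58:31 localhost sshd[3195]: Illegal user johns from ::ffff:192.168.60.161
May 20 20:58:43 localhost pam_winbind[3195]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
May 20 20:58:43 localhost pam_winbind[3195]: user `johns' denied access (incorrect password or invalid membership)
May 20 21:02:10 localhost pam_winbind[3301]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
May 20 21:02:10 localhost pam_winbind[3301]: user `alice' denied access (incorrect password or invalid membership)
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ILLEGAL_RE = re.compile(r"^Illegal user (?P<user>\S+) from (?P<src>\S+)")
FAILED_RE = re.compile(r"^request failed: .*?, PAM error was (?P<pam>\d+), NT error was (?P<nt>\S+)")
DENIED_RE = re.compile(r"^user `(?P<user>[^']+)' denied access \((?P<why>[^)]*)\)")


def parse_auth_log(text):
    """Group sshd/pam_winbind lines by PID into one record per login attempt."""
    attempts = OrderedDict()
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line we understand
        rec = attempts.setdefault(m["pid"], {"pid": m["pid"], "user": None, "src": None,
                                             "nss_unresolved": False, "pam_error": None,
                                             "nt_error": None, "denied": False})
        msg = m["msg"]
        if m["prog"] == "sshd" and (im := ILLEGAL_RE.match(msg)):
            # OpenSSH logs "Illegal user" when getpwnam() fails, i.e. NSS did not resolve the account.
            rec.update(user=im["user"], src=im["src"], nss_unresolved=True)
        elif m["prog"] == "pam_winbind":
            if fm := FAILED_RE.match(msg):
                rec.update(pam_error=int(fm["pam"]), nt_error=fm["nt"])
            elif dm := DENIED_RE.match(msg):
                rec.update(user=dm["user"], denied=True)
    return list(attempts.values())


def classify(rec):
    """Triage label for one attempt: separate lookup problems from credential failures."""
    if rec["denied"] and rec["nss_unresolved"]:
        return "account-not-resolvable"  # check nsswitch/winbind lookups before the password
    if rec["denied"] and rec["nt_error"] == "NT_STATUS_WRONG_PASSWORD":
        return "bad-credentials"
    if rec["denied"]:
        return "denied-other"
    return "ok"


if __name__ == "__main__":
    for r in parse_auth_log(SAMPLE_AUTH_LOG):
        print(r["pid"], r["user"], r["src"], classify(r))
```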