[Samba] ssh + pam_winbind error 'incorrect password or invalid membership'
jstile
john at stilen.com
Tue May 24 03:39:17 GMT 2005
I got a little farther.
After creating the home directory, /home/MS/johns
And fixing the path to the default shell,
I can ssh in with:
ssh 192.168.60.189 -l MS\+johns
But not with this:
ssh 192.168.60.189 -l johns
My smb.conf definitely has:
winbind use default domain = Yes
How can I make ssh work with the short user name?
On Fri, 2005-05-20 at 14:27 -0700, jstile wrote:
> Configuration:
> Samba 3.0.14a-1 (on debian 3.1) + winbind 3.0.14a-1 + krb5-user 1.3.6-2
>
> I need help debugging pam_winbind.so in /etc/pam.d/ssh on debian.
>
> Samba is a member of an AD domain, authenticating access to shares via
> winbind+nsswitch.conf. Authentication to shares works great. Now I
> want winbind to authenticate ssh users as a pam module and it's failing.
> Below I show the output of an ssh attempt with the auth.log and winbind
> (in debug 3). If you see any problems with the configs/logs below, or
> you need any other configs/logs, please let me know. Thank you very
> much.
>
> No problem with any of the following tests:
> smbd -b |egrep 'KRB|LDAP' # Shows Samba has needed Libs.
> wbinfo -u # Shows winbind is doing lookups from ADS
> johns
> wbinfo -g # Shows winbind is doing lookups from ADS
> getent passwd # Shows nsswitch is correct, to resolve ADS users.
> johns:x:10000:10000:John Stile:/home/MS/johns:/usr/local/bin/bash
> getent group # Shows nsswitch is correct, to resolve ADS groups.
> net ads info # Show AD info
> LDAP server: 192.168.50.42
> LDAP server name: stan
> Realm: MS.STILEN.COM
> Bind Path: dc=MS,dc=STILEN,dc=COM
> LDAP port: 389
> Server time: Fri, 20 May 2005 21:15:29 GMT
> KDC server: 192.168.50.42
> Server time offset: 0
> net ads join -Ujohns%passwd # Joined the domain
> net ads testjoin # Shows join is ok
> wbinfo -a johns%password # Test if winbind can authenticate
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> kinit johns # Test Kerberos authentication
> Password for johns at MS.STILEN.COM:
> <ends without any response>
> smbclient -L localhost -U ms\\johns%password # list shares using passwd
>
> Configuration:
> Samba 3.0.14a-1 (on debian 3.1) + winbind 3.0.14a-1 + krb5-user 1.3.6-2
>
> Ran winbind in debug mode during a ssh attempt
> winbindd -d 3 -i
> [ 3195]: request interface version
> [ 3195]: request location of privileged pipe
> [ 3195]: pam auth johns
> cm_get_ipc_userpass: No auth-user defined
> Doing spnego session setup (blob length=105)
> got OID=1 2 840 48018 1 2 2
> got OID=1 2 840 113554 1 2 2
> got OID=1 2 840 113554 1 2 2 3
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=stan$@MS.STILEN.COM
> Doing kerberos session setup
> Ticket in ccache[MEMORY:cliconnect] expiration Sat, 21 May 2005 06:58:43 GMT
> Plain-text authentication for user johns returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
> ---------------------------------
> Authlog
> ==> /var/log/auth.log <==
> May 20 20:58:31 localhost sshd[3195]: Illegal user johns from ::ffff:192.168.60.161
> May 20 20:58:43 localhost pam_winbind[3195]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
> May 20 20:58:43 localhost pam_winbind[3195]: user `johns' denied access (incorrect password or invalid membership)
> ---------------------------------
> Only added the winbind stuff to default debian /etc/pam.d/ssh
> # PAM configuration for the Secure Shell service
> auth sufficient pam_winbind.so
> auth required pam_nologin.so
> auth required pam_env.so # [1]
> @include common-auth
> account sufficient pam_winbind.so
> @include common-account
> session required pam_mkhomedir.so skel=/etc/skel umask=0022
> @include common-session
> session optional pam_motd.so # [1]
> session optional pam_mail.so standard noenv # [1]
> session required pam_limits.so
> @include common-password
> ---------------------------------
> [global]
> realm = MS.STILEN.COM
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template homedir = /home/%D/%U
> template shell = /usr/local/bin/bash
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = Yes
> winbind use default domain = Yes
> winbind separator = +
> workgroup = MS
> security = ADS
> password server = stan.ms.stilen.com
> wins support = yes
> wins server = stan.ms.stilen.com
> server string = %h server (Samba %v)
> dns proxy = no
> ldap ssl = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> encrypt passwords = true
> passdb backend = tdbsam guest
> obey pam restrictions = no
> invalid users = root Debian-exim daemon bin sys adm lp listen noaccess www-data
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> load printers = no
> ---------------------------------
> /etc/resolv.conf
> search ms.stilen.com
> ---------------------------------
>
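The quoted auth.log shows the pattern a defender should look for when pam_winbind reports "incorrect password or invalid membership": sshd logged "Illegal user johns" before pam_winbind ran, which means the login name could not be resolved to an account through NSS, so the later NT_STATUS_WRONG_PASSWORD is not evidence of a bad credential. The script below is an added example, not code from the original post or from Samba; it correlates sshd and pam_winbind lines by PID and separates "account not resolvable" sessions from genuine wrong-password sessions. The sample log reuses the three lines quoted in the post and adds two constructed sessions (PIDs 4102 and 5555) for contrast; the separator value matches the "winbind separator = +" setting in the quoted smb.conf.

```python
"""Correlate sshd and pam_winbind auth.log entries by PID so that a login
rejected because the account name could not be resolved is not mistaken
for a real wrong-password event (added example, not from the post)."""
import re
from collections import defaultdict

# sshd logs "Illegal user" (later OpenSSH versions: "Invalid user") when the
# login name cannot be resolved to an account through NSS; this happens
# before any password is checked.
SSHD_UNRESOLVED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>\S+)")
WINBIND_FAIL = re.compile(
    r"pam_winbind\[(?P<pid>\d+)\]: request failed: (?P<reason>.+?), "
    r"PAM error was (?P<pam>\d+), NT error was (?P<nt>\S+)")
WINBIND_DENY = re.compile(
    r"pam_winbind\[(?P<pid>\d+)\]: user `(?P<user>[^']+)' denied access")

# Same value as 'winbind separator = +' in the smb.conf quoted in the post.
WINBIND_SEPARATOR = "+"


def classify(lines, separator=WINBIND_SEPARATOR):
    """Return {pid: {...}} with a verdict for every session pam_winbind denied."""
    sessions = defaultdict(dict)
    for line in lines:
        m = SSHD_UNRESOLVED.search(line)
        if m:
            s = sessions[m["pid"]]
            s.update(unresolved=True, user=m["user"], src=m["src"])
            continue
        m = WINBIND_FAIL.search(line)
        if m:
            sessions[m["pid"]]["nt_status"] = m["nt"]
            continue
        m = WINBIND_DENY.search(line)
        if m:
            s = sessions[m["pid"]]
            s["denied"] = True
            s.setdefault("user", m["user"])

    results = {}
    for pid, s in sessions.items():
        if not s.get("denied"):
            continue  # no pam_winbind verdict for this session
        user = s.get("user", "")
        if s.get("unresolved"):
            verdict = "account-not-resolvable"
            if separator in user:
                hint = "domain-qualified name did not resolve: check nsswitch.conf and winbindd"
            else:
                hint = ("short name did not resolve through NSS: check that nsswitch.conf "
                        "lists winbind and that 'winbind use default domain' is in effect")
        else:
            verdict = "wrong-password"
            hint = "account resolved; credential rejected by the domain controller"
        results[pid] = {"user": user, "src": s.get("src"),
                        "nt_status": s.get("nt_status"),
                        "verdict": verdict, "hint": hint}
    return results


# Constructed sample: PID 3195 reproduces the three lines quoted in the
# post; PIDs 4102 and 5555 are made-up sessions added for contrast.
SAMPLE_AUTH_LOG = [
    "May 20 20:58:31 localhost sshd[3195]: Illegal user johns from ::ffff:192.168.60.161",
    "May 20 20:58:43 localhost pam_winbind[3195]: request failed: Wrong Password, "
    "PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD",
    "May 20 20:58:43 localhost pam_winbind[3195]: user `johns' denied access "
    "(incorrect password or invalid membership)",
    "May 20 21:02:10 localhost pam_winbind[4102]: request failed: Wrong Password, "
    "PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD",
    "May 20 21:02:10 localhost pam_winbind[4102]: user `MS+johns' denied access "
    "(incorrect password or invalid membership)",
    "May 20 21:05:00 localhost sshd[5555]: Illegal user nosuch from ::ffff:192.168.60.161",
]

if __name__ == "__main__":
    for pid, r in sorted(classify(SAMPLE_AUTH_LOG).items()):
        print(f"pid {pid}: {r['user']!r} -> {r['verdict']} ({r['hint']})")
```

Run against a real auth.log with `classify(open("/var/log/auth.log").read().splitlines())`. Session 3195 is flagged as account-not-resolvable, which points at NSS/winbind name resolution rather than at the password; a session with only pam_winbind lines and no preceding sshd "Illegal user" line (4102 in the sample) is the one that actually indicates a rejected credential.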