[Samba] Unified logons with winbind and tdbsam backend

Juha Pietikäinen juha.pietikainen at connet.net
Tue Nov 8 12:03:14 GMT 2005

I am trying to set up unified logons for my VPN (L2TP/IPsec) users.

My goal is to get rid of the chap.secrets file and use winbind to authenticate
against the tdbsam password backend located on the PDC (Fedora Core 1) running
Samba 3.0.21pre1. I have also tried with older Samba versions without
success. Using winbind should allow password changes from the Windows XP
Pro (SP2) client using CTRL+ALT+DEL.

smb.conf, nsswitch.conf and pam.d/system-auth are configured as they should be
(according to Samba3-ByExample). winbind.so and the ntlm_auth helper are added in
the ppp (2.4.3) configuration file.

Testing with ntlm_auth and wbinfo -a from the server both succeed with the given
username (and domain+winbind separator+username) and password combination,
but I can't log on from the Windows XP client using winbind. Without winbind
(ms-chap-v2) authentication works fine. wbinfo -t works but wbinfo -u and
wbinfo -g don't work.

I receive the following error messages with the ppp debug option:
fgets() failed! dying..... errno=1 (Operation not permitted)
Peer DOMAIN\\user failed CHAP authentication

I haven't tried with LDAP yet because I want to keep things simple and my
network is small.

Has anybody got this working with a similar configuration?

Juha Pietikäinen 
