[Samba] Unknown PAM failure in WIN2003/Active Directory + samba

Philippe Dhont (Sea-ro) philippe.dhont at searo.be
Mon Oct 17 09:42:49 GMT 2005



Hello,

I have an existing Windows 2003 network and am now trying to add a new Linux
server with Samba/Kerberos support for unified logon authentication.
Normally, everything is installed & this is the configuration:


- Debian with 2.6.16.4 kernel 
- heimdal kerberos
- samba log info:	
	log.smbd:
		[2005/10/17 10:48:26, 0] smbd/server.c:main(798)
  		smbd version 3.0.14a-Debian started.
  		Copyright Andrew Tridgell and the Samba Team 1992-2004

	log.nmbd:
		[2005/10/17 10:48:26, 0] nmbd/nmbd.c:main(668)
 		 Netbios nameserver version 3.0.14a-Debian started.
  		Copyright Andrew Tridgell and the Samba Team 1994-2004

	log.winbind:
		[2005/10/17 10:48:37, 1] nsswitch/winbindd.c:main(864)
 		 winbindd version 3.0.14a-Debian started.
 		 Copyright The Samba Team 2000-2004


	There are no errors in the logs when I start the services.

- smb.conf (testparm)

# Global parameters
[global]
        workgroup = TEST
        realm = TEST.LOCAL
        server string = %h server (Samba %v)
        security = ADS
        obey pam restrictions = Yes
        password server = mainserver.test.local
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        invalid users = root

[homes]
        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        browseable = No

[webcontrol]
        comment = Webcontrol test
        path = /disk2/test
        guest ok = Yes

[printers]
        comment = All Printers
        path = /tmp
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers



- nsswitch.conf

passwd:         files   winbind
group:          files   winbind
shadow:         compat

hosts:          files dns winbind
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


My krb5.conf:

[libdefaults]
        default_realm = TEST.LOCAL
        krb4_get_tickets = false
        clockskew = 300

[realms]
TEST.LOCAL = {
         kdc = MAINSERVER.TEST.LOCAL
        admin_server = 192.168.0.10
}


[domain_realm]
        mainserver.test.local = TEST.LOCAL



In my /etc/pam.d/samba file I have:
@include common-auth
@include common-account
@include common-session
auth    required        /lib/security/pam_winbind.so
account required        /lib/security/pam_winbind.so




When I do kinit Administrator@TEST.LOCAL:
primsquid:/etc/samba# kinit Administrator@TEST.LOCAL
Administrator@TEST.LOCAL's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week


When I do getent passwd, I get all the information. getent users also
gives me information.

When I try to connect from a Windows client, I get a logon screen, and
when I fill in my Windows Administrator user or another one, the logon
window comes up again.

In my logs I get the following after trying:

Log.smbd:
[2005/10/17 11:26:28, 0] smbd/server.c:main(798)
  smbd version 3.0.14a-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004


Log.nmbd:
[2005/10/17 11:26:28, 0] nmbd/nmbd.c:main(668)
  Netbios nameserver version 3.0.14a-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1994-2004


Log.winbind:
[2005/10/17 11:26:36, 1] nsswitch/winbindd.c:main(864)
  winbindd version 3.0.14a-Debian started.
  Copyright The Samba Team 2000-2004


In the newly added log file for the Windows PC I tried to connect from:

[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\phil
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
TEST\phil!
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\phil
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
TEST\phil!
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\phil
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
TEST\phil!
[2005/10/17 11:27:00, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\phil
[2005/10/17 11:27:00, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
TEST\phil!
[2005/10/17 11:27:00, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\phil
[2005/10/17 11:27:00, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
TEST\phil!
[2005/10/17 11:27:05, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\administrator
[2005/10/17 11:27:05, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
TEST\administrator!



On the Windows XP PC, I am logged in as phil, and when I connect and get
a logon prompt, I tried TEST\Administrator.



I don't find a lot of good information about this error, but I hope that
someone can help me out.


Thnx & Grtz,
Phil.
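
Added example, not part of the original post: a small parser for smbd log records in the format shown above, which re-joins the wrapped message lines and decodes the numeric PAM return code that smbd reports as "UNKNOWN PAM ERROR". The code table assumes Linux-PAM numbering (the post's host is Debian); the function names and the sample text are constructed for this example.

```python
import re
from collections import Counter

# Linux-PAM return codes from security/_pam_types.h (subset). Assumption: the
# host uses Linux-PAM; other PAM implementations number these differently.
PAM_CODES = {4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(\d+)\] (\S+):(\w+)\((\d+)\)")
PAM_ERR = re.compile(r"PAM ERROR \((\d+)\) during (.+?) for User: (\S+)")

def records(text):
    """Yield [timestamp, function, message]; wrapped message lines are re-joined."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if current:
                yield current
            current = [m.group(1), m.group(4), ""]
        elif current and line.strip():
            current[2] = (current[2] + " " + line.strip()).strip()
    if current:
        yield current

def pam_failures(text):
    """Count (user, PAM phase, decoded code name) over all PAM error records."""
    hits = Counter()
    for _ts, _func, msg in records(text):
        m = PAM_ERR.search(msg)
        if m:
            code = int(m.group(1))
            hits[(m.group(3), m.group(2), PAM_CODES.get(code, f"unknown({code})"))] += 1
    return hits

# Constructed sample in the wrapped form the mail client produced.
SAMPLE = r"""
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\phil
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
TEST\phil!
[2005/10/17 11:27:05, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\administrator
"""
if __name__ == "__main__":
    for (user, phase, name), n in pam_failures(SAMPLE).items():
        print(f"{user}: {name} during {phase} x{n}")
```

In Linux-PAM, code 9 is PAM_AUTHINFO_UNAVAIL, which a module returns when it cannot access its authentication information source.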

	











