[Samba] Re: samba with ADS. winbindd ignore for user authentication

Oliver Neubauer oliver at netfirms.com
Thu Oct 20 17:45:02 GMT 2005

Thanks Rex, that was helpful. However, I have now run into something 
else. From the smb.conf documentation:

obey pam restrictions (G)

Note that Samba always ignores PAM for authentication in the case of 
encrypt passwords = yes. The reason is that PAM modules cannot support 
the challenge/response authentication mechanism needed in the presence 
of SMB password encryption.

So, if I have to use encrypted passwords, and I can't use nsswitch 
(apparently not working in FreeBSD 4.x), and PAM is ignored....am I out 
of luck?

Say it ain't so.


Rex Dieter wrote:
> Oliver Neubauer wrote:
>> I'm trying to set up samba using ADS for authentication.
>> I can successfully join the samba machine to the domain. Windows hosts 
>> can "see" the samba machine.
>> After successfully joining, doing:
>> # wbinfo -u
>> shows me ADS-defined users. Same goes for groups.
>> However, when I try and assign one of those users ownership of a file, 
>> I get:
>> # chown user1 /tmp/test
>> chown: test1: illegal user name
>> even though that user is a valid AD user.
> You need to configure pam to use nss_winbind, see
> http://us1.samba.org/samba/docs/man/Samba3-HOWTO/winbind.html#id2634773
> for example, my /etc/pam.d/system-auth contains references to pam_winbind:
> auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> ...
> account     [default=bad success=ok user_unknown=ignore] 
> /lib/security/$ISA/pam_winbind.so
> ...
> password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok

Oliver Neubauer
System Administrator

Netfirms Inc.
5160 Yonge St.
Toronto, ON, CA

More information about the samba mailing list