Bryant, Phillip -AES Phillip.Bryant at itt.com
Thu Sep 22 21:35:01 GMT 2005

FC4 with Samba 3.20
Win 2003 AD Domain, no SP1 yet

wbinfo --authenticate=dom+domtest%password yields the following

could not open handle to NETLOGON pipe (error: STATUS_BUFFER_OVERFLOW)
NTLM CRAP authentication for user [dom]\[domtest] returned STATUS_BUFFER_OVERFLOW (PAM: 4)
challenge/response password authentication failed
Could not authenticate user dom+domtest with challenge/response

from running winbindd -i -d3 logging

My smb.conf is as follows:

        workgroup = DOM
        realm = DOM.MYDOMAIN.COM
        server string = Samba Server
        security = ADS
        allow trusted domains = No
        password server = dc.dom.mydomain.com
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        os level = 30
        preferred master = No
        local master = No
        domain master = No
        browse list = No
        dns proxy = No
        wins server =
        ldap ssl = no
        idmap backend = idmap_rid:DOM=10000-100000000
        idmap uid = 10000-100000000
        idmap gid = 10000-100000000
        template shell = /bin/bash
        winbind separator = +
        winbind nested groups = Yes
        cups options = raw

I've tried playing with the authentication options so that only NTLMv2 was sent, as I'm pretty sure only NTLM and NTLMv2 are accepted by our DCs. But changing those from the defaults in smb.conf has never made a difference in how wbinfo sends password information out.

My system-auth file:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

wbinfo -u/-g and getent passwd/group all spit out the information as intended; only the authentication is giving me fits right now.

The end goal is to unify my logons to AD alone vs. having some on NIS and the rest on AD.

A text logon yields the following:

[    0]: getpwnam dom+domtest
[ 2371]: lookupname DOM+domtest
[ 2371]: lookupsid S-1-5-21-963995414-1895067062-1845911597-4472
[    0]: getpwnam dom+domtest
[ 2371]: lookupname DOM+domtest
[ 2371]: lookupsid S-1-5-21-963995414-1895067062-1845911597-4472
[    0]: request interface version
[    0]: request location of privileged pipe
[    0]: pam auth dom+domtest
[ 2371]: pam auth dom+domtest
could not open handle to NETLOGON pipe
Plain-text authentication for user dom+domtest returned STATUS_BUFFER_OVERFLOW (PAM: 4)

and /var/log/messages shows:

Sep 22 14:55:59 abq-fc4workstation pam_winbind[4900]: request failed, but PAM error 0!
Sep 22 14:55:59 abq-fc4workstation pam_winbind[4900]: internal module error (retval = 3, user = `dom+domtest')
Sep 22 14:56:02 abq-fc4workstation login[4900]: FAILED LOGIN 1 FROM (null) FOR dom+domtest, Authentication failure

As far as being a server goes, the configuration works as it is supposed to, but I'm not able to get it to act as a full client because of this authentication problem.

Phil Bryant
Systems Administrator
ITT Industries, AES
MCSE 2000

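As an added example (not from the post and not Samba's own code), here is a small Python consistency check over the kind of smb.conf settings quoted above: it parses `key = value` lines, verifies that the `idmap_rid` range lies inside the `idmap uid` / `idmap gid` ranges and that `security = ADS` has a `realm`, and splits a `DOMAIN+user` name using the configured `winbind separator`. The two config texts in the block are constructed copies of the posted settings (one unchanged, one with a deliberately mismatched uid range). The posted config passes, so this does not explain the STATUS_BUFFER_OVERFLOW on the NETLOGON pipe; it rules out an idmap or realm mismatch before the pipe failure itself is chased down.

```python
"""Consistency check for winbind-related smb.conf settings (added example).

Not Samba code: parses 'key = value' lines, checks that the idmap_rid range
fits inside 'idmap uid' / 'idmap gid', and that security = ADS has a realm.
The sample configs are constructed from the settings quoted in the post.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the relevant [global] lines from the post.
POSTED_CONF = """
        workgroup = DOM
        realm = DOM.MYDOMAIN.COM
        security = ADS
        password server = dc.dom.mydomain.com
        idmap backend = idmap_rid:DOM=10000-100000000
        idmap uid = 10000-100000000
        idmap gid = 10000-100000000
        winbind separator = +
        wins server =
"""

# Constructed variant whose uid range does not cover the idmap_rid range.
MISMATCHED_CONF = POSTED_CONF.replace("idmap uid = 10000-100000000",
                                      "idmap uid = 20000-30000")

_RANGE_RE = re.compile(r"^(\d+)-(\d+)$")
_RID_RE = re.compile(r"^idmap_rid:([^=\s]+)=(\S+)$")


def parse_smb_conf(text: str) -> Dict[str, str]:
    """Parse smb.conf style 'key = value' lines into a dict with lowercased keys.
    Comments, blank lines and [section] headers are skipped; an empty value
    (like the posted 'wins server =') is kept as ''."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """Return (low, high) for 'low-high', or None if malformed or inverted."""
    m = _RANGE_RE.match(value)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def check_idmap(params: Dict[str, str]) -> List[str]:
    """Flag idmap settings that cannot work together."""
    problems: List[str] = []
    ranges: Dict[str, Optional[Tuple[int, int]]] = {}
    for key in ("idmap uid", "idmap gid"):
        r = parse_range(params.get(key, ""))
        if r is None:
            problems.append(f"{key} is missing or malformed")
        ranges[key] = r
    backend = params.get("idmap backend", "")
    if backend.startswith("idmap_rid"):
        m = _RID_RE.match(backend)
        rid = parse_range(m.group(2)) if m else None
        if m is None or rid is None:
            problems.append("idmap backend idmap_rid needs DOMAIN=low-high")
        else:
            if m.group(1).upper() != params.get("workgroup", "").upper():
                problems.append(f"idmap_rid domain {m.group(1)} != workgroup")
            for key, r in ranges.items():
                if r and not (r[0] <= rid[0] and rid[1] <= r[1]):
                    problems.append(
                        f"idmap_rid range {m.group(2)} not inside {key} {r[0]}-{r[1]}")
    return problems


def check_ads(params: Dict[str, str]) -> List[str]:
    """security = ADS requires a Kerberos realm to be set."""
    if params.get("security", "").lower() == "ads" and not params.get("realm"):
        return ["security = ADS but realm is not set"]
    return []


def split_winbind_name(params: Dict[str, str], name: str) -> Optional[Tuple[str, str]]:
    """Split DOMAIN<sep>user using the configured winbind separator (default '\\')."""
    sep = params.get("winbind separator", "\\")
    if sep not in name:
        return None
    dom, _, user = name.partition(sep)
    return dom, user


def audit(text: str) -> List[str]:
    """Run all checks over one smb.conf text and return the list of findings."""
    params = parse_smb_conf(text)
    return check_idmap(params) + check_ads(params)


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("mismatched", MISMATCHED_CONF)):
        print(label, audit(conf) or "no findings")
    print(split_winbind_name(parse_smb_conf(POSTED_CONF), "dom+domtest"))
```

Run it as a script to see both configs audited; feed `audit()` the `[global]` section of a real smb.conf to reuse the check elsewhere. The parser ignores section headers, so pass only the section you mean to check.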
