[Samba] question regarding Perl + PAM + Winbindd

Abhay Pradhan orphean at gmail.com
Sat Sep 24 06:20:32 GMT 2005


I'm using a Perl script to call PAM to authenticate using Winbind to contact
a Windows ADS. This is on a Debian Sarge box. The machine has been added to
the domain (using Kerberos and the net ads join command). Winbindd is configured
successfully and I get this when I try to run wbinfo -a:

wbinfo -a abhay_pradhan%******
plaintext password authentication succeeded
challenge/response password authentication succeeded

However, when I use the Perl script (Authen::SimplePam package, calling
the service foobar), the winbind log shows that the user is authenticated
only using plaintext. Why not challenge/response?

package FOO::PAM;

use strict;
use warnings;
use Authen::SimplePam;

# Minimal logging helper; the posted script called debug() without defining it.
sub debug { print STDERR "@_\n"; }

# Returns 1 if PAM accepts $user/$pass for the "foobar" service, 0 otherwise.
sub is_good_pam {
    my ($user, $pass) = @_;
    my $service = "foobar";

    my $authn = Authen::SimplePam->new();
    if ($authn->auth_user($user, $pass, $service) == 1) {
        debug("success, returning 1");
        return 1;
    }
    else {
        # Note: this writes the cleartext password to the log.
        debug("failure, returning 0 with user=$user and pass=$pass");
        return 0;
    }
}

1;

Here is the output from the winbind log.

[2005/09/24 11:40:24, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
Plain-text authentication for user abhay_pradhan returned NT_STATUS_OK (PAM:

Is there something I'm doing wrong? Here is the relevant foobar service:

@include common-auth
@include common-account
auth sufficient /lib/security/pam_winbind.so debug
account sufficient /lib/security/pam_winbind.so debug

and here is the relevant smb.conf

# Global parameters
unix charset = LOCALE
workgroup = MYGROUP
netbios name = foo
server string = Samba Server

# security
security = ADS
encrypt passwords = Yes
auth methods = winbind
password server = <>

# logging
log level = 9
syslog = 0
log file = /var/log/samba/%m
max log size = 50

# user info
username map = /etc/samba/smbusers
#idmap backend = idmap_rid:MYGROUP=16777216-33554431
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
template homedir = /home/%D/%U
template primary group = "Domain Users"

# winbind
winbind use default domain = Yes
winbind separator = +
winbind enum users = No
winbind enum groups = No
winbind cache time = 300
winbind enable local accounts = no
winbind nested groups = Yes

# server related
allow trusted domains = No
obey pam restrictions = no
domain logons = No
add user script = /usr/sbin/useradd -s /bin/false '%u'
client signing = no
client use spnego = No
client schannel = no
