[Samba] FreeBSD 6.1 - winbind - ssh pam problem

Michael K. Smith - Adhost mksmith at adhost.com
Fri Nov 3 18:13:12 GMT 2006

Hello All:

I am trying to authenticate against an Active Directory using winbind in
my /etc/pam.d/sshd configuration (below).  If the user is in the local
password file, I can authenticate successfully using that user's Active
Directory credentials.  However, if the user is not in the local
password file, I get the following errors.

Nov  3 10:07:48 mailnat pam_winbind[29805]: request failed: Wrong
Password, PAM error was system error (4), NT error was
Nov  3 10:07:48 mailnat pam_winbind[29805]: internal module error
(retval = 4, user = `mksmithadmin')
Nov  3 10:07:48 mailnat sshd[29805]: in _openpam_check_error_code():
pam_sm_authenticate(): unexpected return value 4
Nov  3 10:07:48 mailnat sshd[29803]: error: PAM: error in service module
for illegal user mksmithadmin from

The password for the user is valid in the Active Directory, but the user
'mksmithadmin' is not in the local password file.  The user shows up
correctly when issuing a wbinfo -u.

Here are some relevant (I hope) configurations.  Any help would be
greatly appreciated.

# /etc/pam.d/sshd

auth            sufficient
auth            sufficient      pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn
auth            requisite       pam_opieaccess.so       no_warn
auth            sufficient      pam_unix.so             no_warn
account         sufficient
account         required        pam_unix.so
session         required        pam_permit.so
password        required        pam_unix.so      no_warn try_first_pass

# /etc/nsswitch.conf

group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files

# smb.conf 

   workgroup = ADHOST
   server string = Samba Server
   security = ADS
   hosts allow = 10.142.0. 10.211.128. 127.
   load printers = no
   printing = bsd
   log file = /usr/local/samba/var/%m.log
   log level = 3
   max log size = 500
   password server = ad-pdc01
   realm = ADHOST.LAN
   passdb backend = tdbsam
   interfaces = <lots of addresses>
   local master = no
   domain master = no
   preferred master = no
   domain logons = no
   wins support = no
   dns proxy = no 
   idmap uid = 600-20000 
   idmap gid = 600-20000 
   template shell = /bin/tcsh
   template homedir = /home/%U
   winbind use default domain = Yes
   winbind separator = +
   winbind nested groups = Yes
   winbind enum users = Yes
   winbind enum groups = Yes
   syslog only = Yes
   ldap ssl = No
   encrypt passwords = Yes

# ./configure parameters

  $ ./configure CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib
--with-winbind --with-ads --with-ldap --with-msdfs
--enable-socket-wrapper --disable-cups --disable-iprint --with-pam
--with-pam_smbpass --with-exp-modules

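An added example, not part of the post or of Samba's own tooling: a small validator that reads an OpenPAM-style policy and an nsswitch.conf and reports the two things a winbind SSH login depends on, namely that every auth/account line actually names a module and that the auth and account stacks contain a pam_winbind entry, plus that passwd and group in nsswitch.conf list winbind. It also extracts retval and user from the pam_winbind "internal module error" line so the failure can be picked out of syslog. The sample inputs are constructed from the listings above; the "fixed" policy variant is an assumption that pam_winbind.so is installed where PAM can find it, and the module path used there is a placeholder.

```python
"""Validate a PAM sshd policy and nsswitch.conf for winbind-backed logins.

Added example: the inputs below are constructed from the mailing-list post,
and the 'fixed' policy is an assumed variant, not the poster's configuration.
"""
import re

# OpenPAM policy line: facility  control  module  [arguments...]
PAM_LINE = re.compile(
    r"^(?P<facility>auth|account|session|password)\s+"
    r"(?P<control>required|requisite|sufficient|optional|binding)"
    r"(?:\s+(?P<module>\S+)(?P<args>.*))?$"
)

# pam_winbind's own error line, as seen in the post's syslog excerpt
WINBIND_ERR = re.compile(
    r"pam_winbind\[\d+\]: internal module error "
    r"\(retval = (?P<retval>\d+), user = `(?P<user>[^']*)'\)"
)

SAMPLE_PAM_SSHD = """\
# /etc/pam.d/sshd, constructed to match the listing in the post
auth            sufficient
auth            sufficient      pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn
auth            requisite       pam_opieaccess.so       no_warn
auth            sufficient      pam_unix.so             no_warn
account         sufficient
account         required        pam_unix.so
session         required        pam_permit.so
password        required        pam_unix.so      no_warn try_first_pass
"""

# Assumed variant: pam_winbind.so named explicitly (placeholder module name,
# adjust to where the Samba build installed it).
FIXED_PAM_SSHD = """\
auth            sufficient      pam_winbind.so          no_warn
auth            sufficient      pam_nologin.so          no_warn
auth            sufficient      pam_unix.so             no_warn
account         sufficient      pam_winbind.so
account         required        pam_unix.so
session         required        pam_permit.so
password        required        pam_unix.so      no_warn try_first_pass
"""

SAMPLE_NSSWITCH = """\
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
"""


def parse_pam_policy(text):
    """Return one dict per policy line; 'problems' lists syntax defects."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            entries.append({"line": lineno, "facility": None, "control": None,
                            "module": None, "args": [], "problems": ["unparseable line"]})
            continue
        entry = {"line": lineno, "facility": m["facility"], "control": m["control"],
                 "module": m["module"], "args": (m["args"] or "").split(), "problems": []}
        if entry["module"] is None:
            # A control flag with no module: OpenPAM has nothing to call here.
            entry["problems"].append("control flag has no module")
        entries.append(entry)
    return entries


def parse_nsswitch(text):
    """Map each NSS database to its ordered list of sources."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        result[db.strip()] = sources.split()
    return result


def audit_winbind_stack(pam_text, nss_text):
    """Return a list of findings; an empty list means nothing obvious is missing."""
    findings = []
    entries = parse_pam_policy(pam_text)
    for e in entries:
        findings.extend(f"pam line {e['line']}: {p}" for p in e["problems"])
    for facility in ("auth", "account"):
        mods = [e["module"] for e in entries if e["facility"] == facility and e["module"]]
        if not any("pam_winbind" in m for m in mods):
            findings.append(f"pam: no pam_winbind module in the {facility} stack")
    nss = parse_nsswitch(nss_text)
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch: {db} does not list winbind")
    return findings


def parse_pam_winbind_error(line):
    """Extract retval and user from a pam_winbind 'internal module error' line."""
    m = WINBIND_ERR.search(line)
    if not m:
        return None
    return {"retval": int(m["retval"]), "user": m["user"]}


if __name__ == "__main__":
    for finding in audit_winbind_stack(SAMPLE_PAM_SSHD, SAMPLE_NSSWITCH):
        print("finding:", finding)
    print("fixed policy findings:", audit_winbind_stack(FIXED_PAM_SSHD, SAMPLE_NSSWITCH))
```

Run against the constructed copy of the posted policy, the audit flags the two control lines that carry no module and the absence of pam_winbind from the auth and account stacks, while the nsswitch.conf passes; the assumed fixed variant produces no findings. The log parser only recognises the exact pam_winbind message format shown in the post, so extend the pattern if your Samba build logs differently.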