[Samba] AD logins using winbind looking for user in /etc/shadow

Jason Mogavero chemhead at gmail.com
Wed Sep 6 00:00:56 GMT 2006

I'm running CentOS 4.3 with the most recent samba-client and samba-common
rpms.  I've managed to configure samba/winbind to allow me to join the box
to the AD, create the UID and GID mappings,  etc.  However, when I try to
connect via ssh, the account cannot log in.  /var/log/messages says the

Sep  5 17:15:25 kdcdmz sshd[6263]: error: Could not get shadow information
for jason.mogavero
Sep  5 17:15:25 kdcdmz sshd[6263]: Failed password for jason.mogavero from port 3646 ssh2

net ads status, getent passwd, and wbinfo all show the expected output with
no errors.  I'll include some of that output at the end of the config files.

It shouldn't be looking for a shadow password, it should be checking against
the AD user database, right?  Here are my configs.  I've pored over them
and compared them to several How-Tos and working configs and can't find
anything different.  If this would be better placed in the PAM list, let me
know and I'll send it there.


workgroup = KDCTEST
password server = adauth.kdctest.com
security = ads
encrypt passwords = yes
allow trusted domains = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind separator = \
winbind cache time = 10
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%U
client use spnego = yes


 default_realm = kdctest.com
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5

 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

  kdc = adauth.kdctest.com:88
  admin_server = adauth.kdctest.com:749
  default_domain = kdctest.com


 kdctest.com = {
  kdc = adauth.kdctest.com
  admin_server = adauth.kdctest.com

  kdc = adauth.kdctest.com


        kdctest.com = KDCTEST.COM
        .kdctest.com = KDCTEST.COM
        adauth.kdctest.com = KDCTEST.COM


passwd:     files winbind
shadow:     files
group:      files winbind

hosts:      files dns

bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  files
automount:  files winbind
aliases:    files


auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

And finally, /etc/pam.d/system-auth

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
#auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
#account     [default=bad success=ok user_unknown=ignore]
#account     [default=bad success=ok user_unknown=ignore]
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
#password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
#session     optional      /lib/security/$ISA/pam_krb5.so

Now here's some output from testing AD connectivity:

net ads info
LDAP server:
LDAP server name: adauth
Bind Path: dc=KDCTEST,dc=COM
LDAP port: 389
Server time: Tue, 05 Sep 2006 17:37:55 GMT
KDC server:
Server time offset: -14

getent passwd  (just the AD stuff is shown here)
jason.mogavero:*:10004:10000:Jason Mogavero:/home/jason.mogavero:/bin/bash

wbinfo -u

Any ideas as to where the problem might lie?  Thanks.
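Two things worth checking before touching the configs, added here as reader notes rather than anything from the post. First, in OpenSSH's portable build the message "Could not get shadow information for ..." is logged by sshd's own shadow lookup (auth-shadow.c), which sshd only performs when password authentication is not handed to PAM, so confirm `UsePAM yes` in /etc/ssh/sshd_config; libnss_winbind provides passwd and group entries but no shadow map, so any direct getspnam() on an AD user will fail, and `shadow: files` in nsswitch.conf is correct and not the cause. Second, once sshd does go through PAM, the posted `account` stack still rejects an AD user: `account required pam_unix.so` runs first and, for a user with no shadow entry, the pam_unix of that era returns PAM_AUTHINFO_UNAVAIL unless given `broken_shadow`; because that is a `required` failure, the later `sufficient pam_winbind.so` cannot rescue the stack. Simply adding `broken_shadow` lets AD users in, but leaves a second problem: `sufficient` discards any failure pam_winbind reports (a disabled account, logon-hours violation), and `pam_permit.so` at the end then approves the login. The usual cure is the bracketed control that is already half-present, commented out, in the posted file: `[default=bad success=ok user_unknown=ignore]`.

The following is an added example, not code from the original post, Samba or Linux-PAM: a small evaluator that walks an `account` stack with libpam's ok/done/bad/die/ignore bookkeeping, fed the posted stack, the naive `broken_shadow`-only fix, and the authconfig-style stack. The pam_unix, pam_winbind and pam_succeed_if verdicts are a model (assumptions stated in the comments: pam_unix fails a shadow-less user without `broken_shadow`, pam_winbind reports PAM_USER_UNKNOWN for non-domain users and a failure for a disabled domain account), and the three user records are constructed.

```python
"""Evaluate a PAM 'account' stack the way libpam dispatches it.

Added example, not code from the original post, Samba or Linux-PAM.
Module verdicts are a MODEL (assumptions noted inline); users are constructed.
"""
import os
import re

# PAM return codes used by the model (names as in <security/_pam_types.h>).
PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"

# What the simple control keywords expand to, per pam.conf(5).
SIMPLE_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The 'account' lines exactly as posted.
POSTED_STACK = """\
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
account     required      /lib/security/$ISA/pam_permit.so
"""

# Only broken_shadow added: AD users get in, but 'sufficient' discards any
# failure pam_winbind reports and pam_permit then approves the login.
NAIVE_STACK = POSTED_STACK.replace("pam_unix.so", "pam_unix.so broken_shadow")

# authconfig-style stack: a pam_winbind failure counts ('default=bad'),
# local users, which winbind does not know, are skipped ('user_unknown=ignore').
FIXED_STACK = """\
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so
"""

# Constructed users: AD user (passwd via winbind, no shadow entry), a local
# user, and an AD user whose account is disabled in the directory.
AD_USER = {"uid": 10004, "shadow": False, "domain": True, "disabled": False}
LOCAL_USER = {"uid": 500, "shadow": True, "domain": False, "disabled": False}
DISABLED_USER = {"uid": 10007, "shadow": False, "domain": True, "disabled": True}

LINE_RE = re.compile(r"^account\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Return [(actions, module, args)] for the 'account' lines of a PAM file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line and not line.startswith("#") else None
        if not m:
            continue
        control, module, args = m.groups()
        if control.startswith("["):   # [value=action ...] form
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = SIMPLE_CONTROLS[control]
        entries.append((actions, os.path.basename(module), args.split()))
    return entries


def module_result(module, args, user):
    """Modelled account-phase verdicts (assumptions, not real module calls)."""
    if module == "pam_unix.so":
        # Assumed: no shadow entry -> PAM_AUTHINFO_UNAVAIL unless broken_shadow.
        return PAM_SUCCESS if user["shadow"] or "broken_shadow" in args else PAM_AUTHINFO_UNAVAIL
    if module == "pam_succeed_if.so":
        field, op, value = args[:3]
        if field == "uid" and op == "<":
            return PAM_SUCCESS if user["uid"] < int(value) else PAM_AUTH_ERR
        raise ValueError("unmodelled pam_succeed_if condition: " + " ".join(args))
    if module == "pam_winbind.so":
        # Assumed: non-domain user -> PAM_USER_UNKNOWN; disabled -> a failure.
        if not user["domain"]:
            return PAM_USER_UNKNOWN
        return PAM_ACCT_EXPIRED if user["disabled"] else PAM_SUCCESS
    if module == "pam_permit.so":
        return PAM_SUCCESS
    raise ValueError("unmodelled module: " + module)


def evaluate(stack_text, user):
    """Walk the stack with libpam's ok/done/bad/die/ignore bookkeeping."""
    impression = None          # None: no module has voted yet
    status = PAM_SUCCESS
    for actions, module, args in parse_stack(stack_text):
        ret = module_result(module, args, user)
        action = actions.get(ret[4:].lower(), actions["default"])
        if action in ("ok", "done"):
            # A vote only counts while nothing has failed yet.
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                impression = "positive" if ret == PAM_SUCCESS else "negative"
                status = ret
            if impression == "positive" and action == "done":
                return status  # 'sufficient' success ends the stack early
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret  # first failure decides
            if action == "die":
                return status
        # 'ignore': the module has no vote at all
    return PAM_PERM_DENIED if impression is None else status


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_STACK), ("naive", NAIVE_STACK), ("fixed", FIXED_STACK)):
        for who, user in (("AD", AD_USER), ("local", LOCAL_USER), ("disabled AD", DISABLED_USER)):
            print("%-6s stack, %-11s user -> %s" % (name, who, evaluate(stack, user)))
```

Running it shows the posted stack returning PAM_AUTHINFO_UNAVAIL for the AD user while local users pass, the naive stack letting the disabled AD user through, and the bracketed stack admitting the AD and local users but failing the disabled one. One more thing to look at while in krb5.conf: Kerberos realm names are case-sensitive, and the posted file sets `default_realm = kdctest.com` while the domain_realm mappings point at `KDCTEST.COM`.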

