[Samba] winbindd behaving oddly

Glenn Bailey gbailey at terremark.com
Wed Aug 6 23:42:40 GMT 2008

Hello folks,

Been beating my head with winbind and pam just behaving oddly. I have followed
various HOW-TOs, wikis, and docs, and just can't seem to get past a wall. Here are
some of the issues:

- the 1st attempt at ssh'ing to a server gives me a 'Wrong Password' in the logs. Here's
an exact snippet:

Aug  6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD

I get this w/o even entering a password. If I break out and just hit it 2 more times it will lock the account out
as expected.

- require_membership_of seems to be flat out ignored. It will work if I have one group, and put it in
the 'auth' section of the system-auth file, but I have multiple groups. If I put multiple groups under the
'auth' section it will try to authenticate for each group and lock the account out if the password is
typed a single time. Putting this in the 'session' section, it is flat out ignored. Here's my system-auth:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
account     required      /lib/security/$ISA/pam_permit.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group

glenn @ terremark worldwide
