[Samba] Winbind 3.0.26a cannot authenticate with ActiveDirectory
Walter Huf
hufman+samba at gmail.com
Fri Feb 22 19:43:43 GMT 2008
I am using Ubuntu Gutsy, which comes with Winbind 3.0.26a. I am using the
same configuration that worked on Ubuntu Feisty, which uses Winbind 3.0.24.
Something changed with Winbind, apparently, to break the configuration that
was working perfectly. How can I fix my configuration to work with the new
version?
The symptoms are as follows:
wbinfo -t works
wbinfo can retrieve a list of users
wbinfo can look up a user's SID by it's username
wbinfo can look up a user's username by it's SID
ntlm_auth can authenticate a user. I can not use wbinfo to verify this
because my password has a ! in it. Windows Event Viewer does not show an
event for this.
Logging in fails, generating a Windows Event with error code 0xC000006A.
su username does not work, failing with "Unknown id: username"
The relevant section of smb.conf:
workgroup = WORKGROUP
realm = WORKGROUP.TLD
security = ADS
winbind enum groups = yes
winbind enum users = yes
winbind cache time = 600
winbind nested groups = yes
winbind nss info = sfu
winbind separator = +
winbind use default domain = yes
idmap gid = 500-45000
idmap uid = 500-45000
idmap backend = ad
nsswitch.conf has the following:
passwd: files winbind
group: files winbind
Pam configuration:
auth requisite pam_nologin.so debug
auth [success=1 default=ignore] pam_localuser.so debug
auth [success=done auth_err=bad] pam_winbind.so debug
auth required pam_unix.so nullok_secure debug
account sufficient pam_winbind.so debug
account required pam_unix_acct.so debug
Relevent part of auth.log:
Feb 22 11:25:49 client sshd[4620]: Invalid user username from X.X.X.X
Feb 22 11:25:49 client sshd[4620]: Failed none for invalid user username
from X.X.X.X port 2086 ssh2
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): [pamh: 0x8006e940]
ENTER: pam_sm_authenticate (flags: 0x0001)
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): getting password
(0x00000001)
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): Verify user
'username'
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): request failed:
Wrong Password, PAM error was Authentication failure (7), NT error was
NT_STATUS_WRONG_PASSWORD
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): user 'username'
denied access (incorrect password or invalid membership)
Feb 22 11:25:49 client sshd[4620]: pam_winbind(ssh:auth): [pamh: 0x8006e940]
LEAVE: pam_sm_authenticate returning 7
Feb 22 11:25:49 client sshd[4620]: pam_unix(ssh:auth): check pass; user
unknown
Feb 22 11:25:50 client sshd[4620]: pam_unix(ssh:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X
Feb 22 11:25:51 client sshd[4620]: Failed password for invalid user username
from X.X.X.X port 2086 ssh2
klist output:
Default principal: principal at WORKGROUP.TLD
Valid starting Expires Service principal
02/22/08 10:51:58 02/22/08 20:51:43 krbtgt/WORKGROUP.TLD at WORKGROUP.TLD
renew until 02/23/08 10:51:58
02/22/08 11:20:58 02/22/08 20:51:43 dc$@WORKGROUP.TLD
renew until 02/23/08 10:51:58
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Does anyone have any ways to fix this serious problem?
More information about the samba
mailing list