[Samba] Problems authenticating Ubuntu 8.04 client (gdm) against Samba (Ubuntu 8.04) domain server

Jeff LePage Jeff.LePage at asg.com
Tue Jul 29 11:55:39 GMT 2008

Problem solved.

There was a spelling error in my configuration, introduced during a
hasty edit.  Once I fixed that and rebooted everything works.

-----Original Message-----
From: samba-bounces+jeff.lepage=asg.com at lists.samba.org
[mailto:samba-bounces+jeff.lepage=asg.com at lists.samba.org] On Behalf Of
Jeff LePage
Sent: Monday, July 28, 2008 9:21 AM
To: samba at lists.samba.org
Subject: [Samba] Problems authenticating Ubuntu 8.04 client (gdm)
against Samba (Ubuntu 8.04) domain server



Does anyone have a working pam configuration that allows gdm logins?  My
current config works with ssh and bash logins.  I'd like gdm to work
with usernames like DOMAIN\\USERNAME.




I'm trying to get a Linux client (Ubuntu 8.04) to authenticate against a
Samba domain controller (also Ubuntu 8.04).  Windows XP clients work fine
with the Samba PDC.


I have managed to get logins to work for ssh and at the bash prompt,


login: ora\\bob


This works fine, but logging in at the console does NOT work.  When I
try to log in using gdm, I get a popup that says that "Authentication
failed". This is not the normal error message when logging in as a local
user with an incorrect password.  This indicates to me that the user
"ORA\\bob" (and all syntactic variations thereof) is being recognized as
a domain user, but the password server is rejecting the user.


The (relevant portions of) smb.conf on the client system are:

   workgroup = ORA # this is my domain name
   security = Domain
   encrypt passwords = true
   password server = samba1 # this is my Ubuntu8.04 samba domain
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   pam password change = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind cache time = 5
   winbind enum users = yes
   winbind enum groups = yes



My /etc/pam.d/gdm is shown below.  Ubuntu separates out certain blocks
into common files that are included in the application specific files.
I have included the includes:


auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale

#@include common-auth
auth    sufficient      pam_winbind.so
auth    sufficient      pam_unix.so nullok_secure use_first_pass
auth    optional        pam_smbpass.so migrate missingok
#@include common-auth

auth    optional        pam_gnome_keyring.so

#@include common-account
account sufficient      pam_winbind.so
account required        pam_unix.so
#@include common-account

session required        pam_limits.so

#@include common-session
session required        pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
#@include common-session

session optional        pam_gnome_keyring.so auto_start

#@include common-password
password   requisite   pam_unix.so nullok obscure md5
password   optional   pam_smbpass.so nullok use_authtok use_first_pass
#@include common-password
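
Since the fix turned out to be a spelling error in a configuration file, a lint pass over a PAM stack like the one above is one way to catch that class of mistake before rebooting. This is an added example, not part of the original messages: `lint_pam`, the installed-module set and the two typos in the sample are constructed for illustration (the thread does not say which file or word was misspelled).

```python
import difflib
import os
import re

PAM_TYPES = {"auth", "account", "session", "password"}
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional",
                "include", "substack"}
LINE_RE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed sample: lines from the gdm stack above with two typos injected.
SAMPLE = """\
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
#@include common-auth
auth    sufficent       pam_winbind.so
auth    sufficient      pam_unix.so nullok_secure use_first_pass
account sufficient      pam_windbind.so
account required        pam_unix.so
"""
# Constructed stand-in for a listing of the system's PAM module directory.
INSTALLED = {"pam_nologin.so", "pam_env.so", "pam_winbind.so",
             "pam_unix.so", "pam_smbpass.so"}

def _hint(word, known):
    """Suggest the closest known spelling, if any is close enough."""
    close = difflib.get_close_matches(word, sorted(known), n=1)
    return f" (did you mean '{close[0]}'?)" if close else ""

def lint_pam(text, installed_modules):
    """Return (line_no, message) findings for one PAM service file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "@include")):
            continue  # blank lines, comments and @include directives
        m = LINE_RE.match(line)
        if not m:
            findings.append((no, "cannot parse line"))
            continue
        ptype, control, module = m.groups()
        if ptype.lstrip("-") not in PAM_TYPES:  # a leading '-' is allowed
            findings.append((no, f"unknown type '{ptype}'" + _hint(ptype, PAM_TYPES)))
        if not control.startswith("[") and control not in PAM_CONTROLS:
            findings.append((no, f"unknown control '{control}'" + _hint(control, PAM_CONTROLS)))
        if control not in ("include", "substack"):  # those name a file, not a module
            name = os.path.basename(module)
            if name not in installed_modules:
                findings.append((no, f"module '{name}' not installed" + _hint(name, installed_modules)))
    return findings
```

In real use the module set would come from listing the PAM module directory on the client, and the same idea applies to smb.conf parameter names.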
