[Samba] winbind, mod_auth_pam, and plaintext passwords

Humrick, Matt matt.humrick at advatechpacific.com
Sun May 11 23:05:18 GMT 2008

We have a working samba file server using winbind to authenticate with a
Win2003 server in native mode.
[2008/05/10 18:22:54, 5]
  set_dc_type_and_flags: domain STARTREK is in native mode.
[2008/05/10 18:22:54, 5]
  set_dc_type_and_flags: domain STARTREK is running active directory.

I now want to allow the apache web server (running on the same machine
as samba) to utilize winbind to authenticate users with domain
credentials. I have installed and configured apache with mod_auth_pam.
When I access a protected website I get a login box but it doesn't allow
me to log in with my domain user/pass.

The apache log gives the following error:
[Sat May 10 22:47:20 2008] [error] [client] PAM: user
'matt.humrick' - not authenticated: User not known to the underlying
authentication module

This along with an strace of apache shows that winbind is being used via
mod_auth_pam for authentication with no obvious errors. Tcpdump also
shows packets being exchanged between winbind and the AD Windows server.

The following error appears in the winbind log:
[2008/05/10 22:39:09, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 19
[2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn INTERFACE_VERSION
[2008/05/10 22:39:09, 3]
  [31171]: request interface version
[2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2008/05/10 22:39:09, 3]
  [31171]: request location of privileged pipe
[2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn PAM_AUTH
[2008/05/10 22:39:09, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
  [31171]: pam auth matt.humrick
[2008/05/10 22:39:09, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth(764)
  Plain text authentication for matt.humrick returned

I get a similar plaintext authentication error with wbinfo -a:
wbinfo -a matt.humrick%xxxxx
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user matt.humrick%xxxxx with plaintext password
challenge/response password authentication succeeded

So, challenge/response authentication succeeded but plaintext
authentication fails. This appears to be a configuration issue to me.
Obviously apache gives a plaintext user/pass to winbind vs. the
challenge/response method used by a WinXP client (which is working
fine). What do I need to do to allow apache to authenticate with

I've read through the smb.conf man page and looked at several settings
relating to plaintext passwords. However, I'm a bit confused as to when
these settings should be used and whether they will break the existing
functionality between the WinXP clients, winbind, and Win2003 AD server.

