[Samba] SLES 10 - Winbind-problem

danny.petterson at accenture.com danny.petterson at accenture.com
Fri Feb 6 12:21:11 GMT 2009

Hi Gurus!


Hope you can help me - I'm trying to get my SLES 10 SP2-box to
authenticate users against Windows AD using Winbind, but I can't get it
to work as I want. I have configured smb, winbind and Kerberos, and
kinit, list, net ads join, wbinfo etc. works fine - but when I try to
login, user xx.xx.admin, it fails. This is what I got in my


eb  6 12:15:09 045gev-rcms-001 sshd[16209]: pam_winbind(sshd:auth):
request failed: Access denied, PAM error was System error (4), NT error

Feb  6 12:15:09 045gev-rcms-001 sshd[16209]: pam_winbind(sshd:auth):
internal module error (retval = 4, user = xx.xx.admin')


...which is kind of weird, as the password is fine, works on Windows,
and on some HP-UX-boxes where I use LDAP/Kerberos to authenticate
through Windows AD.


Also, at various points, it puts this in the warn-file:

Feb  6 13:16:01 045gev-rcms-001 winbindd[1421]: [2009/02/06 13:16:01, 0]

Feb  6 13:16:01 045gev-rcms-001 winbindd[1421]:
kerberos_kinit_password 045GEV-RCMS-001$@VELUX.ORG failed:
Preauthentication failed


Any hint, help etc. will be appreciated - configuration is stated below.


Thanx in advance.


Here is my conf-files:

cat /etc/samba/smb.conf


       workgroup = DOMAIN

       security = ads

       netbios name = 045gefvsora003

       realm = DOMAIN.ORG

       password server = 045geveladdc001.velux.org

       workgroup = DOMAIN.ORG

       idmap uid = 1000-29999

       idmap gid = 1000-29999

       winbind separator = +

       winbind enum users = yes

       winbind enum groups = yes

       winbind use default domain = yes

       template homedir = /home/%U

       template shell = /bin/bash

       client use spnego = yes

       domain master = no

       server string =


cat /etc/krb5.conf


       default_realm = VELUX.ORG



       VELUX.ORG = {

               kdc = 045geveladdc001.velux.org

               kdc = 045geveladdc002.velux.org

               kdc = 045geveladdc003.velux.org



       .velux.org = VELUX.ORG

       velux.org = VELUX.ORG


cat /etc/nsswitch.conf


passwd:         compat winbind

group:          compat winbind

shadow:         compat

hosts:          files dns wins

networks:       files

protocols:      db files

services:       db files

ethers:         db files

rpc:            db files

netgroup:       nis


cat /etc/pam.d/common-account

account sufficient      pam_winbind.so

account required        pam_unix2.so


cat /etc/pam.d/common-auth

auth    sufficient      pam_winbind.so

auth    required        pam_env.so

auth    required        pam_unix2.so


cat /etc/pam.d/common-password

assword required       pam_pwcheck.so  nullok

password required       pam_unix2.so    nullok_secure use_first_pass


cat /etc/pam.d/common-session

session required        pam_limits.so

session required        pam_unix2.so

session required        pam_mkhomedir.so umask=0022 skel=/etc/skel


cat /etc/security/pam_winbind.conf



# turn on debugging

;debug = yes


# request a cached login if possible

# (needs "winbind offline logon = yes" in smb.conf)

;cached_login = no


# authenticate using kerberos

;krb5_auth = yes


# when using kerberos, request a "FILE" krb5 credential cache type

# (leave empty to just do krb5 authentication but not have a ticket

# afterwards)

;krb5_ccache_type =


# make successful authentication dependend on membership of one SID

# (can also take a name)

;require_membership_of =


# password expiry warning period in days

;warn_pwd_expire = 14 



Lots of greetings

Danny Petterson

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information.  If you have received it in error, please notify the sender immediately and delete the original.  Any other use of the email by you is prohibited.

More information about the samba mailing list