[Samba] ADS, pam_winbind and vsftpd

Stefan G. Weichinger lists at xunil.at
Thu Nov 5 02:09:39 MST 2009

Greets ... I am not getting it.

I have samba (old one, 3.0.22-11-SUSE-CODE10) in an ADS-context, winbind
works OK ...

I am trying to connect vsftpd to winbind via PAM, this works TOO GOOD ;-)

Currently I am able to log in to vsftpd with ANY password, that's bad.

I am not understanding that PAM-stuff and I have some pressure to get
that ftp-server up, so please would someone help me out?

My file:

This one is heavily edited now, as I played trial and error for hours.

# cat /etc/pam.d/vsftpd

# Uncomment this to achieve what used to be ftpd -A.
# auth required pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail

auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_shells.so

account sufficient	pam_winbind.so
account	required	pam_unix2.so

password required       pam_pwcheck.so	nullok
password required       pam_unix2.so    nullok use_first_pass use_authtok

session	required	pam_limits.so
session	required	pam_unix2.so


The logs show (I used a correct user and a wrong password):

Nov  5 09:55:25 comm01 vsftpd: Thu Nov  5 09:55:25 2009 [pid 6323]
Nov  5 09:55:32 comm01 pam_winbind[6322]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
Nov  5 09:55:32 comm01 pam_winbind[6322]: user `DOM\user' denied access (incorrect password or invalid membership)
Nov  5 09:55:32 comm01 pam_winbind[6322]: user 'DOM\user' OK
Nov  5 09:55:32 comm01 pam_winbind[6322]: user 'DOM\user' granted access

Why does it deny first and then grant access anyway?

Is it a bug in the old samba-release or just my mistake?

Thanks for any help on this, I just don't see it ...
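
Added example, not part of the original post: a simplified model of how Linux-PAM combines the `required`, `requisite`, `sufficient` and `optional` control flags, run over the three `auth` lines posted above. The module results for a wrong password and the `STRICT_AUTH` variant are assumptions constructed for illustration; bracket syntax and `include` lines are not modelled.

```python
# Simplified Linux-PAM control-flag evaluation (illustrative model only).

# The auth lines from the posted /etc/pam.d/vsftpd.
POSTED_AUTH = """\
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_shells.so
"""

# Hypothetical variant: pam_winbind must succeed instead of being "sufficient".
STRICT_AUTH = POSTED_AUTH.replace("sufficient", "required")

# Constructed module results: user not in /etc/ftpusers, password rejected
# by winbind, login shell listed in /etc/shells.
WRONG_PASSWORD = {"pam_listfile.so": True, "pam_winbind.so": False, "pam_shells.so": True}
RIGHT_PASSWORD = dict(WRONG_PASSWORD, **{"pam_winbind.so": True})


def parse(stack_text, mgmt_type="auth"):
    """Return [(control, module_basename)] for lines of the given type."""
    entries = []
    for line in stack_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == mgmt_type:
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries


def evaluate(entries, results):
    """True if the stack as a whole succeeds for the given module results."""
    required_failed = False
    any_success = False
    for control, module in entries:
        ok = results[module]
        if control in ("required", "requisite"):
            if ok:
                any_success = True
            elif control == "requisite":
                return False          # requisite failure ends the stack at once
            else:
                required_failed = True  # remembered, later modules still run
        elif control == "sufficient" and ok and not required_failed:
            return True               # success short-circuits the stack
        # a failing "sufficient" and any "optional" result are ignored
    return any_success and not required_failed


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_AUTH), ("strict", STRICT_AUTH)):
        print(name, "wrong password accepted:", evaluate(parse(stack), WRONG_PASSWORD))
```

In this model the posted stack succeeds with a wrong password because the failed `sufficient` module is ignored and both `required` modules pass; the strict variant fails.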


