[Samba] [PLUG] Ongoing saga with Samba and AD

Mike Leone turgon at mike-leone.com
Sat Mar 27 22:35:59 MDT 2010

Ben Love had this to say:
> * Mike Leone wrote on [2010-03-27 22:02:38 -0400]:
>> I tried to log on as "DACRIB+administrator" at the physical console. I 
>> was prompted twice for my password (dunno if that's because my password 
>> has a "!" in it or not). Then it starts to login. I see the motd. I see 
>> it say that it was trying to create a home directory for administrator 
>> in "/home/DACRIB/administrator" - which is exactly what it should do.
>> Then I am immediately logged out, and returned to a new login prompt. No 
>> other messages on the console, nothing.
> This sounds like a problem with PAM configuration.  I've definitely had
> PAM ask for my password multiple times when I set up things like
> pam_mount and so on.  

I have an idea that it tries to look up the user as local, and fails. 
And then asks again, to authenticate remotely. Maybe one of those 
"use_first_pass" options will help? Or re-ordering the local vs winbind 

> PAM is probably also responsible for the immediate
> logout.  The /etc/pam.d/common-* files are the most likely culprits.
> (You may also have an /etc/pam.d/login file, but that usually just links
> to the common-* files.)
> Congratulations on getting this far!  You're nearly there.

Almost, almost ...

Here's the auth.log (I added "debug=yes" to pam_winbind.conf, and 
"krb5_auth=yes") on a failed login:

am_unix(login:auth): authentication failure; logname=DACRIB+ldap-proxy 
uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=DACRIB+ldap-proxy
pam_winbind(login:auth): [pamh: 0x89f63b8] ENTER: pam_sm_authenticate 
(flags: 0x0000)
pam_winbind(login:auth): getting password (0x00000181)
pam_winbind(login:auth): Verify user 'DACRIB+ldap-proxy'
pam_winbind(login:auth): PAM config: krb5_ccache_type 'FILE'
pam_winbind(login:auth): enabling krb5 login flag
pam_winbind(login:auth): enabling request for a FILE krb5 ccache
pam_winbind(login:auth): request wbcLogonUser succeeded
pam_winbind(login:auth): user 'DACRIB+ldap-proxy' granted access
pam_winbind(login:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10006
pam_winbind(login:auth): Returned user was 'DACRIB+ldap-proxy'
pam_winbind(login:auth): [pamh: 0x89f63b8] LEAVE: pam_sm_authenticate 
returning 0 (PAM_SUCCESS)
pam_unix(login:session): session opened for user DACRIB+ldap-proxy by 
pam_winbind(login:setcred): [pamh: 0x89f63b8] ENTER: pam_sm_setcred 
(flags: 0x0002)
pam_winbind(login:setcred): PAM_ESTABLISH_CRED not implemented
pam_winbind(login:setcred): [pamh: 0x89f63b8] LEAVE: pam_sm_setcred 
returning 0 (PAM_SUCCESS)
pam_unix(login:session): session closed for user DACRIB+ldap-proxy

Looks like it *should* be working - it's using kerberos, as I told 
winbind to do; I see "request wbcLogonUser succeeded". I see "granted 
access". Then I see the session closed. :-(

I suppose this means that tomorrow, I concentrate on the 
"common-session" parts of /etc/pam.d
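
Added example, not part of the original message: a small Python parser that reduces an auth.log excerpt like the one above to a per-stage PAM timeline and names the stage where the login stopped. The sample lines are constructed from the excerpt with the wrapped lines rejoined; the function names and the assumption that the excerpt covers a single login attempt are this example's own.

```python
import re

# Constructed sample modelled on the auth.log excerpt in the message above
# (wrapped lines rejoined; syslog timestamp/host prefix absent, as posted).
SAMPLE = """\
pam_unix(login:auth): authentication failure; logname=DACRIB+ldap-proxy uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=DACRIB+ldap-proxy
pam_winbind(login:auth): request wbcLogonUser succeeded
pam_winbind(login:auth): user 'DACRIB+ldap-proxy' granted access
pam_winbind(login:auth): [pamh: 0x89f63b8] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
pam_unix(login:session): session opened for user DACRIB+ldap-proxy by
pam_winbind(login:setcred): [pamh: 0x89f63b8] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
pam_unix(login:session): session closed for user DACRIB+ldap-proxy
"""

LINE = re.compile(r"^(pam_\w+)\(\w+:(\w+)\):\s*(.*)$")
RETURN = re.compile(r"LEAVE: pam_sm_\w+ returning \d+ \((\w+)\)")
SESSION = re.compile(r"session (opened|closed) for user (\S+)")

def pam_timeline(text):
    """Return (module, stage, outcome) for each line that records a result."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        module, stage, msg = m.groups()
        ret, sess = RETURN.search(msg), SESSION.search(msg)
        if ret:
            events.append((module, stage, ret.group(1)))
        elif msg.startswith("authentication failure"):
            events.append((module, stage, "AUTH_FAILURE"))
        elif sess:
            events.append((module, stage, sess.group(1).upper()))
    return events

def failing_stage(text):
    """Name the PAM stage where one login attempt stopped (single attempt assumed)."""
    ev = pam_timeline(text)
    if not any(s == "auth" and o == "PAM_SUCCESS" for _, s, o in ev):
        return "auth"
    outcomes = [o for _, s, o in ev if s == "session"]
    if "OPENED" not in outcomes:
        return "pre-session"  # authenticated, but no session was ever opened
    if "CLOSED" in outcomes:
        return "session"      # opened and torn down within the same attempt
    return None               # session still open: the login worked

if __name__ == "__main__":
    for event in pam_timeline(SAMPLE):
        print(event)
    print("stopped at:", failing_stage(SAMPLE))
```

The timeline also shows the pam_unix auth failure that precedes the pam_winbind success for the same user.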
