[Samba] Samba 3.5.6 pam problems
Andrew Lyon
andrew.lyon at gmail.com
Wed Oct 20 06:10:16 MDT 2010
On Wed, Oct 20, 2010 at 12:46 PM, Andrew Lyon <andrew.lyon at gmail.com> wrote:
> Hi,
>
> I've setup Samba 3.5.6 as a member server in a 2003R2 domain with a
> single dc, idmapping is by rfc2307 with a tdb backend for builtin
> accounts etc, I can list users and groups using wbinfo and I can
> create shares and access them from the windows server, files and
> folders owned by ad users show the correct user and group names so
> mapping appears to be working, I can su to ad accounts but I am unable
> to ssh into the system as an AD user.
>
> Relevant config files:
>
> cat /etc/samba/smb.conf
>
>
> [global]
> debug hires timestamp = yes
> workgroup = SAMBATEST
> security = ADS
> winbind use default domain = true
> realm = SAMBATEST.LOCAL
> server string = Samba file and print server
> log level = 3
> max log size = 4192
> printcap name = cups
> idmap config SAMBATEST : backend = ad
> idmap config SAMBATEST : range = 10000-10020
> idmap config SAMBATEST : schema_mode = rfc2307
> idmap config SAMBATEST : default = yes
> idmap backend = tdb
> idmap uid = 10100-10110
> idmap gid = 10100-10110
> winbind separator = +
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind refresh tickets = Yes
> winbind normalize names = Yes
> winbind nested groups = Yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> password server = w2k3r2svr.sambatest.local
> template shell = /bin/bash
> [homes]
> comment = Home Directories
> read only = No
>
> [printers]
> comment = All Printers
> guest ok = Yes
> printable = Yes
> browseable = No
> available = No
>
> cat /etc/pam.d/sshd
> auth include system-remote-login
> account include system-remote-login
> password include system-remote-login
> session include system-remote-login
>
> cat /etc/pam.d/system-remote-login
> auth include system-login
> account include system-login
> password include system-login
> session include system-login
>
> cat /etc/pam.d/system-login
> auth required pam_tally.so onerr=succeed
> auth required pam_shells.so
> auth required pam_nologin.so
> auth include system-auth
>
> account required pam_access.so
> account required pam_nologin.so
> account include system-auth
> account required pam_tally.so onerr=succeed
>
> password include system-auth
>
> session required pam_env.so
> session optional pam_lastlog.so
> session include system-auth
> session optional pam_ck_connector.so nox11
> session optional pam_motd.so motd=/etc/motd
> session optional pam_mail.so
>
> file /etc/pam.d/system-auth
> /etc/pam.d/system-auth: symbolic link to `system-auth-winbind'
>
> cat /etc/pam.d/system-auth-winbind
> #%PAM-1.0
> # $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/3.5/system-auth-winbind.pam,v 1.1 2010/03/01 16:19:54 patrick Exp $
>
> auth required pam_env.so
> auth sufficient pam_winbind.so
> auth sufficient pam_unix.so likeauth nullok use_first_pass
> auth required pam_deny.so
>
> account sufficient pam_winbind.so
> account sufficient pam_unix.so
>
> password required pam_cracklib.so retry=3
> password sufficient pam_unix.so nullok use_authtok md5 shadow
> password required pam_deny.so
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_limits.so
> session sufficient pam_unix.so
>
> Trust is ok:
>
> wbinfo -t
> checking the trust secret for domain SAMBATEST via RPC calls succeeded
>
>
> I can authenticate the user using kerberos
>
> kinit testuser
> Password for testuser at SAMBATEST.LOCAL:
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: testuser at SAMBATEST.LOCAL
>
> Valid starting Expires Service principal
> 10/20/10 12:28:11 10/20/10 19:08:11 krbtgt/SAMBATEST.LOCAL at SAMBATEST.LOCAL
>
> And with wbinfo:
>
>
> wbinfo -a testuser%abcABC123
> plaintext password authentication failed
> Could not authenticate user testuser%abcABC123 with plaintext password
> challenge/response password authentication succeeded
>
> When authenticating with wbinfo the following events are logged to log.winbindd
>
> [2010/10/20 12:39:25.902284, 3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
> [ 2329]: request interface version
> [2010/10/20 12:39:25.902435, 3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
> [ 2329]: request location of privileged pipe
> [2010/10/20 12:39:25.902626, 3] winbindd/winbindd_pam.c:818(winbindd_pam_auth)
> [ 2329]: pam auth testuser
> [2010/10/20 12:39:25.911435, 3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
> [ 2329]: request interface version
> [2010/10/20 12:39:25.911533, 3] winbindd/winbindd_misc.c:340(winbindd_info)
> [ 2329]: request misc info
> [2010/10/20 12:39:25.911628, 3]
> winbindd/winbindd_misc.c:373(winbindd_netbios_name)
> [ 2329]: request netbios name
> [2010/10/20 12:39:25.911724, 3]
> winbindd/winbindd_misc.c:362(winbindd_domain_name)
> [ 2329]: request domain name
> [2010/10/20 12:39:25.911816, 3]
> winbindd/winbindd_misc.c:244(winbindd_domain_info)
> [ 2329]: domain_info [SAMBATEST]
> [2010/10/20 12:39:25.912161, 3]
> winbindd/winbindd_pam.c:1768(winbindd_pam_auth_crap)
> [ 2329]: pam auth crap domain: [SAMBATEST] user: testuser
>
>
> But when I try to ssh into the samba server as testuser the
> authentication fails, the winbindd log entries are:
>
> [2010/10/20 12:41:39.712313, 3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
> getpwnam testuser
> [2010/10/20 12:41:41.208210, 3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
> [ 6462]: request interface version
> [2010/10/20 12:41:41.208378, 3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
> [ 6462]: request location of privileged pipe
> [2010/10/20 12:41:41.208596, 3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
> getpwnam testuser
> [2010/10/20 12:41:41.209050, 3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
> getpwnam testuser
> [2010/10/20 12:41:55.790569, 3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
> [ 6889]: request interface version
> [2010/10/20 12:41:55.790795, 3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
> [ 6889]: request location of privileged pipe
> [2010/10/20 12:41:55.791038, 3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
> getpwnam testuser
> [2010/10/20 12:41:55.795625, 3]
> winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
> getgroups testuser
> [2010/10/20 12:41:55.798148, 3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
> [ 6891]: request interface version
> [2010/10/20 12:41:55.798304, 3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
> [ 6891]: request location of privileged pipe
> [2010/10/20 12:41:55.798580, 3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
> getpwnam testuser
> [2010/10/20 12:41:55.799019, 3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
> getpwnam testuser
> [2010/10/20 12:41:57.789992, 3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
> [ 6891]: request interface version
> [2010/10/20 12:41:57.790115, 3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
> [ 6891]: request location of privileged pipe
> [2010/10/20 12:41:57.790277, 3] winbindd/winbindd_pam.c:818(winbindd_pam_auth)
> [ 6891]: pam auth testuser
> [2010/10/20 12:41:57.807080, 3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
> getpwnam testuser
> [2010/10/20 12:41:59.716477, 3]
> winbindd/winbindd_misc.c:352(winbindd_interface_version)
> [ 7019]: request interface version
> [2010/10/20 12:41:59.716632, 3]
> winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
> [ 7019]: request location of privileged pipe
> [2010/10/20 12:41:59.716828, 3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
> getpwnam testuser
> [2010/10/20 12:41:59.717221, 3]
> winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
> getpwnam testuser
>
>
> log.wb-SAMBATEST (the name of the windows dc) logs the following errors:
>
> [2010/10/20 12:43:15.749729, 3]
> winbindd/winbindd_pam.c:1466(winbindd_dual_pam_auth)
> [ 2769]: dual pam auth SAMBATEST+testuser
> [2010/10/20 12:43:15.750852, 2]
> winbindd/winbindd_pam.c:1722(winbindd_dual_pam_auth)
> Plain-text authentication for user SAMBATEST\testuser returned
> NT_STATUS_NO_SUCH_USER (PAM: 10)
>
>
> I've tried using ssh -l testuser and ssh -l SAMBATEST+testuser, it
> makes no difference to the result or the log entries.
>
> getent passwd/group returns only local users, perhaps a clue as to
> what is wrong?
>
> Any suggestions would be appreciated, I've been trying to get this
> working for quite a while but I seem to have hit a wall.
>
> Andy
>
Typical: try to fix something for 2 days, and a few mins after posting
the problem I figured it out. It appears that winbind separator = +
causes pam authentication to fail; after commenting out that line I
can login using ssh.
Looks like I'm not the only person to hit this problem:
http://www.linuxquestions.org/questions/linux-server-73/getting-pam-working-with-samba-with-active-directory-authentication-639165/
Perhaps it is a bug after all? winbind should know what separator is
being used, shouldn't it?
Andy
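As an added example (not from the post or from Samba itself), a small parser for the winbindd debug records quoted above: it regroups the wrapped header, file:line(function) and message lines into records, lists the accounts that reached "pam auth", and pulls out every NT_STATUS failure, so a NO_SUCH_USER result like the one in log.wb-SAMBATEST can be spotted without reading the log by hand. The sample log text is constructed from lines in the post.

```python
import re
from dataclasses import dataclass
# Constructed sample in the winbindd log layout quoted above (wrapped as in the mail).
SAMPLE_LOG = """\
[2010/10/20 12:41:57.790277, 3] winbindd/winbindd_pam.c:818(winbindd_pam_auth)
  [ 6891]: pam auth testuser
[2010/10/20 12:43:15.749729, 3]
winbindd/winbindd_pam.c:1466(winbindd_dual_pam_auth)
  [ 2769]: dual pam auth SAMBATEST+testuser
[2010/10/20 12:43:15.750852, 2]
winbindd/winbindd_pam.c:1722(winbindd_dual_pam_auth)
  Plain-text authentication for user SAMBATEST\\testuser returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+\.c:\d+\(\w+\)$")        # file:line(function)
REQUEST = re.compile(r"\]: (?:dual )?pam auth (\S+)$")
FAILURE = re.compile(r"authentication for user (\S+) returned (NT_STATUS_\w+) \(PAM: (\d+)\)")

@dataclass
class Record:
    timestamp: str
    level: int
    location: str = ""
    message: str = ""

def parse_winbindd_log(text):
    """Group log lines into records; the file:line(function) part may be on the header
    line or, when the log was wrapped, on the line after it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append(Record(m.group(1), int(m.group(2)), m.group(3).strip()))
        elif records:  # continuation of the current record
            rec, stripped = records[-1], line.strip()
            if not rec.location and LOCATION.match(stripped):
                rec.location = stripped
            else:
                rec.message = (rec.message + " " + stripped).strip()
    return records

def pam_auth_requests(records):
    """Account names winbindd received 'pam auth' requests for, in log order."""
    return [m.group(1) for r in records for m in [REQUEST.search(r.message)] if m]

def failed_pam_auths(records):
    """(user, NT status, PAM code) for each failed authentication record."""
    found = (FAILURE.search(r.message) for r in records)
    return [(m.group(1), m.group(2), int(m.group(3))) for m in found if m]
```

Feed it the real log.winbindd and log.wb-DOMAIN files instead of SAMPLE_LOG to see which request names and which failures winbindd actually recorded for a login attempt.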