[Samba] winbind authentication trouble

Stefan Froehlich samba at froehlich.priv.at
Thu Sep 9 08:22:36 MDT 2010


A Debian/Lenny-Server is connected to a PDC (using samba) and tries to
authenticate logins via pam_winbind. User mapping and everything else
needed works fine (i.e. especially getent shows all the accounts),
however remote logins of domain users fail. I have:

| gatekeeper:~# cat /etc/pam.d/common-auth
| [...]
| auth    sufficient      pam_unix.so nullok_secure
| auth    required        pam_winbind.so debug use_first_pass

and (limited to the winbind-relevant entries) in the smb.conf:

| workgroup = [...]
| netbios name = [...]
| os level = 0
| preferred master = no
| domain master = no
| local master = no
| security = domain
| wins support = no
| wins server = [...]
| password server = [...]
| passdb backend = tdbsam
| obey pam restrictions = yes
| idmap uid = 10000-20000
| idmap gid = 10000-20000
| template shell = /bin/bash
| winbind enum groups = yes
| winbind enum users = yes
| winbind use default domain = yes


and if someone tries to log in, I get:

| [...] sshd[19524]: pam_winbind(sshd:auth): [pamh: 0x7f4a5dd15040] ENTER: pam_sm_authenticate (flags: 0x0001)
| [...] sshd[19524]: pam_winbind(sshd:auth): getting password (0x00000011)
| [...] sshd[19524]: pam_winbind(sshd:auth): pam_get_item returned a password
| [...] sshd[19524]: pam_winbind(sshd:auth): Verify user 'sfroehli'
| [...] sshd[19524]: pam_winbind(sshd:auth): request failed: Invalid parameter, PAM error was System error (4), NT error was NT_STATUS_INVALID_PARAMETER
| [...] sshd[19524]: pam_winbind(sshd:auth): internal module error (retval = 4, user = 'sfroehli')
| [...] sshd[19524]: pam_winbind(sshd:auth): [pamh: 0x7f4a5dd15040] LEAVE: pam_sm_authenticate returning 4
| [...] sshd[19524]: Failed password for sfroehli from 192.168.1.245 port 49078 ssh2

Sounds to me like "almost working, but not quite". Looking for a solution on
the net only brought up an IRC log of the Samba developers which is not really
enlightening to me (plus a German clone of this posting sent by me a few days
ago).

The problem is, I do not even know where to start looking for an error (which I
assume has been made by me at some place, as this is not such an uncommon
setting).

Any ideas?

Ciao,
Stefan

