[Samba] PAM winbind authentication problem NT domain

Martin Vuille martin at jpmvrealtime.com
Sun Apr 10 08:34:55 MDT 2011


I have Samba Version 3.5.8-74.fc13 (Fedora 13) set up as the PDC for an NT
domain.

I have several Windows XP Pro and Windows 7 Ultimate workstations as
domain members and everything is working fine. Domain users can log in
at the workstations, access shares on the Samba server and the other
workstations, etc.

I am in the process of adding Samba Version 3.5.8-76.fc14 (Fedora 14) as an
additional domain member. x86_64 arch, if that matters. So far I have joined
it to the domain, other workstations can see it and can access its shares.
With smbclient I can access shares on other domain members.

I want to enable authentication via PAM and winbind (Version 3.5.8-74.fc14).
I have things set up to the point where "wbinfo -u", "wbinfo -g",
"getent passwd" and "getent group" are all showing the lists of domain users
and groups. PAM has been configured as well.

But here's the rub: authentication of domain users on this workstation is
failing. When I try to log in using domain credentials, this fails with the
error NT_STATUS_NO_SUCH_USER.

If I use "wbinfo -a user%password", I get the following results:

	plaintext password authentication failed
	Could not authenticate user%password with plaintext password
	challenge/response authentication succeeded

In the logs, I see the error NT_STATUS_NO_SUCH_USER.

At this point, I'm not sure how to proceed. Should I be investigating why
plaintext authentication is failing and trying to fix it, or should I be
trying to get pam_winbind to use challenge/response authentication instead,
since that works?

I am under the impression that plaintext authentication is obsolete and
insecure (I have "encrypt passwords = yes" configured in smb.conf on both
PDC and workstation), so my inclination is towards the latter.

smb.conf from workstation (manually retyped, might have minor typos, names
and addresses changed):

	netbios name = NAME
	server string =
	workgroup = DOMAIN
	security = domain
	password server = *
	encrypt passwords = yes
	wins server = 66.67.68.69
	winbind separator = .
	idmap uid = 500-599
	idmap gid = 500-599
	idmap backend = tdb
	winbind enum users = yes
	winbind enum groups = yes
	template homedir = /home/%D/%u
	template shell = /bin/bash
	winbind rpc only = yes
	winbind offline logon = yes
	winbind normalize names = yes

Any suggestions or advice for investigating deeper would be greatly
appreciated.

(Could the version difference between samba-winbind and the other parts of
samba be the problem? I had to manually download the rpm and force an
install. Trying to install with yum did not work as the x86_64 samba-winbind
seemed to require i686 dependencies instead of using the corresponding
x86_64 packages I already had.)

MV


