[Samba] pam_winbind([sshd|su|...]:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND

Linda Walsh samba at tlinx.org
Thu Mar 3 12:31:15 MST 2011





I've been getting these in my log for some time and was wondering what I had
to do to get 'pam_winbind' to 'work' with my samba 'DC'?

In looking around the net, others w/this error message were having a
problem with blocking logins and password changes, completely.

In my case, I have the 'pam_winbind.so' module in '/etc/pam.d/common-passwd'
set up with 'password sufficient', instead of 'password required', and have
other modules (like pam_unix2) that can continue the authorization should
pam_winbind fail.   So the above error doesn't seem to prevent any
valid operation from succeeding,
  BUT
  I'm wondering why I am getting the error.  I.e.

  1) is it a mistake for samba (or winbind, or whoever) to have configured
winbind to be in the pam-authorization chain *at-all*?   OR
  2) Since I am trying to run my samba server as a DC (my local Win7 Workstation
is joined to the domain), I *should* have this module in the stack, but somehow
it isn't configured correctly (this is what I believe to be the case).

  In the case of 2, the errors seem to occur only on authorizations occurring
on the DC (i.e. the main machine running samba in DC mode).  So somehow,
winbind isn't set up to correctly process 'unix' validations through my
samba DC.

Is this type of 'unix' verification supported against a 3.5.4 Samba DC,
or is this only supported for testing against a windows DC?

I.e. if it is the latter, then I shouldn't try to use winbind at all(?) :-(.

If it is supported, any idea where I might look to see why winbind
isn't supporting 'local' Samba DC validation?


I could just take the route of 'disabling' any attempt at using winbind
for my unix validation attempts as an 'easy way out' to get rid of these
messages, but I'd prefer to fix the problem rather than bury it,
**IF POSSIBLE**...

So, is this a lost cause, or an arcane misconfiguration?  If the latter,
any idea where to look for the break?  

I have a feeling it has something to do with local logins having no
Domain name attached to them (i.e., because they are 'local', and it not
realizing that 'local' = 'Domain')...  but that's a pure guess on my part...

Ideas?

Thanks...
Linda



