[Samba] Samba 3.5.10 pam authentication question

Christopher Stahl css115 at psu.edu
Tue Jan 17 13:15:51 MST 2012

So I have Samba 3.5 set up to use PAM to authenticate against Kerberos. This seems to be working fine when I connect to it from a Linux system using smbclient. However, when I try to connect from a Windows system, it fails. I cranked up the debug level, but I'm unable to figure out why this does not work. I feel I'm missing a component to this.

I use Samba on a handful of our servers, but I have them authenticate back to the Windows domain. This system is different and I'm just missing something here. It's a basic setup right now.


    [global]
    workgroup = MYGROUP
    server string = Samba Server Version %v

    log file = /var/log/samba/log.%m
    max log size = 50

    security = user
    passdb backend = tdbsam
    encrypt passwords = no
    client plaintext auth = yes
    client lanman auth = yes

        load printers = yes
        cups options = raw

    [homes]
        comment = Home Directories
        browseable = no
        writable = yes
;       valid users = %S
;       valid users = MYDOMAIN\%S

    [printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes


auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

The system works fine connecting from Linux with smbclient; from Windows I get "The account is not authorized to log in from this station". I'm guessing this is something simple.

