[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers

Bruno La Torre b.thetower at gmail.com
Thu Jan 2 17:11:54 MST 2014

look at
for winbind + pam

2014/1/2 Georg Vorlaufer <georg.vorlaufer at gmail.com>

> [SNIP]
> However, when I try to login via ssh to either of the two machines using my
> domain account (georg), I get rejected by the pam_winbind module. However,
> the kerberos ticket cache is created during the ssh authentication process
> (i.e. the file /tmp/krb5cc_10001, where 10001 is the numeric uid of user
> georg, is created and contains a valid ticket)
> And here is the pam config (/etc/pam.d/common-auth)
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> # here are the per-package modules (the "Primary" block)
> auth    [success=2 default=ignore]    pam_unix.so nullok_secure
> auth    [success=1 default=ignore]    pam_winbind.so krb5_auth
> krb5_ccache_type=FILE try_first_pass
> # here's the fallback if no module succeeds
> auth    requisite            pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success
> code
> # since the modules above will each just jump around
> auth    required            pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
you must write pam_winbind.so line before pam_unix.so line.


More information about the samba mailing list