[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers

Rowland Penny rowlandpenny at googlemail.com
Wed Jan 8 03:41:54 MST 2014

On 07/01/14 23:05, Georg Vorlaufer wrote:
> So I tried all your suggestions but no success.
> Just to confirm I set up a new domain member using debian wheezy and 
> the standard samba packages provided with the distro (I believe is 3.6.6)
> .
> Login via ssh and a domain user works absolutely perfect with the 
> smb.conf and pam settings as described in one of my previous posts.
> So that makes me come back to my original question: Are there known 
> with the combination of samba4.1.3 pam-winbind (and debian wheezy) ?
> Thanks again
> Georg
> 2014/1/3 Georg Vorlaufer <georg.vorlaufer at gmail.com 
> <mailto:georg.vorlaufer at gmail.com>>
>     Sorry for the misunderstanding. I try to login to one of my domain
>     members via ssh using a domain user account (ssh login with root
>     ist working ok). While this is working for an opensuse 13.1 domain
>     member, it ist not for a debian wheezy domain member. Right now I
>     am away from home, but I will try your suggestions as soon as I am
>     back.
>     Thank you for your effort. Greetings, Georg
>     Am 03.01.2014 12:53 schrieb "Rowland Penny"
>     <rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>>:
>         On 02/01/14 23:55, Georg Vorlaufer wrote:
>>         Tried the template shell option with no change -- anyway my
>>         ad user entries have loginshell and unixhomedirectory set.
>>         I also would say that the tls options only affect the way one
>>         can connect to the active directory domain controller via
>>         ldap(s).
>>         Furthermore, these options are specified on the ad-dc and not
>>         on the machine I try to ssh to.
>>         Greetings
>>         Georg
>>         2014/1/3 Michael Wood <esiotrot at gmail.com
>>         <mailto:esiotrot at gmail.com>>
>>             On 02 Jan 2014 10:31 PM, "Rowland Penny"
>>             <rowlandpenny at googlemail.com
>>             <mailto:rowlandpenny at googlemail.com>> wrote:
>>             >
>>             > On 02/01/14 19:54, Georg Vorlaufer wrote:
>>             [...]
>>             >>     tls enabled = yes
>>             >>     tls keyfile = tls/raspberrypi.key
>>             >>     tls certfile = tls/raspberrypi.crt
>>             >>     tls cafile = tls/ca.crt
>>             >
>>             > If adding the line above doesn't work, comment out the
>>             four lines above, I do not use tls and ssh works, so it
>>             may be failing here.
>>             >
>>             > Rowland
>>             The tls options should not interfere with SSH at all.
>>             They allow connecting to Samba over LDAPS and I don't
>>             think they have anything to do with Kerberos.
>>             -- 
>>             Michael Wood
>         OK, I thought that you were trying to login into the samba4
>         server and I do not have/use tls on the server, so I was
>         offering this as a possible problem.
>         So, just where are you trying to login into and where from, as
>         I can also login into my LM 15 laptop from another machine via
>         ssh.
>         Rowland
Hi, just to say that I set up debian wheezy in a VM and then setup 
sernet-samba as the OP did and I could not get winbind to work, I tried 
everything that I could think of but to no avail. I then tried to 
install sssd instead, but it would seem that if you are using the sernet 
samba packages you cannot install sssd. So, at risk of upsetting Sernet, 
I cannot recommend their packages at all until they stop naming them 
sernet-*. But all is not lost, Ubuntu 14.04 will have sssd 1.11.3 and, 
at the moment, Samba 4.0.13 and with a bit of luck will get Samba 4.1.3 
(this is in Jessie now). so with 5 years of updates, this will make a 
better platform than Debian Wheezy.


More information about the samba mailing list