[Samba] ActiveDirectory authentication failures with pam_winbind on SuSE 11

Kiran Patil kiran.dpatil at gmail.com
Mon Sep 29 08:31:11 MDT 2014


I am facing an issue authenticating users against Windows 2008
Active Directory. Joining/leaving the domain and getting users and groups (id
<user>, getent group <group name>) work fine, but PAM authentication
through pam_winbind fails with the error below.

Sep 25 11:02:15 host sshd[74473]: pam_winbind(sshd:auth): getting password
Sep 25 11:02:15 host sshd[74473]: pam_winbind(sshd:auth): pam_get_item returned a password
Sep 25 11:02:15 host sshd[74473]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_ACCESS_DENIED, Error message was: Access denied
Sep 25 11:02:15 host sshd[74473]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'user1')

Auto generated krb5.conf file:

default_realm = SAMPLE.NET
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

kdc = xx.xx.xx.xx
kdc = xx.xx.xx.xx

smb.conf file:

server signing = auto
lanman auth = no
workgroup = SAMPLE
server string = Test host
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
passdb backend = tdbsam
local master = no
load printers = no
map to guest = Bad User
follow symlinks = yes
wide links = yes
unix extensions = no
hide dot files = no
restrict anonymous = 1
idmap gid = 10000-20000
idmap uid = 10000-20000
winbind refresh tickets = yes
winbind use default domain = yes
strict sync = yes
winbind cache time = 5
client ldap sasl wrapping = sign
realm = SAMPLE.NET
template homedir = /home/users
template shell = /bin/bash
winbind enum groups = no
winbind enum users = no
winbind offline logon = yes

"id user1" and "kinit users1" work too. Authentication fails only when
a user tries to log on through sshd.

Has anyone come across a similar issue?

