[Samba] Pam-logon failure for AD users
Rowland penny
rpenny at samba.org
Sat Dec 12 09:35:21 UTC 2015
On 12/12/15 08:53, VigneshDhanraj G wrote:
> Sorry for the late response Rowland,
>
> I didn't change the smb.conf with the same smb.conf, I configured new
> AD that works fine. Do you need to change the smb.conf could you
> please tell me what I need to change specifically. And I also suspect
> that problem with my AD server. But I am not able to find the exact
> problem. The confusion is FTP works with same pam working fine but
> CIFS always shows access denied. If password is wrong it shows Wrong
> password.
>
> Regards,
>
> Vigneshdhanraj G
>
> On Thu, Dec 10, 2015 at 2:41 PM, Rowland penny <rpenny at samba.org> wrote:
>
> On 10/12/15 07:49, VigneshDhanraj G wrote:
>
> Hi,
>
> This issue is not solved, FTP and CIFS using same way of
> authentication, but
> when trying to access CIFS it always shows the same
> ACCESS_DENIED error.
>
> Regards,
>
> Vigneshdhanraj G
>
>
> On Tue, Nov 3, 2015 at 6:36 PM, Rowland Penny
> <rowlandpenny241155 at gmail.com> wrote:
>
> On 03/11/15 12:25, VigneshDhanraj G wrote:
>
> Hi Team,
>
> When I am running this command I am getting the
> following error
> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1"
>
> Enter DOMAIN\testusr1's password:
> plaintext password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error message was: Access denied
> pam_logon failed for DOMAIN\testusr1
>
> FTP and CIFS use pam. FTP authentication using domain
> working fine. But,
> CIFS showing ACCESS_DENIED error.
>
> Samba version : 4.1.17
>
> In winbindd.log i could see
> [2015/11/03 11:59:46.377088, 10, pid=435, effective(0,
> 0), real(0, 0),
> class=winbind]
> ../source3/winbindd/winbindd.c:755(wb_request_done)
> wb_request_done[559:PAM_AUTH_CRAP]:
> NT_STATUS_ACCESS_DENIED
>
> My smb.conf is
>
> available= yes
> restrict anonymous= 0
> server string= LenovoEMC™ px6-300d
> Workgroup= DOMAIN
> netbios name= Debian
> realm= DOMAIN.LOCAL
> password server= 192.168.1.100, *
> idmap backend= tdb
> idmap uid= 5000-9999999
> idmap gid= 5000-9999999
> security= ADS
> name resolve order= wins host bcast lmhosts
> client use spnego= yes
> dns proxy= no
> winbind use default domain= no
> winbind nested groups= yes
> inherit acls= yes
> winbind enum users= yes
> winbind enum groups= yes
> winbind separator= \\
> winbind cache time= 300
> winbind offline logon= true
> template shell= /bin/sh
> map to guest= Bad User
> host msdfs= yes
> strict allocate= yes
> encrypt passwords= yes
> passdb backend= smbpasswd
> printcap name= lpstat
> printable= no
> load printers= yes
> max smbd processes= 500
> getwd cache= yes
> syslog= 0
> use sendfile= yes
> log level= 0
> max log size= 50
> unix extensions= no
> dos charset= ascii
> state directory= /mnt/system/samba/system
>
>
> Windows client from which I am trying to access CIFS
> is also connected to
> the domain.
>
>
Let's be honest, your original smb.conf was a mess, it uses a lot of
default settings and a lot of settings that really shouldn't be there,
this is what it really should have looked like:
[global]
Workgroup= DOMAIN
security= ADS
realm= DOMAIN.LOCAL
netbios name= Debian
server string= LenovoEMC™ px6-300d
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-9999999
winbind nss info = template
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind offline logon= true
dns proxy= no
template shell= /bin/sh
map to guest= Bad User
# really meant to be used in a share
strict allocate= yes
printcap name = lpstat
max smbd processes= 500
syslog= 0
max log size= 50
use sendfile= yes
unix extensions= no
# why are you moving this to what I presume is a share on another system?????
state directory= /mnt/system/samba/system
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
The 'tabbed' lines are yours, the others are what I would add.
Rowland
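
Added example, not part of Rowland's reply or of Samba's own code: a small Python check that flags the deprecated `idmap backend` / `idmap uid` / `idmap gid` parameters from the original smb.conf and verifies that the `idmap config` ranges in the suggested one do not overlap. The function names and the two sample strings (excerpts of the configurations quoted in this thread) are assumptions made for illustration.

```python
import re

# Deprecated global idmap parameters and the 'idmap config' form that replaces them.
LEGACY = {
    "idmap backend": "idmap config * : backend",
    "idmap uid": "idmap config * : range",
    "idmap gid": "idmap config * : range",
}

# Excerpts of the two configurations quoted in the thread (sample input).
ORIGINAL = """security= ADS
idmap backend= tdb
idmap uid= 5000-9999999
idmap gid= 5000-9999999"""
SUGGESTED = """[global]
security= ADS
idmap config *:backend = tdb
idmap config *:range = 2000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-9999999"""

def parse_global(text):
    """Return {param: value}; names lower-cased, inner whitespace collapsed."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # blank line, comment, or section header
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params

def idmap_ranges(params):
    """Extract {domain: (low, high)} from 'idmap config DOMAIN:range' lines."""
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config\s*(\S+?)\s*:\s*range", key)
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if m and r:
            ranges[m.group(1)] = (int(r.group(1)), int(r.group(2)))
    return ranges

def audit(text):
    """Return a list of findings; an empty list means the idmap setup looks sane."""
    params = parse_global(text)
    findings = [f"'{k}' is deprecated, use '{LEGACY[k]}'" for k in params if k in LEGACY]
    ranges = sorted(idmap_ranges(params).items(), key=lambda kv: kv[1])
    for (d1, (_, hi)), (d2, (lo, _)) in zip(ranges, ranges[1:]):
        if lo <= hi:  # next range starts inside the previous one
            findings.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    if params.get("security", "").lower() == "ads" and not ranges:
        findings.append("security = ADS but no 'idmap config' range is defined")
    return findings
```

Running `audit(ORIGINAL)` reports the three legacy parameters plus the missing `idmap config` range, while `audit(SUGGESTED)` returns no findings.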