[Samba] Pam-logon failure for AD users

VigneshDhanraj G vigneshdhanraj.g at gmail.com
Wed Dec 16 12:24:49 UTC 2015


Thanks Rowland, I understand that there was a mess, and now I have changed the
smb.conf to the above as you instructed. But I still found the same
issue. I have two systems which connect to the same AD. I found two different
winbind logs. One uses pam_auth and the other one, which is not working, uses
pam_auth_crap while using pam logon. I browsed on this but unfortunately I
am not able to find anything useful.

May I know, please, what's the difference between pam_auth and pam_auth_crap?
Might this be the problem?

Could you please help me regarding this?

Regards,

Vigneshdhanraj G

On Sat, Dec 12, 2015 at 3:05 PM, Rowland penny <rpenny at samba.org> wrote:

> On 12/12/15 08:53, VigneshDhanraj G wrote:
>
>> Sorry for the late response Rowland,
>>
>> I didn't change the smb.conf with the same smb.conf, I configured a new AD
>> that works fine. Do you need to change the smb.conf? Could you please tell
>> me what I need to change specifically? And I also suspect a problem with
>> my AD server. But I am not able to find the exact problem. The confusion is
>> that FTP with the same pam is working fine but cifs always shows access denied.
>> If the password is wrong it shows Wrong password.
>>
>> Regards,
>>
>> Vigneshdhanraj G
>>
>> On Thu, Dec 10, 2015 at 2:41 PM, Rowland penny <rpenny at samba.org> wrote:
>>
>>     On 10/12/15 07:49, VigneshDhanraj G wrote:
>>
>>         Hi,
>>
>>         This issue is not solved. FTP and cifs use the same way of
>>         authentication, but
>>         when trying to access cifs it always shows the same
>>         ACCESS_DENIED error.
>>
>>         Regards,
>>
>>         Vigneshdhanraj G
>>
>>
>>         On Tue, Nov 3, 2015 at 6:36 PM, Rowland Penny
>>         <rowlandpenny241155 at gmail.com> wrote:
>>
>>             On 03/11/15 12:25, VigneshDhanraj G wrote:
>>
>>                 Hi Team,
>>
>>                 When I am running this command I am getting the
>>                 following error:
>>                 /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1"
>>
>>                 Enter DOMAIN\testusr1's password:
>>                 plaintext password authentication failed
>>                 error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
>>                 error message was: Access denied
>>                 pam_logon failed for DOMAIN\testusr1
>>
>>                 FTP and Cifs use pam. FTP authentication using the domain
>>                 is working fine. But
>>                 Cifs is showing the ACCESS_DENIED error.
>>
>>                 Samba version : 4.1.17
>>
>>                 In winbindd.log i could see
>>                 [2015/11/03 11:59:46.377088, 10, pid=435, effective(0,
>>                 0), real(0, 0),
>>                 class=winbind]
>>                 ../source3/winbindd/winbindd.c:755(wb_request_done)
>>                     wb_request_done[559:PAM_AUTH_CRAP]:
>>                 NT_STATUS_ACCESS_DENIED
>>
>>                 My smb.conf is
>>
>>                 available= yes
>>                 restrict anonymous= 0
>>                 server string= LenovoEMC™ px6-300d
>>                 Workgroup= DOMAIN
>>                 netbios name= Debian
>>                 realm= DOMAIN.LOCAL
>>                 password server= 192.168.1.100, *
>>                 idmap backend= tdb
>>                 idmap uid= 5000-9999999
>>                 idmap gid= 5000-9999999
>>                 security= ADS
>>                 name resolve order= wins host bcast lmhosts
>>                 client use spnego= yes
>>                 dns proxy= no
>>                 winbind use default domain= no
>>                 winbind nested groups= yes
>>                 inherit acls= yes
>>                 winbind enum users= yes
>>                 winbind enum groups= yes
>>                 winbind separator= \\
>>                 winbind cache time= 300
>>                 winbind offline logon= true
>>                 template shell= /bin/sh
>>                 map to guest= Bad User
>>                 host msdfs= yes
>>                 strict allocate= yes
>>                 encrypt passwords= yes
>>                 passdb backend= smbpasswd
>>                 printcap name= lpstat
>>                 printable= no
>>                 load printers= yes
>>                 max smbd processes= 500
>>                 getwd cache= yes
>>                 syslog= 0
>>                 use sendfile= yes
>>                 log level= 0
>>                 max log size= 50
>>                 unix extensions= no
>>                 dos charset= ascii
>>                 state directory= /mnt/system/samba/system
>>
>>
>>                 The Windows client from which I am trying to access cifs
>>                 is also connected to
>>                 the domain.
>>
>>
>>
> Let's be honest, your original smb.conf was a mess, it uses a lot of
> default settings and a lot of settings that really shouldn't be there, this
> is what it really should have looked like:
>
> [global]
>     Workgroup= DOMAIN
>     security= ADS
>     realm= DOMAIN.LOCAL
>     netbios name= Debian
>     server string= LenovoEMC™ px6-300d
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> idmap config *:backend = tdb
> idmap config *:range = 2000-4999
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:range = 5000-9999999
> winbind nss info = template
>     winbind enum users  = yes
>     winbind enum groups = yes
> winbind refresh tickets = Yes
>     winbind offline logon= true
>     dns proxy= no
>     template shell= /bin/sh
>     map to guest= Bad User
>     strict allocate= yes # really meant to be used in a share
>     printcap name = lpstat
>     max smbd processes= 500
>     syslog= 0
>     max log size= 50
>     use sendfile= yes
>     unix extensions= no
>     state directory= /mnt/system/samba/system # why are you moving this to
> what I presume is a share
>                             on another system?????
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> The 'tabbed' lines are yours, the others are what I would add.
>
>
> Rowland
>
>
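
As an added example (not part of the thread or of Samba): a small Python script that tallies winbindd `wb_request_done` results per request type, so the logs of the two systems can be compared for PAM_AUTH versus PAM_AUTH_CRAP outcomes. The first sample entry is the one quoted in the thread; the other entries and all function names are constructed for illustration, and the patterns assume debug-level log entries in the form shown above.

```python
import re
from collections import Counter, defaultdict

# Header that Samba's debug system writes before each message.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+, pid=(?P<pid>\d+),")
# Message body: wb_request_done[<client pid>:<REQUEST>]: <NT status>
DONE = re.compile(
    r"wb_request_done\[(?P<client>\d+):(?P<req>[A-Z_]+)\]:\s*(?P<status>NT_STATUS_\w+)")

# Constructed sample. Entry 1 is the line from the thread, the rest are made up.
SAMPLE_LOG = """\
[2015/11/03 11:59:46.377088, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED
[2015/11/03 12:01:02.000001, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[612:GETPWNAM]: NT_STATUS_OK
[2015/11/03 12:01:03.000002, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[612:PAM_AUTH]: NT_STATUS_OK
[2015/11/03 12:02:10.000003, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED
"""

def parse_requests(text):
    """Yield (timestamp, client_pid, request, status) per completed request."""
    ts = None
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            ts = header.group("ts")   # remember the header for the next body line
            continue
        done = DONE.search(line)
        if done:
            yield ts, int(done.group("client")), done.group("req"), done.group("status")

def summarize(text):
    """Count NT status results for each authentication request type."""
    table = defaultdict(Counter)
    for _ts, _client, req, status in parse_requests(text):
        if req.startswith("PAM_AUTH"):   # PAM_AUTH and PAM_AUTH_CRAP only
            table[req][status] += 1
    return {req: dict(counts) for req, counts in table.items()}

def failing_only(summary):
    """Request types that never completed with NT_STATUS_OK."""
    return sorted(r for r, c in summary.items() if c.get("NT_STATUS_OK", 0) == 0)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result)
    print("never succeeded:", failing_only(result))
```

Running the same summary over the winbindd log of the working system and of the failing one shows which request type each system issues and which status it gets back.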

