[Samba] Pam-logon failure for AD users
L.P.H. van Belle
belle at bazuin.nl
Wed Dec 16 13:15:02 UTC 2015
I see 2 things here which are strange.
Self compiled samba
> >> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1"
Debian samba? Or an older version installed and not the latest.
> >> Samba version : 4.1.17
Which is it? Self compiled or Debian samba?
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of VigneshDhanraj G
> Sent: Wednesday 16 December 2015 13:25
> To: Rowland penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Pam-logon failure for AD users
>
> Thanks Rowland, I understand that there was a mess, and now I changed the
> smb.conf with the above as you instructed. But I still found the same
> issue. I have two systems which connect to the same AD. I found two different
> winbind logs. One uses pam_auth and the other one, which is not working, uses
> pam_auth_crap while using pam logon. I browsed on this but unfortunately I
> am not able to find anything useful.
>
> May I know please, what's the difference between pam_auth and
> pam_auth_crap?
> Might this be the problem?
>
> Could you please help me regarding this?
>
> Regards,
>
> Vigneshdhanraj G
>
> On Sat, Dec 12, 2015 at 3:05 PM, Rowland penny <rpenny at samba.org> wrote:
>
> > On 12/12/15 08:53, VigneshDhanraj G wrote:
> >
> >> Sorry for the late response Rowland,
> >>
> >> I didn't change the smb.conf with the same smb.conf, I configured new AD
> >> that works fine. Do you need to change the smb.conf could you please tell
> >> me what I need to change specifically. And I also suspect that problem with
> >> my AD server. But I am not able to find the exact problem. The confusion is
> >> Ftp works with same pam working fine but cifs always shows access denied.
> >> If password is wrong it shows Wrong password.
> >>
> >> Regards,
> >>
> >> Vigneshdhanraj G
> >>
> >> On Thu, Dec 10, 2015 at 2:41 PM, Rowland penny <rpenny at samba.org> wrote:
> >>
> >> On 10/12/15 07:49, VigneshDhanraj G wrote:
> >>
> >> Hi,
> >>
> >> This issue not solved, ftp and cifs using same way of
> >> authentication. but
> >> when trying to access cifs it always shows the same
> >> ACCESS_DENIED error.
> >>
> >> Regards,
> >>
> >> Vigneshdhanraj G
> >>
> >>
> >> On Tue, Nov 3, 2015 at 6:36 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> >>
> >> On 03/11/15 12:25, VigneshDhanraj G wrote:
> >>
> >> Hi Team,
> >>
> >> When I am running this command I am getting the following error:
> >> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1"
> >>
> >> Enter DOMAIN\testusr1's password:
> >> plaintext password authentication failed
> >> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> >> error message was: Access denied
> >> pam_logon failed for DOMAIN\testusr1
> >>
> >> FTP and Cifs uses pam. Ftp authentication using domain
> >> working fine. But,
> >> Cifs showing ACCESS_DENIED error.
> >>
> >> Samba version : 4.1.17
> >>
> >> In winbindd.log i could see
> >> [2015/11/03 11:59:46.377088, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
> >> wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED
> >>
> >> My smb.conf is
> >>
> >> available= yes
> >> restrict anonymous= 0
> >> server string= LenovoEMC™ px6-300d
> >> Workgroup= DOMAIN
> >> netbios name= Debian
> >> realm= DOMAIN.LOCAL
> >> password server= 192.168.1.100, *
> >> idmap backend= tdb
> >> idmap uid= 5000-9999999
> >> idmap gid= 5000-9999999
> >> security= ADS
> >> name resolve order= wins host bcast lmhosts
> >> client use spnego= yes
> >> dns proxy= no
> >> winbind use default domain= no
> >> winbind nested groups= yes
> >> inherit acls= yes
> >> winbind enum users= yes
> >> winbind enum groups= yes
> >> winbind separator= \\
> >> winbind cache time= 300
> >> winbind offline logon= true
> >> template shell= /bin/sh
> >> map to guest= Bad User
> >> host msdfs= yes
> >> strict allocate= yes
> >> encrypt passwords= yes
> >> passdb backend= smbpasswd
> >> printcap name= lpstat
> >> printable= no
> >> load printers= yes
> >> max smbd processes= 500
> >> getwd cache= yes
> >> syslog= 0
> >> use sendfile= yes
> >> log level= 0
> >> max log size= 50
> >> unix extensions= no
> >> dos charset= ascii
> >> state directory= /mnt/system/samba/system
> >>
> >>
> >> Windows client from which i am trying to access cifs
> >> is also connected to
> >> the domain.
> >>
> >>
> >>
> > Let's be honest, your original smb.conf was a mess, it uses a lot of
> > default settings and a lot of settings that really shouldn't be there, this
> > is what it really should have looked like:
> >
> > [global]
> > Workgroup= DOMAIN
> > security= ADS
> > realm= DOMAIN.LOCAL
> > netbios name= Debian
> > server string= LenovoEMC™ px6-300d
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-4999
> > idmap config DOMAIN:backend = rid
> > idmap config DOMAIN:range = 5000-9999999
> > winbind nss info = template
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind refresh tickets = Yes
> > winbind offline logon= true
> > dns proxy= no
> > template shell= /bin/sh
> > map to guest= Bad User
> > strict allocate= yes # really meant to be used in a share
> > printcap name = lpstat
> > max smbd processes= 500
> > syslog= 0
> > max log size= 50
> > use sendfile= yes
> > unix extensions= no
> > state directory= /mnt/system/samba/system # why are you moving this to what I presume is a share on another system?????
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > store dos attributes = yes
> >
> > The 'tabbed' lines are yours, the others are what I would add.
> >
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
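Added example, not part of the original thread and not Samba project code: one way to compare the two machines described above is to tally the wb_request_done entries (debug level 10) in each winbindd.log by request type and NT status. The sample log is constructed around the single entry quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Message part of a wb_request_done entry. \s* tolerates a line wrap between
# the request tag and the status, as in the mail-wrapped log quoted above.
DONE_RE = re.compile(
    r"wb_request_done\[(\d+):([A-Z0-9_]+)\]:\s*(NT_STATUS_[A-Z0-9_]+)"
)

# Constructed sample. The first entry mirrors the one quoted in the thread;
# the other two are invented for contrast.
SAMPLE_LOG = """\
[2015/11/03 11:59:46.377088, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED
[2015/11/03 12:00:02.000001, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[560:PAM_AUTH]: NT_STATUS_OK
[2015/11/03 12:00:09.000002, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[561:PAM_AUTH_CRAP]:
  NT_STATUS_ACCESS_DENIED
"""


def summarize(log_text):
    """Count (request type, NT status) pairs over all wb_request_done entries."""
    return Counter(
        (request, status) for _client, request, status in DONE_RE.findall(log_text)
    )


def failed_auth_requests(log_text):
    """Sorted PAM_AUTH* request types that finished with a non-OK status."""
    return sorted(
        {
            request
            for (request, status) in summarize(log_text)
            if request.startswith("PAM_AUTH") and status != "NT_STATUS_OK"
        }
    )


if __name__ == "__main__":
    for (request, status), count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{count:3d}  {request:<14} {status}")
    print("failing auth request types:", failed_auth_requests(SAMPLE_LOG))
```

Running the same summary over the log of the working system and of the failing one shows at a glance which request type each host issues and with what result.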