[Samba] Pam-logon failure for AD users

VigneshDhanraj G vigneshdhanraj.g at gmail.com
Thu Dec 17 06:58:36 UTC 2015


Hi,

I compiled Samba from source and I am using PAM from Debian. But I am
confused why PAM uses pam_auth_crap instead of pam_auth.

May I know the basic difference between pam_auth and pam_auth_crap?

Regards,

Vigneshdhanraj G



On Wed, Dec 16, 2015 at 6:45 PM, L.P.H. van Belle <belle at bazuin.nl> wrote:

> I see 2 things here which are strange.
>
> Self compiled samba
> > >> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1"
>
> Debian samba ? or older version installed and not latest.
> > >> Samba version : 4.1.17
>
> Which is it? self compiled or debian samba?
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of VigneshDhanraj G
> > Sent: Wednesday 16 December 2015 13:25
> > To: Rowland penny
> > CC: samba at lists.samba.org
> > Subject: Re: [Samba] Pam-logon failure for AD users
> >
> > Thanks Rowland, I understand that there was a mess, and now I changed the
> > smb.conf with the above as you instructed. But I still found the same
> > issue. I have two systems which connect to the same AD. I found two different
> > winbind logs. One uses pam_auth and the other one, which is not working, uses
> > pam_auth_crap while using pam logon. I browsed on this but unfortunately I
> > am not able to find anything useful.
> >
> > May I know please, what's the difference between pam_auth and
> > pam_auth_crap?
> > Might this be the problem?
> >
> > Could you please help me regarding this?
> >
> > Regards,
> >
> > Vigneshdhanraj G
> >
> > On Sat, Dec 12, 2015 at 3:05 PM, Rowland penny <rpenny at samba.org> wrote:
> >
> > > On 12/12/15 08:53, VigneshDhanraj G wrote:
> > >
> > >> Sorry for the late response Rowland,
> > >>
> > >> I didn't change the smb.conf with the same smb.conf, I configured new AD
> > >> that works fine. Do you need to change the smb.conf? Could you please tell
> > >> me what I need to change specifically? And I also suspect a problem with
> > >> my AD server. But I am not able to find the exact problem. The confusion is
> > >> FTP with the same PAM is working fine but CIFS always shows access denied.
> > >> If the password is wrong it shows Wrong password.
> > >>
> > >> Regards,
> > >>
> > >> Vigneshdhanraj G
> > >>
> > >> On Thu, Dec 10, 2015 at 2:41 PM, Rowland penny <rpenny at samba.org <mailto:rpenny at samba.org>> wrote:
> > >>
> > >>     On 10/12/15 07:49, VigneshDhanraj G wrote:
> > >>
> > >>         Hi,
> > >>
> > >>         This issue is not solved. FTP and CIFS are using the same way of
> > >>         authentication, but when trying to access CIFS it always shows the same
> > >>         ACCESS_DENIED error.
> > >>
> > >>         Regards,
> > >>
> > >>         Vigneshdhanraj G
> > >>
> > >>
> > >>         On Tue, Nov 3, 2015 at 6:36 PM, Rowland Penny
> > >>         <rowlandpenny241155 at gmail.com <mailto:rowlandpenny241155 at gmail.com>> wrote:
> > >>
> > >>             On 03/11/15 12:25, VigneshDhanraj G wrote:
> > >>
> > >>                 Hi Team,
> > >>
> > >>                 When I am running this command I am getting the
> > >>                 following error:
> > >>                 /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1"
> > >>
> > >>                 Enter DOMAIN\testusr1's password:
> > >>                 plaintext password authentication failed
> > >>                 error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> > >>                 error message was: Access denied
> > >>                 pam_logon failed for DOMAIN\testusr1
> > >>
> > >>                 FTP and CIFS use PAM. FTP authentication using the domain
> > >>                 is working fine. But CIFS is showing an ACCESS_DENIED error.
> > >>
> > >>                 Samba version : 4.1.17
> > >>
> > >>                 In winbindd.log I could see
> > >>                 [2015/11/03 11:59:46.377088, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
> > >>                     wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED
> > >>
> > >>                 My smb.conf is
> > >>
> > >>                 available= yes
> > >>                 restrict anonymous= 0
> > >>                 server string= LenovoEMC™ px6-300d
> > >>                 Workgroup= DOMAIN
> > >>                 netbios name= Debian
> > >>                 realm= DOMAIN.LOCAL
> > >>                 password server= 192.168.1.100, *
> > >>                 idmap backend= tdb
> > >>                 idmap uid= 5000-9999999
> > >>                 idmap gid= 5000-9999999
> > >>                 security= ADS
> > >>                 name resolve order= wins host bcast lmhosts
> > >>                 client use spnego= yes
> > >>                 dns proxy= no
> > >>                 winbind use default domain= no
> > >>                 winbind nested groups= yes
> > >>                 inherit acls= yes
> > >>                 winbind enum users= yes
> > >>                 winbind enum groups= yes
> > >>                 winbind separator= \\
> > >>                 winbind cache time= 300
> > >>                 winbind offline logon= true
> > >>                 template shell= /bin/sh
> > >>                 map to guest= Bad User
> > >>                 host msdfs= yes
> > >>                 strict allocate= yes
> > >>                 encrypt passwords= yes
> > >>                 passdb backend= smbpasswd
> > >>                 printcap name= lpstat
> > >>                 printable= no
> > >>                 load printers= yes
> > >>                 max smbd processes= 500
> > >>                 getwd cache= yes
> > >>                 syslog= 0
> > >>                 use sendfile= yes
> > >>                 log level= 0
> > >>                 max log size= 50
> > >>                 unix extensions= no
> > >>                 dos charset= ascii
> > >>                 state directory= /mnt/system/samba/system
> > >>
> > >>
> > >>                 The Windows client from which I am trying to access CIFS
> > >>                 is also connected to the domain.
> > >>
> > >>
> > >>
> > > Let's be honest, your original smb.conf was a mess, it uses a lot of
> > > default settings and a lot of settings that really shouldn't be there,
> > > this is what it really should have looked like:
> > >
> > > [global]
> > >     Workgroup= DOMAIN
> > >     security= ADS
> > >     realm= DOMAIN.LOCAL
> > >     netbios name= Debian
> > >     server string= LenovoEMC™ px6-300d
> > > dedicated keytab file = /etc/krb5.keytab
> > > kerberos method = secrets and keytab
> > > idmap config *:backend = tdb
> > > idmap config *:range = 2000-4999
> > > idmap config DOMAIN:backend = rid
> > > idmap config DOMAIN:range = 5000-9999999
> > > winbind nss info = template
> > >     winbind enum users  = yes
> > >     winbind enum groups = yes
> > > winbind refresh tickets = Yes
> > >     winbind offline logon= true
> > >     dns proxy= no
> > >     template shell= /bin/sh
> > >     map to guest= Bad User
> > >     strict allocate= yes # really meant to be used in a share
> > >     printcap name = lpstat
> > >     max smbd processes= 500
> > >     syslog= 0
> > >     max log size= 50
> > >     use sendfile= yes
> > >     unix extensions= no
> > >     state directory= /mnt/system/samba/system # why are you moving this to what I presume is a share on another system?????
> > > vfs objects = acl_xattr
> > > map acl inherit = yes
> > > store dos attributes = yes
> > >
> > > The 'tabbed' lines are yours, the others are what I would add.
> > >
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
>
>
>
>
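
The thread turns on comparing winbindd.log output from two hosts to see whether logons are handled as PAM_AUTH or PAM_AUTH_CRAP. As an added example (not part of the original thread and not Samba code), this Python script tallies `wb_request_done` results per request type from such a log. The sample log is constructed from the single line quoted in the thread, and the layout (bracketed header line followed by an indented message line) and the reading of the bracketed number as the client pid are assumptions.

```python
import re
from collections import Counter

# Constructed sample: only the first entry comes from the thread; the rest
# are made up in the same (assumed) header-line + message-line layout.
SAMPLE_LOG = """\
[2015/11/03 11:59:46.377088, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED
[2015/11/03 12:01:02.000001, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[601:PAM_AUTH]: NT_STATUS_OK
[2015/11/03 12:01:05.000002, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED
[2015/11/03 12:01:09.000003, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[610:GETPWNAM]: NT_STATUS_OK
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),")
DONE = re.compile(r"wb_request_done\[(\d+):(\w+)\]:\s*(\w+)")
AUTH_COMMANDS = {"PAM_AUTH", "PAM_AUTH_CRAP"}


def parse_auth_results(text):
    """Yield (timestamp, client_pid, command, status) for PAM auth requests."""
    timestamp = None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            timestamp = head.group(1)  # remember it for the message line
        done = DONE.search(line)
        if done and done.group(2) in AUTH_COMMANDS:
            # client_pid: assumed meaning of the number before the colon
            yield timestamp, int(done.group(1)), done.group(2), done.group(3)


def summarize(text):
    """Count results per (command, NT status) pair."""
    return Counter((cmd, st) for _, _, cmd, st in parse_auth_results(text))


def failures(text):
    """Return only the auth requests that did not end in NT_STATUS_OK."""
    return [r for r in parse_auth_results(text) if r[3] != "NT_STATUS_OK"]


if __name__ == "__main__":
    for (cmd, status), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{cmd:14} {status:28} {n}")
```

Running the same tally over the log of the working host and the failing host shows at a glance which request type each one uses and which status it ends with.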

