[Samba] pam_unix failing after pam_winbind when Samba is running in Standalone Server mode

Jöran Malek joeran3 at gmail.com
Fri Aug 4 14:28:33 UTC 2023


Hi,

I'm trying to get PAM to authenticate against a local install of
Samba, using the Standalone server mode.

Environment information:
- Debian 12
- Samba version: 4.17.9

The following packages are installed:
- samba
- libpam-winbind
- libnss-winbind

I added a user to passwd using
> adduser --no-create-home --disabled-password --ingroup users jmalek
Then registered that user in Samba's tdb:
> pdbedit -a -u jmalek
Confirmed the password, and continued:
> pdbedit -L
> jmalek:1000:

Now, nsswitch.conf is configured to use winbind for passwd and group.

I'm basically encountering the same issue that Brian Campbell
encountered in 2014:
https://bugzilla.samba.org/show_bug.cgi?id=10669#c12
but can't find a resolution to this (I do see that the mentioned
patch is, albeit modified, still in the Samba sources).

Trying to authenticate with my created user on tty results in this syslog:
> Aug 04 08:53:37 media login[381]: pam_winbind(login:auth): getting password (0x00000388)
> Aug 04 08:53:37 media login[381]: pam_winbind(login:auth): pam_get_item returned a password
> Aug 04 08:53:37 media login[381]: pam_winbind(login:auth): user 'jmalek' granted access
> Aug 04 08:53:37 media login[381]: pam_unix(login:account): could not identify user (from getpwnam(MEDIA\jmalek))
> Aug 04 08:53:37 media login[381]: Authentication failure
> Aug 04 08:53:37 media login[381]: PAM 1 more authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/ttyS0 ruser= rhost= user=jmalek

Did anyone figure out how to run Samba and PAM in this standalone
server configuration to let Samba perform authentication of local Unix
users?

Best,
Jöran Malek


== smb.conf ==
[global]
   netbios name = MEDIA
   workgroup = WORKGROUP
   server role = standalone server
   map to guest = bad user
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   usershare allow guests = yes
   include = registry


