[Samba] PAM, winbind, kerberos and CIFS...
Marco Gaiarin
gaio at lilliput.linux.it
Thu Oct 16 11:11:35 UTC 2025
An Ubuntu client suddenly started to reject logons:
Oct 16 12:29:25 nikola sshd[2616]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=leia.sv.lnf.it user=gaio
Oct 16 12:29:25 nikola sshd[2616]: pam_winbind(sshd:auth): getting password (0x00000388)
Oct 16 12:29:25 nikola sshd[2616]: pam_winbind(sshd:auth): pam_get_item returned a password
Oct 16 12:29:25 nikola sshd[2616]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Oct 16 12:29:25 nikola sshd[2616]: pam_winbind(sshd:auth): user 'gaio' denied access (incorrect password or invalid membership)
Oct 16 12:29:27 nikola sshd[2616]: Failed password for gaio from 10.5.1.45 port 38046 ssh2
Trying to resolve this, I've found in the logs:
Oct 16 12:14:26 nikola kernel: [ 213.681786] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 16 12:14:26 nikola kernel: [ 213.744119] CIFS VFS: cifs_mount failed w/return code = -6
Oct 16 12:14:26 nikola kernel: [ 213.758326] CIFS VFS: cifs_mount failed w/return code = -6
The client does not use 'cifs mount', but autofs to mount the home via NFS.
PAM configuration had:
#auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
If I modify it as:
auth [success=1 default=ignore] pam_winbind.so cached_login try_first_pass
logon happens successfully (and there are no more cifs_mount errors in the logs).
Other clients still have 'krb5_auth krb5_ccache_type=FILE' and work as
expected.
What am I missing?! Thanks.
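An added example, not part of the original post: a Python triage script that groups the sshd lines quoted above by PID and extracts the pam_winbind error codes together with the source address, so failed winbind logons can be reviewed as one record each. The function name `triage` and the regular expressions are this example's own assumptions about the log layout shown in the post.

```python
import re
from collections import defaultdict

# Sample input: log lines copied from the post above (one kernel line included
# to show that non-sshd lines are skipped).
SAMPLE = """\
Oct 16 12:14:26 nikola kernel: [ 213.681786] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 16 12:29:25 nikola sshd[2616]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=leia.sv.lnf.it user=gaio
Oct 16 12:29:25 nikola sshd[2616]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
Oct 16 12:29:27 nikola sshd[2616]: Failed password for gaio from 10.5.1.45 port 38046 ssh2
"""

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: <message>"
PREFIX = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) sshd\[(\d+)\]: (.*)$")
WBC = re.compile(r"request (\w+) failed: (\w+), PAM error: (\w+) \((\d+)\), NTSTATUS: (\w+)")
UNIX = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.* rhost=(\S*) +user=(\S+)")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")

def triage(text):
    """Group sshd lines by (host, PID); return one record per winbind failure."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not an sshd line (e.g. kernel messages)
        when, host, pid, msg = m.groups()
        rec = sessions[(host, pid)]
        rec.setdefault("first_seen", when)
        if (w := WBC.search(msg)):
            rec.update(wbc_call=w[1], wbc_error=w[2], pam_error=w[3],
                       pam_code=int(w[4]), ntstatus=w[5])
        elif (u := UNIX.search(msg)):
            rec.update(rhost=u[1], user=u[2])
        elif (f := FAILED.search(msg)):
            rec.update(user=f[1], src_ip=f[2], src_port=int(f[3]))
    # Keep only sessions in which pam_winbind itself reported a failure.
    return [dict(host=h, pid=int(p), **r)
            for (h, p), r in sessions.items() if "ntstatus" in r]

if __name__ == "__main__":
    for record in triage(SAMPLE):
        print(record)
```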