[Samba] PAM, winbind, kerberos and CIFS...

Rowland Penny rpenny at samba.org
Thu Oct 16 20:23:05 UTC 2025


On Thu, 16 Oct 2025 13:11:35 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> 
> An Ubuntu client suddenly started to reject logons:
> 
>  Oct 16 12:29:25 nikola sshd[2616]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=leia.sv.lnf.it  user=gaio
>  Oct 16 12:29:25 nikola sshd[2616]: pam_winbind(sshd:auth): getting password (0x00000388)
>  Oct 16 12:29:25 nikola sshd[2616]: pam_winbind(sshd:auth): pam_get_item returned a password
>  Oct 16 12:29:25 nikola sshd[2616]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure
>  Oct 16 12:29:25 nikola sshd[2616]: pam_winbind(sshd:auth): user 'gaio' denied access (incorrect password or invalid membership)
>  Oct 16 12:29:27 nikola sshd[2616]: Failed password for gaio from 10.5.1.45 port 38046 ssh2
> 
> Trying to resolve, I've found in the logs:
> 
>  Oct 16 12:14:26 nikola kernel: [  213.681786] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
>  Oct 16 12:14:26 nikola kernel: [  213.744119] CIFS VFS: cifs_mount failed w/return code = -6
>  Oct 16 12:14:26 nikola kernel: [  213.758326] CIFS VFS: cifs_mount failed w/return code = -6

-6 is 'No such device or address'

> 
> The client does not use 'cifs mount', but autofs to mount the home via
> NFS.

Okay, but something is attempting to use cifs in the kernel.

> 
> PAM configuration had:
> 
> 	#auth   [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

I take it that came from /etc/pam.d/common-auth.
Was it exactly like that, with a '#' at the beginning?
If so, it was turned off and it should look like that, just without the
'#'.

> 
> If I modify it as:
> 	auth    [success=1 default=ignore]      pam_winbind.so cached_login try_first_pass

I would change it back, you have turned off kerberos.

The question is, if the '#' was there, who put it there?

Rowland
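
As an added example (not part of the message above and not Samba's own code), this Python check looks for the two conditions discussed in the thread: a pam_winbind rule that is commented out, and an active auth rule that has lost krb5_auth. The sample file contents, the pam_unix and pam_deny lines in it, and the function names are constructed for illustration; on the client the text would come from /etc/pam.d/common-auth.

```python
import re

# Constructed sample: the two pam_winbind variants quoted in the thread, plus
# two surrounding lines that are assumed, not taken from the poster's file.
SAMPLE_COMMON_AUTH = """\
auth    [success=2 default=ignore]      pam_unix.so nullok
#auth   [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so cached_login try_first_pass
auth    requisite                       pam_deny.so
"""

# type, control (simple word or [bracketed list]), module path, arguments;
# an optional leading '#' marks a rule that has been commented out.
PAM_RULE = re.compile(
    r"^(?P<hash>#\s*)?(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")

def logical_lines(text):
    """Yield (first_line_number, rule) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def audit_winbind(text):
    """Report every pam_winbind rule, active or commented out, with issues."""
    findings = []
    for lineno, rule in logical_lines(text):
        m = PAM_RULE.match(rule)
        if not m or not m["module"].endswith("pam_winbind.so"):
            continue
        opts, issues = m["args"].split(), []
        if m["hash"]:
            issues.append("commented out: rule is inactive")
        elif m["type"].lstrip("-") == "auth" and "krb5_auth" not in opts:
            issues.append("krb5_auth missing: Kerberos login is turned off")
        findings.append({"line": lineno, "active": not m["hash"],
                         "options": opts, "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_winbind(SAMPLE_COMMON_AUTH):
        state = "active" if f["active"] else "disabled"
        print(f"line {f['line']} ({state}): {'; '.join(f['issues']) or 'ok'}")
```

Keeping the commented-out rules in the report is deliberate: a disabled line that still carries krb5_auth shows what the working configuration looked like before someone changed it.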


