Philippe Dhont (Sea-ro)
2005-Oct-17 13:57 UTC
:Re: [Samba] Unknown PAM failiure in WIN2003/ Active Directory + samba
Damn, 2.6.13.4 I REALLY mean! :)
(I probably need a holiday!)

Huh....2.6.16.4....I mean! :)

In smb.conf, I removed obey pam restrictions and now it works...
What does "obey pam restrictions" do?

Cheers,
Phil.

Philippe Dhont (Sea-ro) wrote:
> Hello,
> I have an existing Windows 2003 network and now try to add a new Linux
> server with samba/kerberos support for unified logon authentication.
> Normally, everything is installed & this is the configuration:
> - Debian with 2.6.16.4 kernel

Are you sure about this kernel version? :-)

[...]
> In my /etc/pam.d/samba file I have:
> @include common-auth
> @include common-account
> @include common-session
> auth required /lib/security/pam_winbind.so
> account required /lib/security/pam_winbind.so

I'm not sure, but I believe you should put auth options together, same for account. AFAIK, PAM checks the options line by line; after the auth area ends, there is no chance for "another auth area". You should put auth parameters all together, like this:

@include common-auth
auth required /lib/security/pam_winbind.so
@include common-account
account required /lib/security/pam_winbind.so

[...]
> In my logs I get after trying:
[...]
> In the newly added logfile from the Windows PC I tried to connect:
> [2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_account(573)
>   smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: TEST\phil
> [2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_accountcheck(781)
>   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User TEST\phil!
[...]

Yep, looks like a PAM stack problem. :-)

> On the Windows XP PC, I am logged in as phil and when I connect and I
> get a logon, I tried TEST\Administrator. I don't find a lot of good
> information about this error, but I hope that someone can help me out.

Hope it helps, cheers,
Felipe Augusto van de Wiel
2005-Oct-17 16:45 UTC
:Re: [Samba] Unknown PAM failiure in WIN2003/ Active Directory + samba
Philippe Dhont (Sea-ro) wrote:
> Damn, 2.6.13.4 I REALLY mean! :)
> (I probably need a holiday!)
[...]

Ok. :-)

> In smb.conf, I removed obey pam restrictions and now it works...
> What does "obey pam restrictions" do?

From smb.conf manpage:

    obey pam restrictions (G)
        When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.

        Default: obey pam restrictions = no

Kind regards,

--
//////////
// Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
// CTI/Suporte - SEDU/PARANACIDADE
// http://www.paranacidade.org.br/
//////////
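
The manpage rules quoted above, as an added example that is not part of the original thread or of Samba's own code: a small Python check that reports which PAM stacks smbd would consult for a given smb.conf and /etc/pam.d/samba. The file contents are constructed samples, the common-* contents are assumed, the function names are hypothetical, and only plain "type control module" PAM lines are parsed.

```python
# Constructed inputs modelled on the thread; the common-* contents are assumed.
SMB_CONF = """[global]
   security = ads
   obey pam restrictions = yes
"""
PAM_SAMBA = """@include common-auth
@include common-account
@include common-session
auth    required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
"""
INCLUDES = {"common-auth": "auth required pam_unix.so\n",
            "common-account": "account required pam_unix.so\n",
            "common-session": "session required pam_unix.so\n"}
TRUE = {"yes", "true", "1"}

def global_params(text):
    """[global] parameters from smb.conf, names lower-cased and space-normalised."""
    params, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip().lower()
    return params

def pam_stack(text, includes):
    """(control, module) pairs per management type, @include lines expanded in place."""
    stack = {"auth": [], "account": [], "session": []}
    for fields in (l.split("#", 1)[0].split() for l in text.splitlines()):
        if fields[:1] == ["@include"] and len(fields) > 1:
            for kind, mods in pam_stack(includes.get(fields[1], ""), includes).items():
                stack[kind] += mods
        elif len(fields) >= 3 and fields[0] in stack:
            stack[fields[0]].append((fields[1], fields[2]))
    return stack

def consulted(smb_conf, pam_text, includes):
    """PAM stacks smbd will run, following the smb.conf manpage text quoted above."""
    params, stack = global_params(smb_conf), pam_stack(pam_text, includes)
    kinds = []
    if params.get("encrypt passwords", "yes") not in TRUE:  # Samba 3.0 default: yes
        kinds.append("auth")
    if params.get("obey pam restrictions", "no") in TRUE:   # manpage default: no
        kinds += ["account", "session"]
    return {kind: stack[kind] for kind in kinds}
```

With the sample smb.conf only the account and session stacks are returned; setting obey pam restrictions to no returns none, which matches the poster's observation that the account-management rejection stopped once the option was removed.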