Sorry for the late response, Rowland.

I didn't change the smb.conf with the same smb.conf, I configured new AD that works fine. Do you need to change the smb.conf, could you please tell me what I need to change specifically. And I also suspect that problem with my AD server. But I am not able to find the exact problem. The confusion is Ftp works with same pam working fine but cifs always shows access denied. If password is wrong it shows Wrong password.

Regards,

Vigneshdhanraj G

On Thu, Dec 10, 2015 at 2:41 PM, Rowland penny <rpenny at samba.org> wrote:

> On 10/12/15 07:49, VigneshDhanraj G wrote:
>
>> Hi,
>>
>> This issue is not solved. Ftp and cifs are using the same way of
>> authentication, but when trying to access cifs it always shows the same
>> ACCESS_DENIED error.
>>
>> Regards,
>>
>> Vigneshdhanraj G
>>
>> On Tue, Nov 3, 2015 at 6:36 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>
>>> On 03/11/15 12:25, VigneshDhanraj G wrote:
>>>
>>>> Hi Team,
>>>>
>>>> When I am running this command I am getting the following error:
>>>> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1"
>>>>
>>>> Enter DOMAIN\testusr1's password:
>>>> plaintext password authentication failed
>>>> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
>>>> error message was: Access denied
>>>> pam_logon failed for DOMAIN\testusr1
>>>>
>>>> FTP and Cifs use pam. Ftp authentication using domain is working fine.
>>>> But Cifs is showing ACCESS_DENIED error.
>>>>
>>>> Samba version : 4.1.17
>>>>
>>>> In winbindd.log I could see
>>>> [2015/11/03 11:59:46.377088, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
>>>>   wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED
>>>>
>>>> My smb.conf is
>>>>
>>>> available= yes
>>>> restrict anonymous= 0
>>>> server string= LenovoEMC™ px6-300d
>>>> Workgroup= DOMAIN
>>>> netbios name= Debian
>>>> realm= DOMAIN.LOCAL
>>>> password server= 192.168.1.100, *
>>>> idmap backend= tdb
>>>> idmap uid= 5000-9999999
>>>> idmap gid= 5000-9999999
>>>> security= ADS
>>>> name resolve order= wins host bcast lmhosts
>>>> client use spnego= yes
>>>> dns proxy= no
>>>> winbind use default domain= no
>>>> winbind nested groups= yes
>>>> inherit acls= yes
>>>> winbind enum users= yes
>>>> winbind enum groups= yes
>>>> winbind separator= \\
>>>> winbind cache time= 300
>>>> winbind offline logon= true
>>>> template shell= /bin/sh
>>>> map to guest= Bad User
>>>> host msdfs= yes
>>>> strict allocate= yes
>>>> encrypt passwords= yes
>>>> passdb backend= smbpasswd
>>>> printcap name= lpstat
>>>> printable= no
>>>> load printers= yes
>>>> max smbd processes= 500
>>>> getwd cache= yes
>>>> syslog= 0
>>>> use sendfile= yes
>>>> log level= 0
>>>> max log size= 50
>>>> unix extensions= no
>>>> dos charset= ascii
>>>> state directory= /mnt/system/samba/system
>>>>
>>>> The Windows client from which I am trying to access cifs is also
>>>> connected to the domain.
>>>>
>>>> Could anybody help me regarding this issue? Ftp and cifs both use samba
>>>> authentication but cifs authentication alone is showing an
>>>> authentication error.
>>>>
>>>> Regards,
>>>>
>>>> Vigneshdhanraj G
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>> You seem to be connecting to an AD domain, it might help if you set up
>>> your smb.conf a bit differently, I would have a look here:
>>>
>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>
>>> Adjust your smb.conf with reference to the above page and then follow the
>>> various links.
>>>
>>> Rowland
>
> Please post your new smb.conf
>
> Rowland
On 12/12/15 08:53, VigneshDhanraj G wrote:
> Sorry for the late response, Rowland.
>
> I didn't change the smb.conf with the same smb.conf, I configured new
> AD that works fine. Do you need to change the smb.conf, could you
> please tell me what I need to change specifically. And I also suspect
> that problem with my AD server. But I am not able to find the exact
> problem. The confusion is Ftp works with same pam working fine but
> cifs always shows access denied. If password is wrong it shows Wrong
> password.
>
> Regards,
>
> Vigneshdhanraj G
Let's be honest, your original smb.conf was a mess, it uses a lot of default settings and a lot of settings that really shouldn't be there, this is what it really should have looked like:

[global]
Workgroup= DOMAIN
security= ADS
realm= DOMAIN.LOCAL
netbios name= Debian
server string= LenovoEMC™ px6-300d
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-9999999
winbind nss info = template
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind offline logon= true
dns proxy= no
template shell= /bin/sh
map to guest= Bad User
# really meant to be used in a share
strict allocate= yes
printcap name = lpstat
max smbd processes= 500
syslog= 0
max log size= 50
use sendfile= yes
unix extensions= no
# why are you moving this to what I presume is a share on another system?????
state directory= /mnt/system/samba/system
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

The 'tabbed' lines are yours, the others are what I would add.

Rowland
Thanks Rowland, I understand that there was a mess, and now I changed the smb.conf with the above as you instructed. But still I found the same issue. I have two systems which connect to the same AD. I found two different winbind logs. One uses pam_auth and the other one, which is not working, uses pam_auth_crap while using pam logon. I browsed on this but unfortunately I am not able to find anything useful.

May I know please, what's the difference between pam_auth and pam_auth_crap? May this be the problem?

Could you please help me regarding this.

Regards,

Vigneshdhanraj G

On Sat, Dec 12, 2015 at 3:05 PM, Rowland penny <rpenny at samba.org> wrote:
> Let's be honest, your original smb.conf was a mess, it uses a lot of
> default settings and a lot of settings that really shouldn't be there, this
> is what it really should have looked like:
>
> [global]
> Workgroup= DOMAIN
> security= ADS
> realm= DOMAIN.LOCAL
> netbios name= Debian
> server string= LenovoEMC™ px6-300d
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> idmap config *:backend = tdb
> idmap config *:range = 2000-4999
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:range = 5000-9999999
> winbind nss info = template
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> winbind offline logon= true
> dns proxy= no
> template shell= /bin/sh
> map to guest= Bad User
> # really meant to be used in a share
> strict allocate= yes
> printcap name = lpstat
> max smbd processes= 500
> syslog= 0
> max log size= 50
> use sendfile= yes
> unix extensions= no
> # why are you moving this to what I presume is a share on another system?????
> state directory= /mnt/system/samba/system
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> The 'tabbed' lines are yours, the others are what I would add.
>
> Rowland
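For comparing the winbind logs of the two systems mentioned in the message above, the following sketch tallies `wb_request_done` entries by request type and result. It is an added example, not part of the original thread and not Samba code. Only the first sample entry is the one quoted in the thread; the other two entries, the function names and the reading of the bracketed number as the requesting client's process id are assumptions.

```python
import re
from collections import Counter

# Constructed sample. Entry 1 is the log entry quoted in the thread, kept in
# its mail-wrapped, '>'-quoted form; entries 2 and 3 are made up in the same
# layout so there is something to compare against.
SAMPLE_LOG = """\
>> [2015/11/03 11:59:46.377088, 10, pid=435, effective(0,
>> 0), real(0, 0),
>> class=winbind]
>> ../source3/winbindd/winbindd.c:755(wb_request_done)
>> wb_request_done[559:PAM_AUTH_CRAP]:
>> NT_STATUS_ACCESS_DENIED
[2015/11/03 12:00:02.101500, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[602:PAM_AUTH]: NT_STATUS_OK
[2015/11/03 12:00:09.250000, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[701:PAM_AUTH]: NT_STATUS_WRONG_PASSWORD
"""

ENTRY_START = re.compile(r"^\[\d{4}/\d{2}/\d{2} ")
STAMP = re.compile(r"^\[(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),"
                   r"\s*(?P<level>\d+),\s*pid=(?P<pid>\d+)")
DONE = re.compile(r"wb_request_done\[(?P<client>\d+):(?P<command>\w+)\]:"
                  r"\s*(?P<status>NT_STATUS_\w+)")

def parse_entries(text):
    """Return one dict per wb_request_done entry, tolerating wrapped lines."""
    chunks, current = [], []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # drop mail quote markers and indent
        if ENTRY_START.match(line):       # a timestamp header opens an entry
            if current:
                chunks.append(" ".join(current))
            current = [line]
        elif current and line:            # continuation of the current entry
            current.append(line)
    if current:
        chunks.append(" ".join(current))
    entries = []
    for chunk in chunks:
        stamp, done = STAMP.match(chunk), DONE.search(chunk)
        if stamp and done:                # skip entries of any other kind
            entries.append({"time": stamp["time"],
                            "winbindd_pid": int(stamp["pid"]),
                            "client": int(done["client"]),  # assumed client pid
                            "command": done["command"],
                            "status": done["status"]})
    return entries

def summarise(entries):
    """Count results per (request type, NT status) pair."""
    return Counter((e["command"], e["status"]) for e in entries)

def failed_auth(entries):
    """PAM_AUTH* requests that did not end in NT_STATUS_OK."""
    return [e for e in entries
            if e["command"].startswith("PAM_AUTH") and e["status"] != "NT_STATUS_OK"]

if __name__ == "__main__":
    for (command, status), count in sorted(summarise(parse_entries(SAMPLE_LOG)).items()):
        print(f"{command:15} {status:28} {count}")
```

Running the same summary over the winbindd.log of the working and the failing machine puts the request types each one issues side by side.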
I see 2 things here which are strange.

Self compiled samba
> >> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1"

Debian samba? Or older version installed and not latest.
> >> Samba version : 4.1.17

Which is it? Self compiled or Debian samba?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of VigneshDhanraj G
> Sent: Wednesday 16 December 2015 13:25
> To: Rowland penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Pam-logon failure for AD users
>
> Thanks Rowland, I understand that there was a mess, and now I changed the
> smb.conf with the above as you instructed. But still I found the same
> issue. I have two systems which connect to the same AD. I found two
> different winbind logs. One uses pam_auth and the other one, which is not
> working, uses pam_auth_crap while using pam logon. I browsed on this but
> unfortunately I am not able to find anything useful.
>
> May I know please, what's the difference between pam_auth and
> pam_auth_crap? May this be the problem?
>
> Could you please help me regarding this.
>
> Regards,
>
> Vigneshdhanraj G