samba - Aug 2023 - pam_unix failing after pam_winbind when Samba is running in Standalone Server mode

Hi,

I'm trying to get PAM to authenticate against a local install of
Samba, using the Standalone server mode.

Environment information:
- Debian 12
- Samba version: 4.17.9

Following packages are installed:
- samba
- libpam-winbind
- libnss-winbind

I added a user to passwd using
> adduser --no-create-home --disabled-password --ingroup users jmalek
Then registered that user in Sambas tdb:
> pdbedit -a -u jmalek
Confirmed the password, and continued:
pdbedit -L
jmalek:1000:

Now, nsswitch.conf is configured to use winbind for passwd and group.

I'm basically encountering the same issue that Brian Campbell
encountered in 2014:
https://bugzilla.samba.org/show_bug.cgi?id=10669#c12
but can't find a resolution to this (I do see, that the mentioned
patch is - albeit modified - still in Samba sources).

Trying to authenticate with my created user on tty results in this
syslog:
> Aug 04 08:53:37 media login[381]: pam_winbind(login:auth): getting password
(0x00000388)
> Aug 04 08:53:37 media login[381]: pam_winbind(login:auth): pam_get_item
returned a password
> Aug 04 08:53:37 media login[381]: pam_winbind(login:auth): user
'jmalek' granted access
> Aug 04 08:53:37 media login[381]: pam_unix(login:account): could not
identify user (from getpwnam(MEDIA\jmalek))
> Aug 04 08:53:37 media login[381]: Authentication failure
> Aug 04 08:53:37 media login[381]: PAM 1 more authentication failure;
logname=LOGIN uid=0 euid=0 tty=/dev/ttyS0 ruser= rhost= user=jmalek
Did anyone figure out how to run Samba and pam in this standalone
server configuration to let Samba perform authentication of local unix
users?

Best,
J?ran Malek


== smb.conf =[global]
   netbios name = MEDIA
   workgroup = WORKGROUP
   server role = standalone server
   map to guest = bad user
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   usershare allow guests = yes
   include = registry

On 04/08/2023 15:28, J?ran Malek via samba wrote:
> Hi,
> 
> I'm trying to get PAM to authenticate against a local install of
> Samba, using the Standalone server mode.
> 
> Environment information:
> - Debian 12
> - Samba version: 4.17.9
> 
> Following packages are installed:
> - samba
> - libpam-winbind
> - libnss-winbind
> 
> I added a user to passwd using
>> adduser --no-create-home --disabled-password --ingroup users jmalek
> Then registered that user in Sambas tdb:
>> pdbedit -a -u jmalek
> Confirmed the password, and continued:
> pdbedit -L
> jmalek:1000:
> 
> Now, nsswitch.conf is configured to use winbind for passwd and group.
Sorry, but I don't think that is ever going to work, you do not use 
winbind on a standalone server, it is meant for use in a domain and 
requires much more configuration.
> 
> I'm basically encountering the same issue that Brian Campbell
> encountered in 2014:
> https://bugzilla.samba.org/show_bug.cgi?id=10669#c12
> but can't find a resolution to this (I do see, that the mentioned
> patch is - albeit modified - still in Samba sources).
> 
Perhaps if you were to explain just what you are trying to achieve, we 
may be able to come up with a workaround.

Rowland