I have a Samba 2.2.0 PDC set up running Linux and I have a Windows 2000 client computer. The Win2k computer can join the domain, but no one can log in. Every time I try to logon with the Win2k computer, it says that the account is disabled. I can use the account to browse shares and mount the home directory from the PDC. I have added the account to a group on the Win2k computer.

I found the following output in syslog.

Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] rpc_server/srv_netlog.c:api_net_sam_logon(177)
Apr 21 17:27:38 Venom smbd[7753]: api_net_sam_logon: Failed to marshall NET_R_SAM_LOGON.
Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] rpc_server/srv_pipe.c:api_rpcTNP(1215)
Apr 21 17:27:38 Venom smbd[7753]: api_rpcTNP: api_netlog_rpc: NET_SAMLOGON failed.
Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] passdb/pampass.c:pam_account(268)
Apr 21 17:27:38 Venom smbd[7753]: PAM: UNKNOWN ERROR for User: thuang
Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] passdb/pampass.c:pam_accountcheck(381)
Apr 21 17:27:38 Venom smbd[7753]: PAM: Account Validation Failed - Rejecting User!

Thanks,

Norman Jordan

Norman Jordan wrote:
>
> I have a Samba 2.2.0 PDC set up running Linux and I have a Windows 2000 client computer. The Win2k computer can join the domain, but no one can log in. Every time I try to logon with the Win2k computer, it says that the account is disabled. I can use the account to browse shares and mount the home directory from the PDC. I have added the account to a group on the Win2k computer.
>
> I found the following output in syslog.
> Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] rpc_server/srv_netlog.c:api_net_sam_logon(177)
> Apr 21 17:27:38 Venom smbd[7753]: api_net_sam_logon: Failed to marshall NET_R_SAM_LOGON.
> Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] rpc_server/srv_pipe.c:api_rpcTNP(1215)
> Apr 21 17:27:38 Venom smbd[7753]: api_rpcTNP: api_netlog_rpc: NET_SAMLOGON failed.
> Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] passdb/pampass.c:pam_account(268)
> Apr 21 17:27:38 Venom smbd[7753]: PAM: UNKNOWN ERROR for User: thuang
> Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] passdb/pampass.c:pam_accountcheck(381)
> Apr 21 17:27:38 Venom smbd[7753]: PAM: Account Validation Failed - Rejecting User!
>
> Thanks,
>
> Norman Jordan
>

Samba 2.2.0 now checks with PAM's account management facility (is this user valid? expired? permitted to login at this time? from this machine?) for all authentications, not just plain-text passwords.

Check your /etc/pam.d/samba file and the validity of the account in question.

--
Andrew Bartlett
abartlet@pcug.org.au

Norman Jordan <njordan@home.com> wrote:
> I have a Samba 2.2.0 PDC set up running Linux and I have a Windows
> 2000 client computer. The Win2k computer can join the domain, but no
> one can log in. Every time I try to logon with the Win2k computer, it
> says that the account is disabled. I can use the account to browse
> shares and mount the home directory from the PDC. I have added the
> account to a group on the Win2k computer.
>
> I found the following output in syslog.
>
> Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] rpc_server/srv_netlog.c:api_net_sam_logon(177)
> Apr 21 17:27:38 Venom smbd[7753]: api_net_sam_logon: Failed to marshall NET_R_SAM_LOGON.
> Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] rpc_server/srv_pipe.c:api_rpcTNP(1215)
> Apr 21 17:27:38 Venom smbd[7753]: api_rpcTNP: api_netlog_rpc: NET_SAMLOGON failed.
> Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] passdb/pampass.c:pam_account(268)
> Apr 21 17:27:38 Venom smbd[7753]: PAM: UNKNOWN ERROR for User: thuang
> Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] passdb/pampass.c:pam_accountcheck(381)
> Apr 21 17:27:38 Venom smbd[7753]: PAM: Account Validation Failed - Rejecting User!

I see the same exact thing. We have 2.0.7 working just great, but when I upgrade to 2.2.0, it claims that all the accounts are "disabled" even though any of them are allowed to log in using ssh or at the console just fine. We're using pam (obviously) on a RedHat Linux 6.1 box.

-Craig

PAM and Win2k domain logons appear to be incompatible at the moment. Recompile without pam is my advice for a quick fix. I am looking at the "Failed to marshall" message right now.

Cheers, jerry
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
   \/  http://www.valinux.com/  VA Linux Systems   gcarter@valinux.com
       http://www.samba.org/    SAMBA Team             jerry@samba.org
       http://www.plainjoe.org/                     jerry@plainjoe.org

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )
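
Added example (not part of any message in the thread, and not Samba code): a Python triage script for the smbd log format quoted above, where each event spans two syslog lines, a debug header followed by its message. It pairs the two per smbd pid and reports which users the PAM account check rejected; the function names are hypothetical.

```python
import re

# Sample input: the eight syslog lines quoted in the thread.
SAMPLE = """\
Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] rpc_server/srv_netlog.c:api_net_sam_logon(177)
Apr 21 17:27:38 Venom smbd[7753]: api_net_sam_logon: Failed to marshall NET_R_SAM_LOGON.
Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] rpc_server/srv_pipe.c:api_rpcTNP(1215)
Apr 21 17:27:38 Venom smbd[7753]: api_rpcTNP: api_netlog_rpc: NET_SAMLOGON failed.
Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] passdb/pampass.c:pam_account(268)
Apr 21 17:27:38 Venom smbd[7753]: PAM: UNKNOWN ERROR for User: thuang
Apr 21 17:27:38 Venom smbd[7753]: [2001/04/21 17:27:38, 0] passdb/pampass.c:pam_accountcheck(381)
Apr 21 17:27:38 Venom smbd[7753]: PAM: Account Validation Failed - Rejecting User!
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) smbd\[(?P<pid>\d+)\]: (?P<body>.*)$")
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+), (?P<level>\d+)\] (?P<file>[^:]+):(?P<func>\w+)\((?P<line>\d+)\)$")
USER = re.compile(r"for User: (?P<user>\S+)")

def parse_smbd(text):
    """Join each Samba debug header with the message line that follows it (same pid)."""
    pending, events = {}, []
    for raw in text.splitlines():
        m = SYSLOG.match(raw.strip())
        if not m:
            continue
        header = HEADER.match(m["body"])
        if header:                       # header line: remember it for this pid
            pending[m["pid"]] = header.groupdict()
        elif m["pid"] in pending:        # message line: attach to the pending header
            events.append({**pending.pop(m["pid"]), "pid": m["pid"], "message": m["body"].strip()})
    return events

def pam_account_rejections(events):
    """Per smbd pid: users named in pampass.c errors and whether the PAM account check rejected them."""
    out = {}
    for ev in events:
        rec = out.setdefault(ev["pid"], {"users": set(), "rejected": False, "sam_logon_failed": False})
        if ev["file"] == "passdb/pampass.c":
            user = USER.search(ev["message"])
            if user:
                rec["users"].add(user["user"])
            rec["rejected"] |= "Account Validation Failed" in ev["message"]
        elif ev["func"] == "api_net_sam_logon":
            rec["sam_logon_failed"] = True
    return out

if __name__ == "__main__":
    for pid, rec in pam_account_rejections(parse_smbd(SAMPLE)).items():
        print(f"smbd[{pid}] users={sorted(rec['users'])} pam_rejected={rec['rejected']}")
```

Grouping by pid keeps interleaved output from concurrent smbd processes apart, so a rejection is attributed to the user named by the same process.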