Hi,

I'm running a Linux RedHat 7.2 box with samba 2.2.4.
I want to use winbind for authentication.
The samba server is a member server in a W2K domain.
I followed the steps in the winbind help which comes with the samba
distribution (http://localhost:901/swat/help/winbind.html).
Joining the domain was successful:
$ smbpasswd -j DOMAIN -r PDC -U toto
| INFO: Debug class all level = 100 (pid 3643 from pid 3643)
| Password:
| Joined domain DOMAIN.

and wbinfo -t returns secret is good:
$ wbinfo -t
| Secret is good

wbinfo -u and wbinfo -g show the domain users and groups.
getent passwd and getent group show both local and win2k unix users and
groups.

When I try to log into the Linux samba box with a valid win2k account
I get the following error in log file /var/log/messages:
| Jun 5 11:36:34 lima pam_winbind[15139]: request failed, PAM error was 4, NT error was
| NT_STATUS_INVALID_PARAMETER
| Jun 5 11:36:34 lima pam_winbind[15139]: internal module error (retval = 4, user
| `toto'
| Jun 5 11:36:34 lima login(pam_unix)[15139]: check pass; user unknown
| Jun 5 11:36:34 lima login(pam_unix)[15139]: authentication failure; logname=LOGIN
| uid=0 euid=0 tty=tty1 ruser= rhost
| Jun 5 11:36:40 lima login(pam_unix)[15139]: check pass; user unknown
| Jun 5 11:36:42 lima login[15139]: FAILED LOGIN 1 FROM (null) FOR toto,
| Authentication failure

$ wbinfo -a stoto%passworrd
| plaintext password authentication failed
| error code was NT_STATUS_INVALID_PARAMETER (0xc000000d)
| Could not authenticate user toto%password with plaintext password
| challenge/response password authentication succeeded
| error code was NT_STATUS_OK (0x0)

$ tail -f log.winbind
| [2002/06/05 12:12:56, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(118)
| Plain-text authenticaion for user toto returned NT_STATUS_INVALID_PARAMETER
| (PAM: 4)

My smb.conf file contains the following lines:
---------------------------------------------------------------------------------
[global]
   workgroup = DOMAIN
   netbios name = LIMA
   server string = Linux with Samba (%v) on %L
   wins server = x.x.x.x
   security = domain
   password server = PDC
   message command = csh -c 'xedit %s; rm %s' &
   # password
   encrypt passwords = Yes
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *new*password* %n\n *new*password* %n\n *success*
   passwd chat debug = Yes
   # users
   invalid users = root bin daemon adm sync shutdown \
                   halt mail news uucp operator gother
   #
   # winbind
   #
   # separate domain and username with '+', like DOMAIN+username
   winbind separator = +
   # use uids from 10000 to 20000 for domain users
   winbind uid = 10000-20000
   # use gids from 10000 to 20000 for domain groups
   winbind gid = 10000-20000
   # allow enumeration of winbind users and groups
   winbind enum users = yes
   winbind enum groups = yes
   # give winbind users a real shell (only needed if they have telnet access)
   template homedir = /home/win2k/%D/%U
   template shell = /bin/bash
   #
   # log config
   #
   log level = 2
   log file = /var/log/samba.log
---------------------------------------------------------------------------------

As you can see, the 'encrypt passwords' option is set to yes.

Here is the /etc/pam.d/login file content:
---------------------------------------------------------------------------------
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
---------------------------------------------------------------------------------

I've compiled samba with the following options:
   --with-smbwrapper --with-automount --with-smbmount
   --with-pam --with-pam_smbpass --with-ssl --with-quotas
   --with-acl-support --with-ldapsam --with-syslog

Any idea about how to solve this issue?

Any help would be greatly appreciated.

Thanks.

Sabrina
IT engineer
France
LAUTIER Sabrina
2002-Jun-07 03:23 UTC
[Samba] SUMMARY: winbind NT_STATUS_INVALID_PARAMETER
I solved my issue by simply logging in as "DOMAIN+toto" and not only as "toto"!

---------------------------------------
lima login: DOMAIN+toto
password:
Last login: Fri Jun 7 09;53:01 on tty1
bash-2.05$
---------------------------------------

As my Linux box was part of the win2k domain and the local Linux account
didn't exist, I thought that I didn't have to specify the domain name before
the win2k account.

So both samba and PAM were well configured.

Cheers,
Sab
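
Added example (not part of the original posts): a Python sketch of the check this thread's fix suggests. It reads `winbind separator` and `workgroup` from smb.conf text and flags pam_winbind failures with NT_STATUS_INVALID_PARAMETER where the login name lacks the separator, proposing the domain-qualified form. The sample smb.conf and syslog lines are constructed from the ones quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the settings and log lines in the thread.
SMB_CONF = """\
[global]
   workgroup = DOMAIN
   security = domain
   winbind separator = +
"""
SYSLOG = """\
Jun  5 11:36:34 lima pam_winbind[15139]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jun  5 11:36:34 lima pam_winbind[15139]: internal module error (retval = 4, user `toto'
Jun  5 11:36:34 lima login(pam_unix)[15139]: check pass; user unknown
Jun  7 09:52:10 lima pam_winbind[15201]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jun  7 09:52:10 lima pam_winbind[15201]: internal module error (retval = 4, user `DOMAIN+toto'
"""

def global_option(conf, name, default):
    """Last value of `name` in smb.conf text; names ignore case and spacing."""
    want = name.replace(" ", "").lower()
    value = default
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, val = line.split("=", 1)
        if key.replace(" ", "").lower() == want:
            value = val.strip()
    return value

PAM_LINE = re.compile(r"pam_winbind\[(\d+)\]: (.*)")
USER = re.compile(r"user `([^']+)'")

def unqualified_failures(syslog, conf):
    """Return (name_as_typed, domain_qualified_name) for each failed login
    whose user name does not contain the configured winbind separator."""
    sep = global_option(conf, "winbind separator", "\\")   # Samba default is '\'
    domain = global_option(conf, "workgroup", "WORKGROUP")
    failed_pids, hints = set(), []
    for line in syslog.splitlines():
        m = PAM_LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if "NT_STATUS_INVALID_PARAMETER" in msg:
            failed_pids.add(pid)            # the "request failed" line comes first
        u = USER.search(msg)
        if u and pid in failed_pids and sep not in u.group(1):
            hints.append((u.group(1), domain + sep + u.group(1)))
    return hints

if __name__ == "__main__":
    for typed, qualified in unqualified_failures(SYSLOG, SMB_CONF):
        print(f"login as '{typed}' failed; try '{qualified}'")
```

The second failure in the sample already uses the separator, so it is not reported: the heuristic only covers the unqualified-name case described in this thread.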