I've been trying for a couple of weeks to get FreeBSD + winbindd + PAM
working, without success. I'm hoping that someone here has bumped into my
problem before and has some advice to give.
My current setup is winbindd from Samba 2.8.8a on both FreeBSD 4.8-RELEASE
and 5.1-BETA. I've configured Samba with the following options: syslog,
nocups, utmp, msdfs, quota, recycle, audit, winbind, wbauth. On the
5.1-BETA box, I've also added the WITH_WINBIND_NSS=yes option.
My smb.conf has the following entries:
[global]
workgroup = ICT
netbios name = VARK
security = domain
password server = MADAM EVE
encrypt passwords = yes
winbind separator = .
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /usr/local/bin/ftponly
template homedir = /tmp/raid/%D.%U
I run winbindd, and set a domain admin password using wbinfo -A. With this
I can successfully enumerate the domain's users and groups:
guy@vark:~$ wbinfo -u | wc -l
675
On the 5.1-BETA box, I've edited nsswitch.conf to include winbindd and can
see winbindd users with pw(8).
guy@vark:~$ pw usershow ICT.admingah
ICT.admingah:*:10004:10013::0:0:Guy Antony
Halse:/tmp/raid/ICT.admingah:/usr/local/bin/ftponly
I realise this won't work on anything prior to the commitment of the new
nsswitch implementation by Jacques A. Vidrine, so I haven't bothered to try
this on the 4.8-RELEASE box.
So far, so good. Everything works as I want it to, so I moved on to trying
to get PAM authentication working.
The first thing I noticed was that the pam_winbind.so from the port was not
installed (I checked the Makefile for PAM-related options and saw none), so
I manually copied this file into /usr/local/lib/compat and ran ldconfig(8).
I have subsequently tried /usr/lib/compat too, but that shouldn't matter.
I edited {pam.conf,pam.d/ftpd} to create entries for my FTP server, that
looked like:
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_winbind.so debug try_first_pass
auth required pam_unix.so no_warn try_first_pass
account sufficient pam_winbind.so debug
account required pam_unix.so
session required pam_permit.so
This is where things start falling apart for me. Authentication always
fails, and I get the following in my logs:
Jun 4 09:07:07 vark ftpd[97485]: connection from omniscient (146.231.120.1)
Jun 4 09:07:15 vark pam_winbind[97485]: Could not retrive user's password
Jun 4 09:07:15 vark kernel: Jun 4 09:07:15 vark pam_winbind[97485]: Could not
retrive user's password
Jun 4 09:07:15 vark ftpd[97485]: in _openpam_check_error_code():
pam_sm_authenticate(): unexpected return value 20
Jun 4 09:07:15 vark kernel: Jun 4 09:07:15 vark ftpd[97485]: in _openpam_check
_error_code(): pam_sm_authenticate(): unexpected return value 20
Jun 4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED FROM omniscient
Jun 4 09:07:15 vark kernel: Jun 4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED
FROM omniscient
Jun 4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED FROM omniscient, ICT.admingah
This problem isn't just restricted to FTP. If I try and set up PAM for
the login service, I get the same _openpam_check_error_code() error.
I've tried reducing my PAM config so that it was completely minimal,
consisting of only required pam_winbind.so lines, but this doesn't appear to
make a difference.
Using winbindd -i -d3, I've watched for connections to winbindd while PAM
authentication is happening, and no connections are ever logged by it.
(They are when nsswitch is in use, and when I use wbinfo).
I've also tried recompiling the Samba suite with no optimizations (and
various stages of optimizations) as suggested by the pkg-message. None of
this seems to make any difference to my problem whatsoever.
Anyone have any ideas as to how I can get this to work?
- Guy
--
Dept of Computer Science, Rhodes University, Grahamstown, South Africa
Email: guy@mombe.org Web: http://mombe.org/ IRC: rm-rf@irc.zanet.net
*** ANSI Standard Disclaimer *** J.A.P.H