richard@net-solutions.net.nz
2004-Nov-03 23:17 UTC
[Samba] ADS Domain Member Server + PAM problem
Hi all,

I have set my Samba server up to join an AD realm. Winbind is working fine and I am able to use it for authentication as needed. When I try to connect to one of my shares via a Windows client, I get the following error:

[2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: MYDOMAIN+room1
[2004/11/04 11:57:54, 2] auth/pampass.c:smb_pam_error_handler(73)
  smb_pam_error_handler: PAM: Account Check Failed : Authentication service cannot retrieve authentication info.
[2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User MYDOMAIN+room1!
[2004/11/04 11:57:54, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [room1] -> [room1] FAILED with error NT_STATUS_LOGON_FAILURE

My smb.conf file looks something like this:

[global]
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/false
winbind use default domain = yes
panic action = /usr/share/samba/panic-action %d
# passwd program = /usr/bin/passwd %u
printing = bsd
netbios name = proxy
dns proxy = no
syslog only = no
name resolve order = lmhosts host wins bcast
encrypt passwords = true
# passdb backend = smbpasswd guest
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
short preserve case = yes
printcap name = /etc/printcap
invalid users = root
max log size = 1000
obey pam restrictions = yes
# passwd chat = *Enter\snew\sUNIX\spassword:* %n\n Retype\snew\sUNIX\spassword:* %n\n .
security = ads
password server = DC1
realm = MYDOMAIN.BLAH
preserve case = yes
unix password sync = false
workgroup = MYDOMAIN
server string = %h server (Samba %v)
syslog = 0
; guest account = nobody
load printers = yes

For what it's worth, my /etc/pam.d/samba file is as follows:

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_winbind.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_winbind.so use_first_pass
password required /lib/security/pam_cracklib.so retry=3 type=
# Note: The above line is complete. There is nothing following the '='
password sufficient /lib/security/pam_unix.so \
    nullok use_authtok md5 shadow
password sufficient /lib/security/pam_winbind.so use_first_pass
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session sufficient /lib/security/pam_unix.so
session sufficient /lib/security/pam_winbind.so use_first_pass

Interestingly enough, if I connect using smbclient and force it to use kerberos with the -k option, I am able to connect. It's not until I try to use NTLM that I receive the error.

Any suggestions?

Cheers
Richard