Hi all

I have set my Samba server up to join an AD realm. Winbind is working fine and I am able to use it for authentication as needed. When I try to connect to one of my shares via a Windows client, I get the following error:

[2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: MYDOMAIN+room1
[2004/11/04 11:57:54, 2] auth/pampass.c:smb_pam_error_handler(73)
  smb_pam_error_handler: PAM: Account Check Failed : Authentication service cannot retrieve authentication info.
[2004/11/04 11:57:54, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User MYDOMAIN+room1!
[2004/11/04 11:57:54, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [room1] -> [room1] FAILED with error NT_STATUS_LOGON_FAILURE

My smb.conf file looks something like this:

[global]

winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/false
winbind use default domain = yes

panic action = /usr/share/samba/panic-action %d
# passwd program = /usr/bin/passwd %u
printing = bsd
netbios name = proxy
dns proxy = no
syslog only = no
name resolve order = lmhosts host wins bcast
encrypt passwords = true
# passdb backend = smbpasswd guest
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
short preserve case = yes
printcap name = /etc/printcap
invalid users = root
max log size = 1000
obey pam restrictions = yes
# passwd chat = *Enter\snew\sUNIX\spassword:* %n\n Retype\snew\sUNIX\spassword:* %n\n .
security = ads
password server = DC1
realm = MYDOMAIN.BLAH
preserve case = yes
unix password sync = false
workgroup = MYDOMAIN
server string = %h server (Samba %v)
syslog = 0;
guest account = nobody
load printers = yes

For what it's worth, my /etc/pam.d/samba file is as follows:

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_winbind.so use_first_pass
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_winbind.so use_first_pass

password required /lib/security/pam_cracklib.so retry=3 type=
# Note: The above line is complete. There is nothing following the '='
password sufficient /lib/security/pam_unix.so \
    nullok use_authtok md5 shadow
password sufficient /lib/security/pam_winbind.so use_first_pass
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session sufficient /lib/security/pam_unix.so
session sufficient /lib/security/pam_winbind.so use_first_pass

Interestingly enough, if I connect using smbclient and force it to use kerberos with the -k option, I am able to connect. It's not until I try to use NTLM that I receive the error.

Any suggestions?

Cheers
Richard

Richard,

What entries did you put in /etc/nsswitch.conf?
Does 'getent passwd' return the ADS user info?

- John T.

On Tuesday 09 November 2004 12:45, Richard Greaney wrote:
> Hi all
> I have set my Samba server up to join an AD realm. Winbind is working
> fine and I am able to use it for authentication as needed. When I try to
> connect to one of my shares via a Windows client, I get the following
> error:

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.

John

Thanks for your reply. Winbind authentication is working fine. I am using pam_winbind.so for POP3 authentication. getent passwd also returns all the users with no problems.

If I run 'wbinfo -a username%password' for a user on the Windows DC, all works fine.

Richard

> Richard,
>
> What entries did you put in /etc/nsswitch.conf?
> Does 'getent passwd' return the ADS user info?
>
> - John T.
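
Added example (not part of the original thread, and not Samba or Linux-PAM project code): a small Python model of how Linux-PAM combines "required" and "sufficient" lines, run over the account stack posted in the first message. The per-module return codes are assumptions, since the thread does not say which module returned error 9 (PAM_AUTHINFO_UNAVAIL in Linux-PAM), and SWAPPED is a constructed variant for comparison only.

```python
# Added example: models only Linux-PAM's "required" and "sufficient" flags.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTHINFO_UNAVAIL, PAM_IGNORE = 0, 6, 9, 25

# Account lines as posted in /etc/pam.d/samba.
POSTED = """account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_winbind.so use_first_pass"""
# Constructed variant for comparison (not from the thread): order swapped.
SWAPPED = """account sufficient /lib/security/pam_winbind.so use_first_pass
account required /lib/security/pam_unix.so"""
# Assumed module results for a domain user; the thread does not say which
# module produced error 9.
ASSUMED = {"pam_unix.so": PAM_AUTHINFO_UNAVAIL, "pam_winbind.so": PAM_SUCCESS}

def parse_stack(text, group):
    """Return [(control, module file name)] for one management group."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries

def evaluate(entries, results):
    """Return the stack's final PAM code given each module's return code."""
    failure, granted = None, False
    for control, module in entries:
        rc = results.get(module, PAM_IGNORE)
        if rc == PAM_IGNORE:
            continue
        if control not in ("required", "sufficient"):
            raise ValueError("control flag not modelled: " + control)
        if rc == PAM_SUCCESS:
            granted = granted or failure is None
            if control == "sufficient" and failure is None:
                return PAM_SUCCESS  # "done": stop here, stack succeeds
        elif control == "required" and failure is None:
            failure = rc  # remembered; later lines still run
        # a failing "sufficient" line is ignored
    if failure is not None:
        return failure
    # no module granted anything: libpam falls back to a denial
    return PAM_SUCCESS if granted else PAM_PERM_DENIED

def account_result(stack_text, results=ASSUMED):
    return evaluate(parse_stack(stack_text, "account"), results)

if __name__ == "__main__":
    print("posted :", account_result(POSTED))
    print("swapped:", account_result(SWAPPED))
```

Under these assumed return codes the posted order ends in code 9 even though pam_winbind succeeds, because a failed "required" line cannot be overridden by a later "sufficient" one.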