Hi All,

I have tried logging into ftp using my NT username and password and it works. It is only SSH which has this problem.

216.109.117.135/search/cache?p=pam+NOUSER&ei=UTF-8&fl=0&u=www.publicsource.apple.com/darwinsource/10.0.4/OpenSSH-9/openssh/auth2.c&w=pam+nouser&d=E6EA31C37E&icp=1&.intl=us

The above link gave me this hint. Found it while looking for "NOUSER" and PAM.

Darren

---------- Forwarded message ----------
Date: Tue, 28 Dec 2004 20:38:11 +1100 (EST)
From: "Chew, Darren" <darrenc@vicscouts.asn.au>
To: samba@samba.org
Subject: [Samba] PAM sending wrong username to Winbind

Hi All,

I am unable to authenticate users through pam_winbind.

"wbinfo -u", "wbinfo -g", "getent passwd", "getent group", "wbinfo -a DOMAIN\\Administrator%password" all work and suggest that samba and winbind are correctly configured.

For some strange reason PAM seems to be sending Winbind "NOUSER" as the username to authenticate instead of the username I send sshd.

Below is some output of winbind running in interactive mode and debuglevel 3 while I am trying to ssh as a nt user.

Any help greatly appreciated.

Darren.

[root@box1 pam.d]# winbindd -d 3 -i
winbindd version 3.0.9-1.3E.1 started.
Copyright The Samba Team 2000-2004
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[homes]"
Processing section "[printers]"
adding IPC service
adding IPC service
added interface ip=x.x.x.x bcast=x.x.x.x nmask=x.x.x.x
added interface ip=x.x.x.x bcast=x.x.x.x nmask=x.x.x.x
idmap_init: using 'ldap' as remote backend
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
add_trusted_domain: DOMAIN is an NT4 domain
Added domain DOMAIN S-0-0
resolve_lmhosts: Attempting lmhosts lookup for name DOMAIN<0x1c>
resolve_wins: Attempting wins lookup for name DOMAIN<0x1c>
resolve_wins: using WINS server x.x.x.x and tag '*'
name_resolve_bcast: Attempting broadcast lookup for name DOMAIN<0x1c>
Got a positive name query response from x.x.x.x ( x.x.x.x )
rpc_dc_name: Returning DC PDC (x.x.x.x) for domain DOMAIN
IPC$ connections done by user DOMAIN\Administrator
Connecting to host=PDC
Connecting to x.x.x.x at port 445
error connecting to x.x.x.x:445 (Connection refused)
Connecting to x.x.x.x at port 139
bind_rpc_pipe: transfer syntax differs
rpc_pipe_bind: check_bind_response failed.
cli_nt_session_open: rpc bind to \PIPE\lsarpc failed
rpc: trusted_domains
rpc_dc_name: Returning DC PDC (x.x.x.x) for domain DOMAIN
IPC$ connections done by user DOMAIN\Administrator
Connecting to host=PDC
Connecting to x.x.x.x at port 445
error connecting to x.x.x.x:445 (Connection refused)
Connecting to x.x.x.x at port 139
add_trusted_domain: BUILTIN is an NT4 domain
Added domain BUILTIN S-1-5-32
add_trusted_domain: BOX1 is an NT4 domain
Added domain BOX1 S-1-5-21-776210177-1783708640-2802815666
rpc: trusted_domains
[ 3781]: request interface version
[ 3781]: request location of privileged pipe
[ 3781]: pam auth NOUSER
rpc_dc_name: Returning DC PDC (x.x.x.x) for domain DOMAIN
IPC$ connections done by user DOMAIN\Administrator
Connecting to host=PDC
Connecting to x.x.x.x at port 445
error connecting to x.x.x.x:445 (Connection refused)
Connecting to x.x.x.x at port 139
Plain-text authentication for user NOUSER returned NT_STATUS_WRONG_PASSWORD (PAM: 7)

On Tue, 2004-12-28 at 21:06 +1100, Chew, Darren wrote:
> Hi All,
>
> I have tried logging into ftp using my NT username and password and it
> works. It is only SSH which has this problem.

Yes, this is part of a misguided attempt by OpenSSH's PAM code to avoid giving away 'username ok, but wrong password' errors to remote attackers. I think it actually gave away more information than it hid, and I know at the very least this code has changed over a number of OpenSSH versions.

Try the latest OpenSSH, and ensure that 'getpwnam domain\user' works, as OpenSSH does this when it thinks the username is invalid.

Andrew Bartlett

--
Andrew Bartlett abartlet@samba.org
Authentication Developer, Samba Team samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
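
The getpwnam check suggested in the reply above can be run by hand with a small C program that looks up the exact login string through NSS. This is an added example, not part of the original thread and not OpenSSH or Samba code; `nss_lookup` is a hypothetical helper and `DOMAIN\user` is a placeholder name.

```c
/* Added example: resolve login names through NSS with getpwnam_r(). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical helper. Returns 1 if NSS resolves `name`, 0 if there is no
 * such user, -1 on a lookup failure. uid_out may be NULL. */
int nss_lookup(const char *name, uid_t *uid_out)
{
    struct passwd pw, *res = NULL;
    size_t len = 1024;
    char *buf = NULL;
    int rc, found;

    do {                        /* grow the buffer while NSS reports ERANGE */
        char *tmp = realloc(buf, len);
        if (tmp == NULL) { free(buf); return -1; }
        buf = tmp;
        rc = getpwnam_r(name, &pw, buf, len, &res);
        len *= 2;
    } while (rc == ERANGE && len <= (1u << 20));

    found = (res != NULL);
    if (found && uid_out != NULL)
        *uid_out = res->pw_uid;
    free(buf);
    if (found) return 1;
    /* "not found" is reported as 0, ENOENT or ESRCH depending on the backend */
    return (rc == 0 || rc == ENOENT || rc == ESRCH) ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Pass the strings typed at the ssh prompt, e.g. 'DOMAIN\user' (placeholder). */
    for (int i = 1; i < argc; i++) {
        uid_t uid = 0;
        int r = nss_lookup(argv[i], &uid);
        if (r == 1)
            printf("%-30s resolves, uid=%lu\n", argv[i], (unsigned long)uid);
        else
            printf("%-30s %s\n", argv[i], r == 0
                   ? "NOT FOUND by getpwnam"
                   : "lookup error: check nsswitch.conf and winbindd");
    }
    return 0;
}
```

Quote the argument in the shell so the backslash reaches the program unchanged. A working "getent passwd" enumeration does not prove that a lookup by this exact name succeeds.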