samba - May 2005 - ssh + pam_winbind error 'incorrect password or invaid membership'

Configuration: 
Samba 3.0.14a-1 (on debian 3.1) +  winbind 3.0.14a-1 + krb5-user 1.3.6-2

I need help debugging pam_winbind.so in /etc/pam.d/ssh on debian.

Samba is a member of an AD domain, authenticating access to shares via
winbind+nsswitch.conf.  Authentication to shares works great.  Now I
want winbind to authenticate ssh users as a pam module and it's failing.
Below I show the output of an ssh attempt with the auth.log and winbind
(in debug 3). If you see any problems with the configs/logs below, our
you need any other confgs/logs,  please let me know.  Thank you very
much.

No problem with any of the following tests:
  smbd -b |egrep 'KRB|LDAP' # Shows Samba has needed Libs.
  wbinfo -u                  # Shows winbind is doing lookups from ADS
	johns
  wbinfo -g                  # Shows winbind is doing lookups from ADS
  getent passwd          # Shows nsswitch is correct, to resolve
ADSusers.
	johns:x:10000:10000:John Stile:/home/MS/johns:/usr/local/bin/bash
  getent group            # Shows nsswitch is correct, to resolve ADS
groups.
  net ads info              # Show AD info
	LDAP server: 192.168.50.42
	LDAP server name: stan
	Realm: MS.STILEN.COM
	Bind Path: dc=MS,dc=STILEN,dc=COM
	LDAP port: 389
	Server time: Fri, 20 May 2005 21:15:29 GMT
	KDC server: 192.168.50.42
	Server time offset: 0
  net ads join -Ujohns%passwd # Joined the domain
  net ads testjoin        # Shows join is ok
  wbinfo -a johns%password # Test if winbind can authenticate
	plaintext password authentication succeeded
	challenge/response password authentication succeeded
  kinit johns               # Test kerberose authentication
	Password for johns@MS.STILEN.COM:
	<ends without any response>
  smbclient  -L localhost -U ms\\johns%password # list shares using
passwd
  
Configuration: 
Samba 3.0.14a-1 (on debian 3.1) +  winbind 3.0.14a-1 + krb5-user 1.3.6-2

Ran winbind in debug mode during a ssh attempt
winbindd -d 3 -i 
  [ 3195]: request interface version
  [ 3195]: request location of privileged pipe
  [ 3195]: pam auth johns
  cm_get_ipc_userpass: No auth-user defined
  Doing spnego session setup (blob length=105)
  got OID=1 2 840 48018 1 2 2
  got OID=1 2 840 113554 1 2 2
  got OID=1 2 840 113554 1 2 2 3
  got OID=1 3 6 1 4 1 311 2 2 10
  got principal=stan$@MS.STILEN.COM
  Doing kerberos session setup
  Ticket in ccache[MEMORY:cliconnect] expiration Sat, 21 May 2005 06:58:43 GMT
  Plain-text authentication for user johns returned NT_STATUS_WRONG_PASSWORD
(PAM: 7)
---------------------------------
Authlog 
==> /var/log/auth.log <=  May 20 20:58:31 localhost sshd[3195]: Illegal
user johns from ::ffff:192.168.60.161
  May 20 20:58:43 localhost pam_winbind[3195]: request failed: Wrong Password,
PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
  May 20 20:58:43 localhost pam_winbind[3195]: user `johns' denied access
(incorrect password or invalid membership)
---------------------------------
Only added the winbind stuff to default debian /etc/pam.d/ssh
  # PAM configuration for the Secure Shell service
  auth      sufficient   pam_winbind.so
  auth       required     pam_nologin.so
  auth       required     pam_env.so # [1]
  @include common-auth
  account  sufficient     pam_winbind.so
  @include common-account
  session required pam_mkhomedir.so skel=/etc/skel umask=0022
  @include common-session
  session    optional     pam_motd.so # [1]
  session    optional     pam_mail.so standard noenv # [1]
  session    required     pam_limits.so
  @include common-password
---------------------------------
[global]
  realm = MS.STILEN.COM
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  template homedir = /home/%D/%U
  template shell = /usr/local/bin/bash
  winbind enum users = yes
  winbind enum groups = yes
  winbind nested groups = Yes
  winbind use default domain = Yes
  winbind separator = +
  workgroup = MS
  security = ADS
  password server = stan.ms.stilen.com
  wins support = yes
  wins server = stan.ms.stilen.com
  server string = %h server (Samba %v)
  dns proxy = no
  ldap ssl = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  encrypt passwords = true
  passdb backend = tdbsam guest
  obey pam restrictions = no 
  invalid users = root Debian-exim daemon bin sys adm lp listen noaccess
www-data
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
   load printers = no
---------------------------------
/etc/resolv.conf
search ms.stilen.com
---------------------------------

I got a little farther.

After creating the home directory , /home/MS/johns
And fixing the path to the default shell,
I can ssh in with:
   ssh 192.168.60.189 -l MS\+johns
But not with this:
   ssh 192.168.60.189 -l johns
My smb.conf definitely has:
   winbind use default domain = Yes

How can I make ssh work with the short user name?

On Fri, 2005-05-20 at 14:27 -0700, jstile wrote:
> Configuration: 
> Samba 3.0.14a-1 (on debian 3.1) +  winbind 3.0.14a-1 + krb5-user 1.3.6-2
> 
> I need help debugging pam_winbind.so in /etc/pam.d/ssh on debian.
> 
> Samba is a member of an AD domain, authenticating access to shares via
> winbind+nsswitch.conf.  Authentication to shares works great.  Now I
> want winbind to authenticate ssh users as a pam module and it's
failing.
> Below I show the output of an ssh attempt with the auth.log and winbind
> (in debug 3). If you see any problems with the configs/logs below, our
> you need any other confgs/logs,  please let me know.  Thank you very
> much.
> 
> No problem with any of the following tests:
>   smbd -b |egrep 'KRB|LDAP' # Shows Samba has needed Libs.
>   wbinfo -u                  # Shows winbind is doing lookups from ADS
> 	johns
>   wbinfo -g                  # Shows winbind is doing lookups from ADS
>   getent passwd          # Shows nsswitch is correct, to resolve
> ADSusers.
> 	johns:x:10000:10000:John Stile:/home/MS/johns:/usr/local/bin/bash
>   getent group            # Shows nsswitch is correct, to resolve ADS
> groups.
>   net ads info              # Show AD info
> 	LDAP server: 192.168.50.42
> 	LDAP server name: stan
> 	Realm: MS.STILEN.COM
> 	Bind Path: dc=MS,dc=STILEN,dc=COM
> 	LDAP port: 389
> 	Server time: Fri, 20 May 2005 21:15:29 GMT
> 	KDC server: 192.168.50.42
> 	Server time offset: 0
>   net ads join -Ujohns%passwd # Joined the domain
>   net ads testjoin        # Shows join is ok
>   wbinfo -a johns%password # Test if winbind can authenticate
> 	plaintext password authentication succeeded
> 	challenge/response password authentication succeeded
>   kinit johns               # Test kerberose authentication
> 	Password for johns@MS.STILEN.COM:
> 	<ends without any response>
>   smbclient  -L localhost -U ms\\johns%password # list shares using
> passwd
>   
> Configuration: 
> Samba 3.0.14a-1 (on debian 3.1) +  winbind 3.0.14a-1 + krb5-user 1.3.6-2
> 
> Ran winbind in debug mode during a ssh attempt
> winbindd -d 3 -i 
>   [ 3195]: request interface version
>   [ 3195]: request location of privileged pipe
>   [ 3195]: pam auth johns
>   cm_get_ipc_userpass: No auth-user defined
>   Doing spnego session setup (blob length=105)
>   got OID=1 2 840 48018 1 2 2
>   got OID=1 2 840 113554 1 2 2
>   got OID=1 2 840 113554 1 2 2 3
>   got OID=1 3 6 1 4 1 311 2 2 10
>   got principal=stan$@MS.STILEN.COM
>   Doing kerberos session setup
>   Ticket in ccache[MEMORY:cliconnect] expiration Sat, 21 May 2005 06:58:43
GMT
>   Plain-text authentication for user johns returned
NT_STATUS_WRONG_PASSWORD (PAM: 7)
> ---------------------------------
> Authlog 
> ==> /var/log/auth.log <=>   May 20 20:58:31 localhost sshd[3195]:
Illegal user johns from ::ffff:192.168.60.161
>   May 20 20:58:43 localhost pam_winbind[3195]: request failed: Wrong
Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
>   May 20 20:58:43 localhost pam_winbind[3195]: user `johns' denied
access (incorrect password or invalid membership)
> ---------------------------------
> Only added the winbind stuff to default debian /etc/pam.d/ssh
>   # PAM configuration for the Secure Shell service
>   auth      sufficient   pam_winbind.so
>   auth       required     pam_nologin.so
>   auth       required     pam_env.so # [1]
>   @include common-auth
>   account  sufficient     pam_winbind.so
>   @include common-account
>   session required pam_mkhomedir.so skel=/etc/skel umask=0022
>   @include common-session
>   session    optional     pam_motd.so # [1]
>   session    optional     pam_mail.so standard noenv # [1]
>   session    required     pam_limits.so
>   @include common-password
> ---------------------------------
> [global]
>   realm = MS.STILEN.COM
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   template homedir = /home/%D/%U
>   template shell = /usr/local/bin/bash
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind nested groups = Yes
>   winbind use default domain = Yes
>   winbind separator = +
>   workgroup = MS
>   security = ADS
>   password server = stan.ms.stilen.com
>   wins support = yes
>   wins server = stan.ms.stilen.com
>   server string = %h server (Samba %v)
>   dns proxy = no
>   ldap ssl = no
>   log file = /var/log/samba/log.%m
>   max log size = 1000
>   syslog = 0
>   panic action = /usr/share/samba/panic-action %d
>   encrypt passwords = true
>   passdb backend = tdbsam guest
>   obey pam restrictions = no 
>   invalid users = root Debian-exim daemon bin sys adm lp listen noaccess
www-data
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
>    load printers = no
> ---------------------------------
> /etc/resolv.conf
> search ms.stilen.com
> ---------------------------------
>