Philippe Dhont (Sea-ro)
2005-Oct-17 09:43 UTC
[Samba] Unknown PAM failure in WIN2003/ Active Directory + samba
Hello,

I have an existing Windows 2003 network and now try to add a new Linux server with samba/kerberos support for unified logon authentication. Normally, everything is installed & this is the configuration:

- Debian with 2.6.16.4 kernel
- heimdal kerberos
- samba

log info:

log.smbd:
[2005/10/17 10:48:26, 0] smbd/server.c:main(798)
  smbd version 3.0.14a-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004

log.nmbd:
[2005/10/17 10:48:26, 0] nmbd/nmbd.c:main(668)
  Netbios nameserver version 3.0.14a-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1994-2004

log.winbind:
[2005/10/17 10:48:37, 1] nsswitch/winbindd.c:main(864)
  winbindd version 3.0.14a-Debian started.
  Copyright The Samba Team 2000-2004

There are no errors in the logging when I start the services.

- smb.conf (testparm)

# Global parameters
[global]
        workgroup = TEST
        realm = TEST.LOCAL
        server string = %h server (Samba %v)
        security = ADS
        obey pam restrictions = Yes
        password server = mainserver.test.local
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        invalid users = root

[homes]
        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        browseable = No

[webcontrol]
        comment = Webcontrol test
        path = /disk2/test
        guest ok = Yes

[printers]
        comment = All Printers
        path = /tmp
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

- nsswitch.conf

passwd:         files winbind
group:          files winbind
shadow:         compat
hosts:          files dns winbind
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

My krb5.conf:

[libdefaults]
        default_realm = TEST.LOCAL
        krb4_get_tickets = false
        clockskew = 300

[realms]
        TEST.LOCAL = {
                kdc = MAINSERVER.TEST.LOCAL
                admin_server = 192.168.0.10
        }

[domain_realm]
        mainserver.test.local = TEST.LOCAL

In my /etc/pam.d/samba file I have:

@include common-auth
@include common-account
@include common-session
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so

When I do kinit Administrator@TEST.LOCAL:

primsquid:/etc/samba# kinit Administrator@TEST.LOCAL
Administrator@TEST.LOCAL's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week

When I do getent passwd, I get all the information. getent users gives me also information.

When I try to connect from a Windows client, I get a logon screen and when I fill in my Windows Administrator user or another one, the logon window comes up again.

In my loggings I get after trying:

Log.smbd:
[2005/10/17 11:26:28, 0] smbd/server.c:main(798)
  smbd version 3.0.14a-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004

Log.nmbd:
[2005/10/17 11:26:28, 0] nmbd/nmbd.c:main(668)
  Netbios nameserver version 3.0.14a-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1994-2004

Log.winbind:
[2005/10/17 11:26:36, 1] nsswitch/winbindd.c:main(864)
  winbindd version 3.0.14a-Debian started.
  Copyright The Samba Team 2000-2004

In the newly added logfile for the Windows PC I tried to connect from:

[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: TEST\phil
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User TEST\phil!
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: TEST\phil
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User TEST\phil!
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: TEST\phil
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User TEST\phil!
[2005/10/17 11:27:00, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: TEST\phil
[2005/10/17 11:27:00, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User TEST\phil!
[2005/10/17 11:27:00, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: TEST\phil
[2005/10/17 11:27:00, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User TEST\phil!
[2005/10/17 11:27:05, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: TEST\administrator
[2005/10/17 11:27:05, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User TEST\administrator!

On the Windows XP PC, I am logged in as phil, and when I connect and I get a logon prompt, I tried TEST\Administrator.

I don't find a lot of good information about this error, but I hope that someone can help me out.

Thnx & Grtz,
Phil.
Felipe Augusto van de Wiel
2005-Oct-17 13:21 UTC
[Samba] Unknown PAM failure in WIN2003/ Active Directory + samba
Philippe Dhont (Sea-ro) wrote:
> Hello,
> I have an existing windows 2003 network and now try to add a
> new linux server with samba/kerberos support for unified
> logon authentication. Normally, everything is installed & this
> is the configuration:
> - Debian with 2.6.16.4 kernel

Are you sure about this kernel version? :-)

[...]

> In my /etc/pam.d/samba file I have:
> @include common-auth
> @include common-account
> @include common-session
> auth required /lib/security/pam_winbind.so
> account required /lib/security/pam_winbind.so

I'm not sure, but I believe you should put auth options together, same for account. AFAIK, pam checks the options line by line; after the auth area ends, there is no chance for "another auth area", so you should put auth parameters all together, like this:

@include common-auth
auth required /lib/security/pam_winbind.so
@include common-account
account required /lib/security/pam_winbind.so

[...]

> In my loggings I get after trying:

[...]

> In the newly added logfile for the windows pc I tried to connect from:
> [2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_account(573)
> smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
> for User: TEST\phil
> [2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_accountcheck(781)
> smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
> TEST\phil!

[...]

Yep, looks like a pam stack problem. :-)

> On the windowsXP pc, I am logged in as phil and when I connect and I get
> a logon, I tried TEST\Administrator
> I don't find a lot of good information about this error, but I hope that
> someone can help me out.

Hope it helps, cheers,

--
//////////
// Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
// CTI/Suporte - SEDU/PARANACIDADE
// http://www.paranacidade.org.br/
//////////