Philippe Dhont (Sea-ro)
2005-Oct-17 09:43 UTC
[Samba] Unknown PAM failure in WIN2003/ Active Directory + samba
Hello,
I have an existing Windows 2003 network and am now trying to add a new Linux
server with Samba/Kerberos support for unified logon authentication.
Normally, everything is installed, and this is the configuration:
- Debian with 2.6.16.4 kernel
- heimdal kerberos
- samba log info:
log.smbd:
[2005/10/17 10:48:26, 0] smbd/server.c:main(798)
smbd version 3.0.14a-Debian started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
log.nmbd:
[2005/10/17 10:48:26, 0] nmbd/nmbd.c:main(668)
Netbios nameserver version 3.0.14a-Debian started.
Copyright Andrew Tridgell and the Samba Team 1994-2004
log.winbind:
[2005/10/17 10:48:37, 1] nsswitch/winbindd.c:main(864)
winbindd version 3.0.14a-Debian started.
Copyright The Samba Team 2000-2004
There are no errors in the logs when I start the services.
- smb.conf (testparm)
# Global parameters
[global]
workgroup = TEST
realm = TEST.LOCAL
server string = %h server (Samba %v)
security = ADS
obey pam restrictions = Yes
password server = mainserver.test.local
passdb backend = tdbsam, guest
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000-20000
idmap gid = 10000-20000
invalid users = root
[homes]
comment = Home Directories
create mask = 0700
directory mask = 0700
browseable = No
[webcontrol]
comment = Webcontrol test
path = /disk2/test
guest ok = Yes
[printers]
comment = All Printers
path = /tmp
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
- nsswitch.conf
passwd: files winbind
group: files winbind
shadow: compat
hosts: files dns winbind
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
My krb5.conf:
[libdefaults]
default_realm = TEST.LOCAL
krb4_get_tickets = false
clockskew = 300
[realms]
TEST.LOCAL = {
kdc = MAINSERVER.TEST.LOCAL
admin_server = 192.168.0.10
}
[domain_realm]
mainserver.test.local = TEST.LOCAL
In my /etc/pam.d/samba file I have:
@include common-auth
@include common-account
@include common-session
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
When I do kinit Administrator@TEST.LOCAL:
primsquid:/etc/samba# kinit Administrator@TEST.LOCAL
Administrator@TEST.LOCAL's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
When I do getent passwd, I get all the information. getent users also gives
me information.
When I try to connect from a Windows client, I get a logon screen, and
when I fill in my Windows Administrator user or another one, the logon
window comes up again.
In my logs I get, after trying:
log.smbd:
[2005/10/17 11:26:28, 0] smbd/server.c:main(798)
smbd version 3.0.14a-Debian started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
log.nmbd:
[2005/10/17 11:26:28, 0] nmbd/nmbd.c:main(668)
Netbios nameserver version 3.0.14a-Debian started.
Copyright Andrew Tridgell and the Samba Team 1994-2004
log.winbind:
[2005/10/17 11:26:36, 1] nsswitch/winbindd.c:main(864)
winbindd version 3.0.14a-Debian started.
Copyright The Samba Team 2000-2004
In the newly added log file for the Windows PC I tried to connect from:
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_account(573)
smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\phil
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_accountcheck(781)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
TEST\phil!
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_account(573)
smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\phil
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_accountcheck(781)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
TEST\phil!
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_account(573)
smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\phil
[2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_accountcheck(781)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
TEST\phil!
[2005/10/17 11:27:00, 0] auth/pampass.c:smb_pam_account(573)
smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\phil
[2005/10/17 11:27:00, 0] auth/pampass.c:smb_pam_accountcheck(781)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
TEST\phil!
[2005/10/17 11:27:00, 0] auth/pampass.c:smb_pam_account(573)
smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\phil
[2005/10/17 11:27:00, 0] auth/pampass.c:smb_pam_accountcheck(781)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
TEST\phil!
[2005/10/17 11:27:05, 0] auth/pampass.c:smb_pam_account(573)
smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: TEST\administrator
[2005/10/17 11:27:05, 0] auth/pampass.c:smb_pam_accountcheck(781)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
TEST\administrator!
On the Windows XP PC I am logged in as phil, and when I connect and get
a logon prompt, I tried TEST\Administrator.
I don't find a lot of good information about this error, but I hope that
someone can help me out.
Thnx & Grtz,
Phil.
Felipe Augusto van de Wiel
2005-Oct-17 13:21 UTC
[Samba] Unknown PAM failure in WIN2003/ Active Directory + samba
Philippe Dhont (Sea-ro) wrote:
> Hello,
> I have an existing windows 2003 network and now try to add a
> new linux server with samba/kerberos support for unified
> logon authentication. Normally, everything is installed & this
> is the configuration:
> - Debian with 2.6.16.4 kernel

Are you sure about this kernel version? :-)

[...]

> In my /etc/pam.d/samba file I have:
> @include common-auth
> @include common-account
> @include common-session
> auth required /lib/security/pam_winbind.so
> account required /lib/security/pam_winbind.so

I'm not sure, but I believe you should put auth options together, same for
account. AFAIK, pam checks the options line by line; after the auth area
ends, there is no chance for "another auth area", so you should put the auth
parameters all together, like this:

@include common-auth
auth required /lib/security/pam_winbind.so
@include common-account
account required /lib/security/pam_winbind.so

[...]

> In my logs I get, after trying:
[...]
> In the newly added log file for the Windows PC I tried to connect from:
> [2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_account(573)
> smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
> for User: TEST\phil
> [2005/10/17 11:26:59, 0] auth/pampass.c:smb_pam_accountcheck(781)
> smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
> TEST\phil!
[...]

Yep, looks like a pam stack problem. :-)

> On the Windows XP PC I am logged in as phil, and when I connect and get
> a logon prompt, I tried TEST\Administrator.
> I don't find a lot of good information about this error, but I hope that
> someone can help me out.

Hope it helps, cheers,
--
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
CTI/Suporte - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
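To see what the account stack actually contains once the @include lines are expanded, here is an added Python helper (not from either poster, and not Samba or Linux-PAM code) that resolves the includes and lists each management group's modules in file order, which is how Linux-PAM builds its per-group chains; the common-* file contents are an assumed Debian layout of that era, not taken from the thread.

```python
# Added example, not from either poster: expand a Debian-style /etc/pam.d
# service file and show the chain Linux-PAM builds per management group
# (auth, account, password, session) from that group's lines in file order.
# The account chain is what smbd runs for its Account Management check when
# "obey pam restrictions = Yes".  All file contents below are constructed.

GROUPS = ("auth", "account", "password", "session")

# Constructed stand-in for /etc/pam.d: poster's file, reply's regrouped
# layout, and assumed Debian common-* bodies (assumption, not from the page).
PAMD = {
    "samba": (
        "@include common-auth\n@include common-account\n@include common-session\n"
        "auth required /lib/security/pam_winbind.so\n"
        "account required /lib/security/pam_winbind.so\n"
    ),
    "samba-regrouped": (
        "@include common-auth\nauth required /lib/security/pam_winbind.so\n"
        "@include common-account\naccount required /lib/security/pam_winbind.so\n"
        "@include common-session\n"
    ),
    "common-auth": "auth required pam_unix.so nullok_secure\n",
    "common-account": "account required pam_unix.so\n",
    "common-session": "session required pam_unix.so\n",
}


def expand(service, files=PAMD, depth=0):
    """Yield (group, control, module, args) with @include expanded in place."""
    if depth > 8:
        raise ValueError("@include nesting too deep at %s" % service)
    if service not in files:
        raise FileNotFoundError("missing PAM file: %s" % service)
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("@include"):
            yield from expand(line.split(None, 1)[1].strip(), files, depth + 1)
            continue
        group, control, module, *args = line.split()
        if group not in GROUPS:
            raise ValueError("unknown management group %r in %s" % (group, service))
        yield group, control, module, " ".join(args)


def stacks(service, files=PAMD):
    """Return {group: [module basename, ...]} in PAM evaluation order."""
    out = {g: [] for g in GROUPS}
    for group, _ctl, module, _args in expand(service, files):
        out[group].append(module.rsplit("/", 1)[-1])
    return out
```

Because Linux-PAM keeps a separate chain per group, both layouts resolve to the same account chain (pam_unix.so then pam_winbind.so), so the helper is mainly useful for seeing exactly which account modules smbd consults when it logs the error (9).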