Vladimir Orlic
2009-Aug-28 18:36 UTC
[Samba] FreeBSD 7.2 and Samba 3.3.7 AD 2003 Authentication Problem
I am having problems upgrading Samba 3.0.36 to 3.3.7. I have a working installation of Samba 3.0.36 on FreeBSD 7.2 amd64, configured as a domain member in a 2003 AD, running in native mode. Domain controllers have Services for Unix 3.5 installed and I am using the idmap backend with SFU schema mode. I have enclosed my configuration files and compile options further down.

When I upgrade to version 3.3.7 I can see user information (pw user show -a) and they have correct info, but when I try to log in using ssh, the connection breaks after I enter the username and I get the following error messages in /var/log/messages:

sshd[44500]: in openpam_load_module(): no /usr/local/lib/pam_winbind.so found
sshd[44500]: fatal: PAM: initialisation failed

Also there is the following message in /var/log/messages:

winbindd[44685]: request_len_recv: Invalid request size received: 2088 (expected 2096)

Logging in using the system console fails as well, but not as verbosely. I can use the root account to log on to the console, not through ssh (I enabled it for testing purposes).

Upgrade steps are:

# /usr/local/etc/rc.d/samba stop
# net ads leave -U adminuser
# rm /usr/local/etc/samba/*tdb
# rm /var/db/samba/*tdb
# cd /usr/ports/net/samba3/
# make deinstall distclean
# cd /usr/ports/net/samba33/
# make KRB5_HOME=/usr/local/ reinstall distclean
# net ads join -U adminuser
# /usr/local/etc/rc.d/samba start

I test the installation with:

# net ads testjoin
# wbinfo -u
# wbinfo -g
# pw user show -a

And I can see all users with their uids set on the SFU PDC.

If I comment out the following lines from the config file I still get the same problem:

idmap backend = ad
idmap uid = 50001 - 100000
idmap gid = 50001 - 100000

I hope you can help me resolve this issue. Please let me know if you need any additional info.

Thanks,
Vladimir Orlic

# more /var/db/ports/samba3/options
_OPTIONS_READ=samba-3.0.35,1
WITH_LDAP=true
WITH_ADS=true
WITHOUT_CUPS=true
WITH_WINBIND=true
WITH_ACL_SUPPORT=true
WITHOUT_AIO_SUPPORT=true
WITHOUT_FAM_SUPPORT=true
WITH_SYSLOG=true
WITHOUT_QUOTAS=true
WITH_UTMP=true
WITH_PAM_SMBPASS=true
WITHOUT_CLUSTER=true
WITH_DNSUPDATE=true
WITH_EXP_MODULES=true
WITH_POPT=true
WITH_PCH=true
WITHOUT_MAX_DEBUG=true
WITHOUT_SMBTORTURE=true

# more /var/db/ports/samba33/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for samba-3.3.7
_OPTIONS_READ=samba-3.3.7
WITH_LDAP=true
WITH_ADS=true
WITHOUT_CUPS=true
WITH_WINBIND=true
WITHOUT_SWAT=true
WITH_ACL_SUPPORT=true
WITHOUT_AIO_SUPPORT=true
WITHOUT_FAM_SUPPORT=true
WITH_SYSLOG=true
WITHOUT_QUOTAS=true
WITH_UTMP=true
WITH_PAM_SMBPASS=true
WITH_DNSUPDATE=true
WITHOUT_DNSSD=true
WITH_EXP_MODULES=true
WITH_POPT=true
WITHOUT_MAX_DEBUG=true
WITHOUT_SMBTORTURE=true

I use this line to compile Samba and I make sure that samba daemons are not running and that I've left the domain.

# make reinstall distclean

# more smb.conf
#======================= Global Settings ====================================
[global]
    security = ads
    realm = MYDOMAIN.UCSD.EDU
    workgroup = MYDOMAIN
    password server = pdc.mydomain.ucsd.edu
    server string = Samba File Server
    encrypt passwords = yes
    netbios name = MACHINENAME
    ldap ssl = no
    unix extensions = no

    # Log settings
    log level = 1
    log file = /var/log/samba/log.%m
    max log size = 50
    syslog = 1

    # Browser settings
    local master = no
    domain master = no
    preferred master = no

    # ACL settings
    inherit acls = yes
    acl compatibility = auto
    acl check permissions = true
    acl map full control = true
    dos filemode = yes

    # Config domain security
    idmap backend = ad
    idmap alloc config: range = 50001 - 100000
    #idmap uid = 50001 - 100000
    #idmap gid = 50001 - 100000
    idmap config MYDOMAIN:default = yes
    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:range = 10000 - 50000
    idmap config MYDOMAIN:schema_mode = sfu

    # Winbind settings
    # Enable offline logon support
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nss info = sfu
    winbind nested groups = yes
    winbind separator = /
    winbind use default domain = yes
    allow trusted domains = no

#============================ Share Definitions ==============================
[Files]
    comment = My File Server
    browseable = yes
    writable = yes
    path = /usr/local/smbmnt/Files
    printable = no
    create mask = 0664
    directory mask = 0775
    delete read only = yes

# more /etc/krb5.conf
[libdefaults]
    deafult_realm = MYDOMAIN.UCSD.EDU
    forwardable = yes

[realms]
    MYDOMAIN.UCSD.EDU = {
        kdc = pdc.mydomain.ucsd.edu
        admin_server = pdc.mydomain.ucsd.edu
        default_domain = mydomain.ucsd.edu
    }

[domain_realm]
    mydomain.ucsd.edu = MYDOMAIN.UCSD.EDU
    .mydomain.ucsd.edu = MYDOMAIN.UCSD.EDU

# more /etc/nsswitch.conf
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

# more /etc/pam.d/sshd
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_winbind.so try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account sufficient /usr/local/lib/pam_winbind.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so
#session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so

# password
password sufficient /usr/local/lib/pam_winbind.so try_first_pass
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

# more /etc/pam.d/system
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_winbind.so try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok

# account
account sufficient /usr/local/lib/pam_winbind.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail

# password
password sufficient /usr/local/lib/pam_winbind.so try_first_pass
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
Volker Lendecke
2009-Aug-28 19:05 UTC
[Samba] FreeBSD 7.2 and Samba 3.3.7 AD 2003 Authentication Problem
On Fri, Aug 28, 2009 at 11:36:38AM -0700, Vladimir Orlic wrote:
> sshd[44500]: fatal: PAM: initialisation failed
>
> Also there is the following message in /var/log/messages:
> winbindd[44685]: request_len_recv: Invalid request size received: 2088
> (expected 2096)

You have to replace the pam_module with the one from 3.3.7 as well.

Volker
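
Added example, not part of the original thread: a post-upgrade check in POSIX sh for the two symptoms reported above, a PAM module path that no longer exists on disk and a winbindd request-size mismatch between a client library and the running daemon. The function names and the throwaway pam.d directory are illustrative; the log lines are the ones quoted in the thread with a constructed host and timestamp prefix.

```sh
#!/bin/sh
# Added example, not from the thread: post-upgrade checks for the two symptoms above.
# Assumes OpenPAM-style pam.d lines: facility, control flag, module, options.

# Print "<file>: <module>" for every absolute-path module named on an active
# (non-comment) line under the given pam.d directory that is missing on disk.
# Bare names such as pam_unix.so are resolved by PAM itself and are skipped.
missing_pam_modules() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '!/^[ \t]*#/ && $3 ~ /^\// { print $3 }' "$f" | sort -u |
        while read -r mod; do
            [ -e "$mod" ] || printf '%s: %s\n' "$f" "$mod"
        done
    done
}

# Read syslog text on stdin and print "received=<n> expected=<m>" once per
# distinct winbindd request-size mismatch (a client library built from a
# different Samba version than the running daemon).
winbind_size_mismatches() {
    sed -n 's/.*winbindd\[[0-9]*\]: request_len_recv: Invalid request size received: \([0-9]*\) (expected \([0-9]*\)).*/received=\1 expected=\2/p' | sort -u
}

# Log lines as quoted in the thread, with a constructed host/timestamp prefix.
SAMPLE_LOG='Aug 28 11:30:01 host sshd[44500]: fatal: PAM: initialisation failed
Aug 28 11:30:02 host winbindd[44685]: request_len_recv: Invalid request size received: 2088 (expected 2096)
Aug 28 11:31:10 host winbindd[44685]: request_len_recv: Invalid request size received: 2088 (expected 2096)'

# Build a throwaway pam.d (constructed sample) and run both checks on it.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/pam.d" "$tmp/lib"
    : > "$tmp/lib/pam_present.so"
    cat > "$tmp/pam.d/sshd" <<EOF
auth sufficient $tmp/lib/pam_winbind.so try_first_pass
#session required $tmp/lib/pam_mkhomedir.so
account sufficient $tmp/lib/pam_present.so
auth required pam_unix.so no_warn try_first_pass
EOF
    missing_pam_modules "$tmp/pam.d" | sed "s|$tmp||g"
    printf '%s\n' "$SAMPLE_LOG" | winbind_size_mismatches
    rm -rf "$tmp"
}

demo
```

On a real host the first function would be pointed at /etc/pam.d and the second fed /var/log/messages, before the existing root session is closed.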