A Debian/Lenny server is connected to a PDC (using samba) and tries to authenticate logins via pam_winbind. User mapping and everything else needed works fine (i.e. especially getent shows all the accounts), however remote logins of domain users fail. I have:

| gatekeeper:~# cat /etc/pam.d/common-auth
| [...]
| auth sufficient pam_unix.so nullok_secure
| auth required pam_winbind.so debug use_first_pass

and (limited to the winbind-relevant entries) in the smb.conf:

| workgroup = [...]
| netbios name = [...]
| os level = 0
| preferred master = no
| domain master = no
| local master = no
| security = domain
| wins support = no
| wins server = [...]
| password server = [...]
| passdb backend = tdbsam
| obey pam restrictions = yes
| idmap uid = 10000-20000
| idmap gid = 10000-20000
| template shell = /bin/bash
| winbind enum groups = yes
| winbind enum users = yes
| winbind use default domain = yes

and if someone tries to log in, I get:

| [...] sshd[19524]: pam_winbind(sshd:auth): [pamh: 0x7f4a5dd15040] ENTER: pam_sm_authenticate (flags: 0x0001)
| [...] sshd[19524]: pam_winbind(sshd:auth): getting password (0x00000011)
| [...] sshd[19524]: pam_winbind(sshd:auth): pam_get_item returned a password
| [...] sshd[19524]: pam_winbind(sshd:auth): Verify user 'sfroehli'
| [...] sshd[19524]: pam_winbind(sshd:auth): request failed: Invalid parameter, PAM error was System error (4), NT error was NT_STATUS_INVALID_PARAMETER
| [...] sshd[19524]: pam_winbind(sshd:auth): internal module error (retval = 4, user = 'sfroehli')
| [...] sshd[19524]: pam_winbind(sshd:auth): [pamh: 0x7f4a5dd15040] LEAVE: pam_sm_authenticate returning 4
| [...] sshd[19524]: Failed password for sfroehli from 192.168.1.245 port 49078 ssh2

Sounds to me like "almost working, but not quite". Looking for a solution on the net only brought up an IRC log of the samba developers which is not really enlightening to me (plus a German clone of this posting sent by me a few days ago).

The problem is, I do not even know where to start looking for an error (which I assume had been made by me at some place, as this is not such an uncommon setting).

Any ideas?

Ciao,
Stefan
Stefan,

I used the pam settings from this article as a starting point.
http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1

It places the directives in the login file instead of common-auth. Otherwise, the basic differences are that I have "sufficient" on both; the order is reversed; and the use_first_pass option is applied to pam_unix.so. Adapt as necessary for your environment.

Dale

On 09/09/2010 9:22 AM, Stefan Froehlich wrote:
> A Debian/Lenny-Server is connected to a PDC (using samba) and tries to
> authenticate logins via pam_winbind. User mapping and everything else
> needed works fine (i.e. especially getent shows all the accounts),
> however remote logins of domain users fail. I have:
>
> | gatekeeper:~# cat /etc/pam.d/common-auth
> | [...]
> | auth sufficient pam_unix.so nullok_secure
> | auth required pam_winbind.so debug use_first_pass
>
> [...]
Stefan Froehlich
2010-Sep-09 19:06 UTC
[Samba] PDC domain membership (was: winbind authentication trouble)
Dale,

thanks for your response.

On Thu, Sep 09, 2010 at 12:50:46PM -0500, Dale Schroeder wrote:
> I used the pam settings from this article as a starting point.
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1

I know the mechanics of pam quite well and thus saw that the differences between my setup and the one of this article are negligible. I kept on trying, however, and at some point I found out that the error messages are... misleading: the real problem is on the other end of the line. I did:

| herkules:~# pdbedit -a -m -u gatekeeper
| Unix username: gatekeeper$
| NT username:
| Account Flags: [W ]
| [...]

and:

| gatekeeper:~# net join member
| Joined domain SYNTH.

On herkules, this is (I assume) confirmed in the server logs:

| secrets_store_schannel_session_info: stored schannel info with key SECRETS/SCHANNEL/GATEKEEPER
| _netr_ServerPasswordSet: Server Password Set by remote machine:[GATEKEEPER] on account [GATEKEEPER$]

However, as soon as the message "invalid parameter" is generated on the client side, I can see in the server log:

| _netr_LogonSamLogon: creds_server_step failed. Rejecting auth request from client GATEKEEPER machine account GATEKEEPER$

The reason for this can easily be googled: "Your machine thinks it is part of the domain, but your DC/server does not". What I could not find is the cause for such a behaviour (several other machines can authenticate with the same PDC quite well, so I assume the basic configuration to be fine).

Ciao,
Stefan
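The diagnosis Stefan arrives at above (client reports NT_STATUS_INVALID_PARAMETER, the PDC logs a creds_server_step failure for the machine account) is a pattern worth automating, because the client-side message alone looks like a bad password. The following shell script is an added example and not code from this thread or from Samba: it correlates constructed copies of the two log excerpts quoted in the thread (host names, PID, IP address and user name are placeholders) and classifies the failure as bad credentials, a broken machine trust account, or something else.

```shell
#!/bin/sh
# Added example, not from the thread: offline triage of a pam_winbind
# login failure by correlating the member server's sshd/pam_winbind
# syslog lines with the PDC's smbd log. Both log samples below are
# constructed to mirror the lines quoted in the thread; host names,
# PIDs, the IP address and the user name are placeholders.

CLIENT_LOG='Sep  9 10:02:11 gatekeeper sshd[19524]: pam_winbind(sshd:auth): Verify user '\''sfroehli'\''
Sep  9 10:02:11 gatekeeper sshd[19524]: pam_winbind(sshd:auth): request failed: Invalid parameter, PAM error was System error (4), NT error was NT_STATUS_INVALID_PARAMETER
Sep  9 10:02:11 gatekeeper sshd[19524]: pam_winbind(sshd:auth): internal module error (retval = 4, user = '\''sfroehli'\'')
Sep  9 10:02:11 gatekeeper sshd[19524]: Failed password for sfroehli from 192.168.1.245 port 49078 ssh2'

SERVER_LOG='  _netr_ServerPasswordSet: Server Password Set by remote machine:[GATEKEEPER] on account [GATEKEEPER$]
  _netr_LogonSamLogon: creds_server_step failed. Rejecting auth request from client GATEKEEPER machine account GATEKEEPER$'

# First NT status code pam_winbind reported on the member server, or
# nothing if no winbind request failed.
client_nt_status() {
    printf '%s\n' "$1" | sed -n 's/.*NT error was \([A-Z0-9_]*\).*/\1/p' | head -n 1
}

# Machine account the DC rejected because the NETLOGON secure channel
# check (creds_server_step) failed, or nothing if the DC did not log that.
server_rejected_account() {
    printf '%s\n' "$1" | sed -n 's/.*creds_server_step failed.*machine account \([^ ]*\).*/\1/p' | head -n 1
}

# Combine both sides. Only a client-side NT_STATUS_INVALID_PARAMETER
# together with a server-side secure channel rejection points at a broken
# machine trust account; a plain wrong password shows up differently.
diagnose() {
    status=$(client_nt_status "$1")
    account=$(server_rejected_account "$2")
    case "$status" in
        '')
            echo "no-winbind-failure" ;;
        NT_STATUS_WRONG_PASSWORD|NT_STATUS_LOGON_FAILURE)
            echo "bad-credentials" ;;
        NT_STATUS_INVALID_PARAMETER)
            if [ -n "$account" ]; then
                echo "broken-machine-trust:$account"
            else
                echo "invalid-parameter-unexplained"
            fi ;;
        *)
            echo "other:$status" ;;
    esac
}

diagnose "$CLIENT_LOG" "$SERVER_LOG"
```

When the script reports broken-machine-trust, confirm it on the member with `net rpc testjoin` and `wbinfo -t` (both test the machine account's secure channel to the DC) and inspect the account on the PDC with `pdbedit -Lv 'GATEKEEPER$'`; rejoining, as Stefan did with `net join`, resets the machine password on both sides. Note that the `debug` option on pam_winbind writes this level of detail about every authentication attempt to syslog, so leave it on only while troubleshooting.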
A simple setup: Samba 3.2.5 (Debian/Squeeze) set up as a PDC with a couple of Windows XP (SP3) clients and roaming profiles. This has been running for several years without trouble (though people did not really roam but rather stuck to a single machine).

Now someone tried to log in on another PC and failed ("wrong login or password"). Investigating this, it turned out that NOBODY can authenticate anywhere, EXCEPT on those machines (in most cases just a single one) where he did so in the past. BUT the samba server reports "authentication succeeded" in its log files nevertheless.

So the situation is: everyone can work on at least one PC, and on every PC at least one login is possible (which suggests to me that the samba setup is correct). I have absolutely no clue what could cause this behaviour. Are there any patches to Win-XP which prohibit logging in on a PC when there is not yet a local copy of the user profile? Or anything else? Where should I even start looking? Neither samba nor Windows XP is providing me with any useful debug output.

Bye,
Stefan