Greeting-
I have a mixed network of ms-windows, macintosh and freebsd systems.
I am setting up a FreeBSD 9.0 system as a PDC using samba.
I can from a FreeBSD box attach to the SMB server as a user that is defined
on the Samba Server.
[wynkoop at dt0 ~]$ smbclient -L hp1
Enter wynkoop's password:
Domain=[HARAPARTNERS] OS=[Unix] Server=[Samba 3.6.4]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (HP1 Samba Server)
wynkoop Disk Home Directories
Domain=[HARAPARTNERS] OS=[Unix] Server=[Samba 3.6.4]
Server Comment
--------- -------
HP1 HP1 Samba Server
Workgroup Master
--------- -------
DB HP4
HARAPARTNERS HP1
WORKGROUP PRINTSTATION
[wynkoop at dt0 ~]$
I was also able to join the FreeBSD workstation to the Samba Domain as
evidenced by the output of wbinfo:
[wynkoop at dt0 ~]$ wbinfo -u
nobody
wynkoop
testme
www
alish
[wynkoop at dt0 ~]$
Note that users testme, www and alish do not exist on the workstation.
They only exist on the Samba Server, which is FreeBSD 9 with samba 3.6.
I have the following in /etc/pam.d/sshd
#
# $FreeBSD: releng/9.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth sufficient /usr/local/lib/pam_winbind.so
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
#auth sufficient /usr/local/lib/pam_winbind.so
auth required pam_unix.so no_warn try_first_pass
# account
account sufficient /usr/local/lib/pam_winbind.so
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
Here is /etc/security/pam_winbind.conf
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# turn on debugging
;debug = no
debug = yes
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no
# authenticate using kerberos
;krb5_auth = no
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type
# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no
mkhomedir = yes
When I attempt to ssh into the system as a user defined only in the Samba
domain these are the results:
[testme at hp1 ~]$ id
uid=1003(testme) gid=1003(testme) groups=1003(testme)
[testme at hp1 ~]$ ssh dt0
Password:
Wrong Password
Password:
Wrong Password
Password:
Wrong Password
Permission denied (publickey,keyboard-interactive).
[testme at hp1 ~]$
And from the logs on the system dt0
[root at dt0 /var/log]# tail debug.log
Apr 16 12:17:08 dt0 sshd[80774]: pam_winbind(sshd): [pamh: 0x80300b840] LEAVE:
pam_sm_authenticate returning 9 (PAM_AUTH_ERR)
Apr 16 12:42:39 dt0 sshd[81031]: pam_winbind(sshd): [pamh: 0x80300b840] ENTER:
pam_sm_authenticate (flags: 0x0001)
Apr 16 12:42:39 dt0 sshd[81031]: pam_winbind(sshd): getting password
(0x00004001)
Apr 16 12:42:42 dt0 sshd[81031]: pam_winbind(sshd): [pamh: 0x80300b840] LEAVE:
pam_sm_authenticate returning 9 (PAM_AUTH_ERR)
Apr 16 12:42:42 dt0 sshd[81032]: pam_winbind(sshd): [pamh: 0x80300b840] ENTER:
pam_sm_authenticate (flags: 0x0001)
Apr 16 12:42:42 dt0 sshd[81032]: pam_winbind(sshd): getting password
(0x00004001)
Apr 16 12:42:44 dt0 sshd[81032]: pam_winbind(sshd): [pamh: 0x80300b840] LEAVE:
pam_sm_authenticate returning 9 (PAM_AUTH_ERR)
Apr 16 12:42:44 dt0 sshd[81033]: pam_winbind(sshd): [pamh: 0x80300b840] ENTER:
pam_sm_authenticate (flags: 0x0001)
Apr 16 12:42:44 dt0 sshd[81033]: pam_winbind(sshd): getting password
(0x00004001)
Apr 16 12:42:46 dt0 sshd[81033]: pam_winbind(sshd): [pamh: 0x80300b840] LEAVE:
pam_sm_authenticate returning 9 (PAM_AUTH_ERR)
[root at dt0 /var/log]#
Apr 16 12:42:42 dt0 sshd[81031]: pam_winbind(sshd): user 'testme'
denied access (incorrect password or invalid membership)
Apr 16 12:42:42 dt0 sshd[81029]: Failed keyboard-interactive/pam for invalid
user testme from 192.168.1.3 port 16746 ssh2
Apr 16 12:42:44 dt0 sshd[81032]: pam_winbind(sshd): Verify user
'testme'
Apr 16 12:42:44 dt0 sshd[81032]: pam_winbind(sshd): request wbcLogonUser
failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (9), NTSTATUS:
NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Apr 16 12:42:44 dt0 sshd[81032]: pam_winbind(sshd): user 'testme'
denied access (incorrect password or invalid membership)
Apr 16 12:42:44 dt0 sshd[81029]: Failed keyboard-interactive/pam for invalid
user testme from 192.168.1.3 port 16746 ssh2
Apr 16 12:42:46 dt0 sshd[81033]: pam_winbind(sshd): Verify user
'testme'
Apr 16 12:42:46 dt0 sshd[81033]: pam_winbind(sshd): request wbcLogonUser
failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (9), NTSTATUS:
NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Apr 16 12:42:46 dt0 sshd[81033]: pam_winbind(sshd): user 'testme'
denied access (incorrect password or invalid membership)
Apr 16 12:42:46 dt0 sshd[81029]: Failed keyboard-interactive/pam for invalid
user testme from 192.168.1.3 port 16746 ssh2
[root at dt0 /var/log]#
[root at dt0 /var/log]# tail messages
Apr 16 12:17:08 dt0 sshd[80774]: pam_winbind(sshd): request wbcLogonUser
failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (9), NTSTATUS:
NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Apr 16 12:17:08 dt0 sshd[80774]: pam_winbind(sshd): user 'testme'
denied access (incorrect password or invalid membership)
Apr 16 12:20:18 dt0 login: 1 LOGIN FAILURE ON ttyv1
Apr 16 12:41:55 dt0 sudo: wynkoop : TTY=pts/4 ; PWD=/home/wynkoop ; USER=root
; COMMAND=/usr/local/bin/bash
Apr 16 12:42:42 dt0 sshd[81031]: pam_winbind(sshd): request wbcLogonUser
failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (9), NTSTATUS:
NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Apr 16 12:42:42 dt0 sshd[81031]: pam_winbind(sshd): user 'testme'
denied access (incorrect password or invalid membership)
Apr 16 12:42:44 dt0 sshd[81032]: pam_winbind(sshd): request wbcLogonUser
failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (9), NTSTATUS:
NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Apr 16 12:42:44 dt0 sshd[81032]: pam_winbind(sshd): user 'testme'
denied access (incorrect password or invalid membership)
Apr 16 12:42:46 dt0 sshd[81033]: pam_winbind(sshd): request wbcLogonUser
failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (9), NTSTATUS:
NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Apr 16 12:42:46 dt0 sshd[81033]: pam_winbind(sshd): user 'testme'
denied access (incorrect password or invalid membership)
[root at dt0 /var/log]#
The odd thing here is that if I do an smbclient call as user testme to hp1
as shown above I can attach with no problem.
I do not know if I have found a bug or if I just have something configured
wrong.
One more datapoint: I cannot get an MS-Windows 7 Professional system to join
the domain, or authenticate, but I can map drives from the Samba box on both
MS-Windows and using mount_smb on FreeBSD.
Any help would be appreciated.
Thank you.
-Brett
wynkoop at wynn.com
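
Added example, not part of the original post: a small triage script that re-joins the mail-wrapped syslog records above and pairs each sshd "Failed ..." line with the last pam_winbind NTSTATUS seen for that user. sshd's "invalid user" marker means its own account lookup for that name failed on the host, and OpenSSH then hands PAM a placeholder instead of the typed password, so a WRONG_PASSWORD logged in such an attempt says nothing about the real password. The "alice" records and the verdict labels are constructed for contrast and are assumptions, not data from the post.

```python
import re

# Records for one attempt copied from the post (wrapped as posted), plus a
# constructed contrast case (user "alice", 12:50:01) that is NOT from the post.
SAMPLE = """\
Apr 16 12:42:42 dt0 sshd[81031]: pam_winbind(sshd): request wbcLogonUser
failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (9), NTSTATUS:
NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Apr 16 12:42:42 dt0 sshd[81031]: pam_winbind(sshd): user 'testme'
denied access (incorrect password or invalid membership)
Apr 16 12:42:42 dt0 sshd[81029]: Failed keyboard-interactive/pam for invalid
user testme from 192.168.1.3 port 16746 ssh2
Apr 16 12:50:01 dt0 sshd[90001]: pam_winbind(sshd): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (9), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Apr 16 12:50:01 dt0 sshd[90001]: pam_winbind(sshd): user 'alice' denied access (incorrect password or invalid membership)
Apr 16 12:50:01 dt0 sshd[90000]: Failed keyboard-interactive/pam for alice from 192.0.2.7 port 40000 ssh2
"""

HEAD = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
NTSTATUS = re.compile(r"NTSTATUS: (\w+)")
DENIED = re.compile(r"pam_winbind\(sshd\): user '([^']+)' denied access")
FAILED = re.compile(r"Failed \S+ for (invalid user )?(\S+) from (\S+) port \d+")

def unwrap(text):
    """Re-join wrapped records: a line without a syslog header continues the previous one."""
    records = []
    for line in text.splitlines():
        if HEAD.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    status_by_pid, status_by_user, findings = {}, {}, []
    for rec in unwrap(text):
        m = HEAD.match(rec)
        if not m:
            continue
        ts, pid, msg = m.groups()
        if (s := NTSTATUS.search(msg)):
            status_by_pid[pid] = s.group(1)      # the NTSTATUS record carries no user name
        elif (d := DENIED.search(msg)):
            status_by_user[d.group(1)] = status_by_pid.get(pid, "unknown")
        elif (f := FAILED.search(msg)):          # logged by the parent sshd, different PID
            findings.append({
                "time": ts, "user": f.group(2), "source": f.group(3),
                "ntstatus": status_by_user.get(f.group(2), "none"),
                # "invalid user": sshd's account lookup failed, password result is not meaningful
                "verdict": "account-lookup-failed" if f.group(1) else "credentials-rejected",
            })
    return findings
```
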