[Samba] Pam-logon failure for AD users


VigneshDhanraj G

Nov 3, 2015, 7:30:04 AM
Hi Team,

When I am running this command I am getting the following error:
/usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1"

Enter DOMAIN\testusr1's password:
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error message was: Access denied
pam_logon failed for DOMAIN\testusr1

FTP and CIFS use PAM. FTP authentication using the domain is working fine. But
CIFS is showing an ACCESS_DENIED error.

Samba version : 4.1.17

In winbindd.log I could see:
[2015/11/03 11:59:46.377088, 10, pid=435, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED

My smb.conf is

available= yes
restrict anonymous= 0
server string= LenovoEMC™ px6-300d
Workgroup= DOMAIN
netbios name= Debian
realm= DOMAIN.LOCAL
password server= 192.168.1.100, *
idmap backend= tdb
idmap uid= 5000-9999999
idmap gid= 5000-9999999
security= ADS
name resolve order= wins host bcast lmhosts
client use spnego= yes
dns proxy= no
winbind use default domain= no
winbind nested groups= yes
inherit acls= yes
winbind enum users= yes
winbind enum groups= yes
winbind separator= \\
winbind cache time= 300
winbind offline logon= true
template shell= /bin/sh
map to guest= Bad User
host msdfs= yes
strict allocate= yes
encrypt passwords= yes
passdb backend= smbpasswd
printcap name= lpstat
printable= no
load printers= yes
max smbd processes= 500
getwd cache= yes
syslog= 0
use sendfile= yes
log level= 0
max log size= 50
unix extensions= no
dos charset= ascii
state directory= /mnt/system/samba/system


The Windows client from which I am trying to access CIFS is also connected to
the domain.


Could anybody help me regarding this issue? FTP and CIFS both use Samba
authentication, but CIFS authentication alone is showing an authentication error.



Regards,

Vigneshdhanraj G
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny

Nov 3, 2015, 8:10:03 AM
You seem to be connecting to an AD domain; it might help if you set up
your smb.conf a bit differently. I would have a look here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Adjust your smb.conf with reference to the above page and then follow
the various links.

Rowland

VigneshDhanraj G

Dec 10, 2015, 3:00:04 AM
Hi,

This issue is not solved. FTP and CIFS are using the same way of authentication, but
when trying to access CIFS it always shows the same ACCESS_DENIED error.

Regards,

Vigneshdhanraj G



Rowland penny

Dec 10, 2015, 4:20:03 AM
Please post your new smb.conf

VigneshDhanraj G

Dec 12, 2015, 4:00:04 AM
Sorry for the late response, Rowland.

I didn't change the smb.conf; with the same smb.conf, I configured a new AD
that works fine. Do you need to change the smb.conf? Could you please tell
me what I need to change specifically? I also suspect that the problem is with
my AD server, but I am not able to find the exact problem. The confusion is
that FTP with the same PAM is working fine but CIFS always shows access denied.
If the password is wrong it shows Wrong password.

Regards,

Vigneshdhanraj G

Rowland penny

Dec 12, 2015, 4:40:04 AM
On 12/12/15 08:53, VigneshDhanraj G wrote:
> Sorry for the late response, Rowland.
>
> I didn't change the smb.conf; with the same smb.conf, I configured a new
> AD that works fine. Do you need to change the smb.conf? Could you
> please tell me what I need to change specifically? I also suspect
> that the problem is with my AD server, but I am not able to find the exact
> problem. The confusion is that FTP with the same PAM is working fine but
> CIFS always shows access denied. If the password is wrong it shows Wrong
> password.
>
> Regards,
>
> Vigneshdhanraj G
>
Let's be honest, your original smb.conf was a mess. It uses a lot of
default settings and a lot of settings that really shouldn't be there.
This is what it really should have looked like:

[global]
Workgroup= DOMAIN
security= ADS
realm= DOMAIN.LOCAL
netbios name= Debian
server string= LenovoEMC™ px6-300d
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-9999999
winbind nss info = template
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind offline logon= true
dns proxy= no
template shell= /bin/sh
map to guest= Bad User
# really meant to be used in a share
strict allocate= yes
printcap name = lpstat
max smbd processes= 500
syslog= 0
max log size= 50
use sendfile= yes
unix extensions= no
# why are you moving this to what I presume is a share on another system?????
state directory= /mnt/system/samba/system
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

The 'tabbed' lines are yours, the others are what I would add.

VigneshDhanraj G

Dec 16, 2015, 7:30:04 AM
Thanks Rowland, I understand that there was a mess, and I have now changed the
smb.conf to the above as you instructed. But I still found the same
issue. I have two systems which connect to the same AD. I found two different
winbind logs. One uses pam_auth and the other one, which is not working, uses
pam_auth_crap while using pam logon. I browsed on this but unfortunately I
am not able to find anything useful.

May I know, please, what's the difference between pam_auth and pam_auth_crap?
Might this be the problem?

Could you please help me regarding this?

Regards,

Vigneshdhanraj G
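
Added example (not part of the original thread, and not Samba's own tooling): a shell helper that tallies `wb_request_done` results per winbind request type, so the winbindd.log of the working and the failing machine can be compared line for line. Only the first log entry in the sample comes from the thread; the other sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally winbindd request outcomes per request type.
# Expects winbindd log text (log level 10) on stdin.

# Prints "<count> <request type> <NT status>", one line per distinct pair.
wb_summary() {
    awk '
    # Result lines look like:
    #   wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED
    match($0, /wb_request_done\[[0-9]+:[A-Z0-9_]+\]: NT_STATUS_[A-Z0-9_]+/) {
        s = substr($0, RSTART, RLENGTH)
        sub(/^wb_request_done\[[0-9]+:/, "", s)   # drop prefix and client pid
        i = index(s, "]: ")
        count[substr(s, 1, i - 1) " " substr(s, i + 3)]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2,2 -k3,3
}

# Only the PAM_* authentication requests that did not end in NT_STATUS_OK.
wb_auth_failures() {
    wb_summary | awk '$2 ~ /^PAM_/ && $3 != "NT_STATUS_OK"'
}

# Constructed sample: the first entry is the one quoted in the thread,
# the remaining lines are made up for illustration.
sample_log() {
    cat <<'EOF'
[2015/11/03 11:59:46.377088, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED
  wb_request_done[560:GETPWNAM]: NT_STATUS_OK
  wb_request_done[561:PAM_AUTH]: NT_STATUS_OK
  wb_request_done[562:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED
EOF
}

sample_log | wb_summary
```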

Rowland penny

Dec 16, 2015, 8:10:06 AM
On 16/12/15 12:24, VigneshDhanraj G wrote:
> Thanks Rowland, I understand that there was a mess, and I have now changed
> the smb.conf to the above as you instructed. But I still found the
> same issue. I have two systems which connect to the same AD. I found two
> different winbind logs. One uses pam_auth and the other one, which is not
> working, uses pam_auth_crap while using pam logon. I browsed on this
> but unfortunately I am not able to find anything useful.
>
> May I know, please, what's the difference between pam_auth and
> pam_auth_crap? Might this be the problem?
>
> Could you please help me regarding this?
>
> Regards,
>
> Vigneshdhanraj G
>

Are you using Debian? If so, what does 'pam-auth-update' show? Mine
shows this:

Kerberos authentication
Unix authentication
Winbind NT/Active Directory authentication
GNOME Keyring Daemon - Login keyring management
ConsoleKit Session Management
Inheritable Capabilities Management

L.P.H. van Belle

Dec 16, 2015, 8:20:04 AM
I see 2 things here which are strange.

Self-compiled Samba
> >> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1"

Debian Samba? Or an older version installed and not the latest.
> >> Samba version : 4.1.17

Which is it? Self-compiled or Debian Samba?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of VigneshDhanraj G
> Sent: Wednesday 16 December 2015 13:25
> To: Rowland penny
> CC: sa...@lists.samba.org
> Subject: Re: [Samba] Pam-logon failure for AD users

VigneshDhanraj G

Dec 17, 2015, 2:10:04 AM
Hi,

I compiled Samba from source and I am using PAM from Debian. But I am
confused why PAM uses pam_auth_crap instead of pam_auth.

May I know the basic difference between pam_auth and pam_auth_crap?

Regards,

Vigneshdhanraj G

Rowland penny

Dec 17, 2015, 5:40:03 AM
On 17/12/15 06:58, VigneshDhanraj G wrote:
> Hi,
>
> I compiled Samba from source and I am using PAM from Debian. But I am
> confused why PAM uses pam_auth_crap instead of pam_auth.
>
> May I know the basic difference between pam_auth and pam_auth_crap?
>
> Regards,
>
> Vigneshdhanraj G
>
>
>
>

When you find out, please let me know :-D or putting it another way,
I do not know, never heard of it until you mentioned it.

If you are using a self compiled version of Samba and you haven't
created the libnss_winbind links, this may be your problem, but until
you tell us what 'pam-auth-update' says you are using, we will not know.