From 3.0.2 to 3.0.5pre1, the winbind service cannot be stopped/restarted using root. It requires NT domain users. /var/log/messages shows:

    Jun 24 10:17:01 proxy pam_winbind[1656]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER

If I add root as a domain user to my NT 4.0 users, the error message disappears but I still can't stop/restart winbind.

Also, winbind forces users to authenticate against itself by default even though /etc/nsswitch.conf is set as follows:

    passwd: files nisplus nis winbind
    shadow: files nisplus nis
    group: files nisplus nis winbind

This causes swat login to fail for root, and KDE and SSH login to fail the first time. This never happened with 2.2.x.

I have exhausted my Google search; many users seem to be seeing the same thing under 3.0.x, but so far there's no resolution. Chapter 10 of the Samba HOWTO mentions some backend services but doesn't cover this case.

    [global]
    workgroup = MYDOMAIN
    netbios name = Proxy
    server string = Samba Server %v
    security = DOMAIN
    encrypt passwords = Yes
    password server = BAKSERVER
    log file = /var/log/samba/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    # character set = ISO8859-15
    os level = 18
    local master = No
    preferred master = No
    domain master = No
    dns proxy = No
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = /
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes

I think you have your pam setting misconfigured. Please attach the relevant pam configuration files referring to pam_winbind.

If there's more info you need, I will be glad to post it.

    [root@proxy pam.d]# more system-auth-winbind
    #%PAM-1.0
    auth required pam_env.so
    auth sufficient pam_winbind.so
    auth sufficient pam_unix.so likeauth nullok use_first_pass
    auth required pam_deny.so
    account sufficient pam_winbind.so
    account required pam_unix.so
    password required pam_cracklib.so retry=3
    password sufficient pam_unix.so nullok use_authtok md5 shadow
    password required pam_deny.so
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session required pam_limits.so
    session required pam_unix.so

    [root@proxy pam.d]# more system-auth
    #%PAM-1.0
    auth required pam_env.so
    auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
    auth sufficient /lib/security/pam_winbind.so
    auth required pam_deny.so
    account sufficient /lib/security/pam_unix.so use_first_pass
    account sufficient /lib/security/pam_winbind.so
    account required /lib/security/pam_deny.so
    password required pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
    password sufficient pam_unix.so nullok use_authtok md5 shadow
    password required pam_deny.so
    session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session required pam_limits.so
    session required pam_unix.so

    [root@proxy pam.d]# slocate pam_winbind
    /lib/security/pam_winbind.so

    [root@proxy pam.d]# more sshd
    #%PAM-1.0
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth

(In reply to comment #1)
> I think you have your pam setting misconfigured. Please attach
> the relevant pam configuration files referring to pam_winbind

Hi Jerry,

In addition to the pam_winbind files that I posted to the bugzilla, I'm posting the following /var/log/messages for the ssh login. It always fails the first time. I suspect the winbind service cannot be resolved to the local files for some services like stop/restart winbind. Do you see what's wrong?

Regards,
Norman

    Jul 8 11:45:36 proxy sshd(pam_unix)[6228]: auth could not identify password for [root]
    Jul 8 11:45:36 proxy pam_winbind[6228]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
    Jul 8 11:45:40 proxy sshd(pam_unix)[6228]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=2d-052.hq.arkonnetworks.com user=root
    Jul 8 11:45:40 proxy pam_winbind[6228]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
    Jul 8 11:45:42 proxy sshd[6228]: Failed password for root from ::ffff:192.168.22.7 port 1835 ssh2
    Jul 8 11:45:46 proxy sshd[6228]: Accepted password for root from ::ffff:192.168.22.7 port 1835 ssh2
    Jul 8 11:45:46 proxy sshd(pam_unix)[6228]: session opened for user root by (uid=0)

Bug found in drakauth from LM10.0. Workaround as follows.

    # more system-auth
    auth required pam_env.so
    auth sufficient /lib/security/pam_unix.so likeauth nullok
    auth sufficient /lib/security/pam_winbind.so try_first_pass
    auth required pam_deny.so
    account sufficient /lib/security/pam_unix.so
    account sufficient /lib/security/pam_winbind.so try_first_pass
    account required /lib/security/pam_deny.so
    password required pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
    password sufficient pam_unix.so nullok use_authtok md5 shadow
    password required pam_deny.so
    session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session required pam_limits.so
    session required pam_unix.so

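The difference between the reported system-auth and the workaround above, as an added example that is not part of the original thread or of Samba: a small linter for the auth stack that flags use_first_pass on the first password module and later modules that would prompt again. The function names, the two-module list and the assumption of simple one-word control flags (no bracketed controls) are hypothetical choices for this sketch; the two sample stacks are copied from the comments above.

```python
import re

# Assumption: only these modules consume a password in the stacks shown here.
PASSWORD_MODULES = ("pam_unix", "pam_winbind")

# auth lines copied from the system-auth posted in the thread
REPORTED = """#%PAM-1.0
auth required pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth sufficient /lib/security/pam_winbind.so
auth required pam_deny.so
"""

# auth lines copied from the workaround posted in the thread
WORKAROUND = """auth required pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_winbind.so try_first_pass
auth required pam_deny.so
"""

def parse_stack(text, facility):
    """Return [(control, module, options)] for one facility, in file order."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and #%PAM-1.0
        if len(fields) < 3 or fields[0] != facility:
            continue
        module = re.sub(r"\.so$", "", fields[2].rsplit("/", 1)[-1])
        rows.append((fields[1], module, set(fields[3:])))
    return rows

def lint_auth(text):
    """Return a list of findings about password handling in the auth stack."""
    pw = [r for r in parse_stack(text, "auth") if r[1] in PASSWORD_MODULES]
    findings = []
    if not pw:
        return findings
    _, first, opts = pw[0]
    if "use_first_pass" in opts:
        # Nothing earlier has prompted, so this module has no password to check.
        findings.append(f"{first}: use_first_pass on the first password module")
    if first == "pam_winbind":
        findings.append("pam_winbind runs before pam_unix: local accounts hit the domain first")
    for _, module, opts in pw[1:]:
        if not opts & {"use_first_pass", "try_first_pass"}:
            findings.append(f"{module}: prompts again instead of reusing the password")
    return findings

if __name__ == "__main__":
    for name, stack in (("reported", REPORTED), ("workaround", WORKAROUND)):
        print(name, lint_auth(stack) or "ok")
```
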
originally against 3.0.5pre1 (which became 3.0.6pre1 due to security release)

sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.