Below is an email I was working on the list. I can authenticate using smbclient -k to a win2k box, but when trying to use winbind I get the error:

[root@maildev root]# wbinfo -a tschmidt%XXXXXXX
plaintext password authentication failed
error code was NT_STATUS_INVALID_PARAMETER (0xc000000d)
error messsage was: Unexpected information received
Could not authenticate user tschmidt%XXXXXXX with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user tschmidt@TNCTEST.ORG with challenge/response

This is what I get in the log.winbind with loglevel set to 10 for auth and winbind.

[2003/06/12 16:54:24, 6] nsswitch/winbindd.c:new_connection(307) accepted socket 21
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422) client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:process_request(272) process_request: request fn INTERFACE_VERSION
[2003/06/12 16:54:24, 3] nsswitch/winbindd_misc.c:winbindd_interface_version (207) [11591]: request interface version
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469) client_write: wrote 1300 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422) client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:process_request(272) process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2003/06/12 16:54:24, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(243) [11591]: request location of privileged pipe
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469) client_write: wrote 1300 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(514) client_write: need to write 37 extra data bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469) client_write: wrote 37 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(503) client_write: client_write: complete response written.
[2003/06/12 16:54:24, 6] nsswitch/winbindd.c:new_connection(307) accepted socket 22
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422) client_read: read 0 bytes. Need 1312 more for a full request.
[2003/06/12 16:54:24, 5] nsswitch/winbindd.c:winbind_client_read(427) read failed on sock 21, pid 11591: EOF
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422) client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:process_request(272) process_request: request fn PAM_AUTH
[2003/06/12 16:54:24, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(80) [11591]: pam auth tschmidt
[2003/06/12 16:54:24, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth(93) no domain separator (+) in username (tschmidt) - failing auth
[2003/06/12 16:54:24, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(167) Plain-text authentication for user tschmidt returned NT_STATUS_INVALID_PARAMETER (PAM: 4)
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469) client_write: wrote 1300 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422) client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:process_request(272) process_request: request fn INFO
[2003/06/12 16:54:24, 3] nsswitch/winbindd_misc.c:winbindd_info(194) [11591]: request misc info
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469) client_write: wrote 1300 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422) client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:process_request(272) process_request: request fn DOMAIN_NAME
[2003/06/12 16:54:24, 3] nsswitch/winbindd_misc.c:winbindd_domain_name(219) [11591]: request domain name
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469) client_write: wrote 1300 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422) client_read: read 1312 bytes. Need 0 more for a full request.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:process_request(272) process_request: request fn AUTH_CRAP
[2003/06/12 16:54:24, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(237) [11591]: pam auth crap domain: TNCTEST user: tschmidt
[2003/06/12 16:54:24, 10] nsswitch/winbindd_cm.c:cm_get_dc_name(167) returning positive get_dc_name_cache entry for TNCTEST
[2003/06/12 16:54:24, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(238) IPC$ connections done by user TSCHMIDT\welcome123
[2003/06/12 16:54:24, 5] nsswitch/winbindd_cm.c:cm_open_connection(278) connecting to DCTEST from MAILDEV with username [TSCHMIDT]\[welcome123]
[2003/06/12 16:54:24, 0] rpc_parse/parse_prs.c:prs_mem_get(528) prs_mem_get: reading data of size 2 would overrun buffer.
[2003/06/12 16:54:24, 0] rpc_client/cli_pipe.c:rpc_pipe_bind(1484) rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.
[2003/06/12 16:54:24, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(292) could not open handle to NETLOGON pipe (error: NT_STATUS_UNSUCCESSFUL)
[2003/06/12 16:54:24, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(342) NTLM CRAP authentication for user [TNCTEST]\[tschmidt] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:client_write(469) client_write: wrote 1300 bytes.
[2003/06/12 16:54:24, 10] nsswitch/winbindd.c:winbind_client_read(422) client_read: read 0 bytes. Need 1312 more for a full request.
[2003/06/12 16:54:24, 5] nsswitch/winbindd.c:winbind_client_read(427) read failed on sock 22, pid 11591: EOF
Hi, Tod! I just set up W2k PDC with winbind, and for me it works fine. We need more info to analyze this problem: Your smb.conf and a network sniff would be great. Volker
Created attachment 30: Smb.conf
I too am having similar problems. However, I can 'su' to a user using the following syntax:

su - DOMAIN/username

and I can then login. However using sshd, I simply get Illegal User. SSHD logs spit out the following:

Jun 16 09:13:29 mccoy sshd[17948]: Illegal user LIGHTSPEED/jlally from 172.22.4.97
Jun 16 09:13:29 mccoy sshd[17948]: Illegal user LIGHTSPEED/jlally from 172.22.4.97
Jun 16 09:13:38 mccoy xinetd[30092]: START: telnet pid=17950 from=172.22.4.97
Jun 16 09:13:43 mccoy pam_winbind[17951]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jun 16 09:13:43 mccoy pam_winbind[17951]: request failed: Unexpected information received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Jun 16 09:13:43 mccoy pam_winbind[17951]: internal module error (retval = 4, user = `LIGHTSPEED/jlally'
Jun 16 09:13:43 mccoy pam_winbind[17951]: internal module error (retval = 4, user = `LIGHTSPEED/jlally'
Jun 16 09:13:43 mccoy login(pam_unix)[17951]: check pass; user unknown
Jun 16 09:13:43 mccoy login(pam_unix)[17951]: check pass; user unknown
Jun 16 09:13:43 mccoy login(pam_unix)[17951]: authentication failure; logname= uid=0 euid=0 tty=/dev/pts/5 ruser= rhost=impreza
Jun 16 09:13:43 mccoy login(pam_unix)[17951]: authentication failure; logname= uid=0 euid=0 tty=/dev/pts/5 ruser= rhost=impreza
Jun 16 09:13:44 mccoy login(pam_unix)[17951]: check pass; user unknown
Jun 16 09:13:44 mccoy login(pam_unix)[17951]: check pass; user unknown
Jun 16 09:13:46 mccoy login[17951]: FAILED LOGIN 1 FROM impreza FOR UNKNOWN, Authentication failure
Jun 16 09:13:46 mccoy login[17951]: FAILED LOGIN 1 FROM impreza FOR UNKNOWN, Authentication failure

And yes, everything is always in the logs twice for some reason.

Here is my /etc/pam.d/sshd:

#%PAM-1.0
auth required pam_stack.so service=system-auth
auth sufficient /lib/security/pam_winbind.so
auth required pam_shells.so
auth required pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

Also of possible interest, when I tried to initially join this linux machine to the AD domain I got this output:

Administrator password:
[2003/06/13 16:18:19, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267) krb5_cc_get_principal failed (No credentials cache found)
[2003/06/13 16:18:19, 0] libads/kerberos.c:ads_kinit_password(133) kerberos_kinit_password Administrator@LIGHTSPEEDRESEARCH.COM failed: KDC has no support for encryption type
[2003/06/13 16:18:19, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267) krb5_cc_get_principal failed (No credentials cache found)
[2003/06/13 16:18:19, 0] libads/kerberos.c:ads_kinit_password(133) kerberos_kinit_password Administrator@LIGHTSPEEDRESEARCH.COM failed: KDC has no support for encryption type
[2003/06/13 16:18:19, 1] libads/krb5_setpw.c:ads_krb5_set_password(520) Failed to get principal from ccache (No credentials cache found)
ads_set_machine_password: No credentials cache found
ADS join did not work, trying RPC...
[2003/06/13 16:18:20, 1] utils/net.c:net_find_server(243) no server to connect to
Unable to find a suitable server
[2003/06/13 16:18:21, 1] utils/net.c:net_find_server(243) no server to connect to
Unable to find a suitable server

BUT, if I looked on the pdc, my computer account seemed to be successfully created. This seemed to always happen, I would get the above errors, but the command would succeed ... Anything I can do to help, as I'd really like people to be able to authenticate against the AD Domain controller, I'd be happy to provide.
Also, when attempting to log in, via something like telnet or ssh, should I be using:

DOMAIN<winbind separator>username
or
DOMAIN/username

Neither seems to work, sshd always says invalid user (twice, always), and ideally, I'd like to just be able to use 'username' ...
For starters, always use the winbind separator when you're specifying a domain on that samba box. From windows, if you need it, the separator is always '\'. But if you want to use the username with no domain, see the "winbind use default domain" parameter (and it seems to be spelled 'used' in some man pages, but it's really 'use'). It will stick the smb.conf domain in front of any user that doesn't specify one.
Ok, you have at some point done a wbinfo -A, I believe, with a domain of TSCHMIDT and userid of welcome123, so that's why it's failing to find a logon server. The log shows that it's trying to do its IPC$ connection using that stored userid. Try running 'wbinfo -A %' to clear it out and see if that fixes it.
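The two log signatures this thread turns on, the username that reaches PAM_AUTH without a winbind separator and the stored IPC$ identity that precedes NT_STATUS_NO_LOGON_SERVERS, can be pulled out of a log.winbind with a short script. This is an added example, not part of the original thread or of Samba; the function names, the finding labels and the rule "IPC$ domain differs from the expected workgroup" are assumptions for illustration, and the sample is an excerpt of the log posted above.

```python
import re

# Header of a Samba debug entry: "[date time, level] file.c:function(line)".
HEADER = re.compile(
    r"\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*\d+\]\s+\S+?:(\w+)\s?\(\d+\)")
NO_SEP = re.compile(r"no domain separator \((.)\) in username \(([^)]+)\)")
IPC_ID = re.compile(r"IPC\$ connections done by user ([^\\]*)\\")

# Excerpt of the log posted in this thread, re-broken into one header line
# and one message line per entry.
SAMPLE = r"""
[2003/06/12 16:54:24, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(80)
  [11591]: pam auth tschmidt
[2003/06/12 16:54:24, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth(93)
  no domain separator (+) in username (tschmidt) - failing auth
[2003/06/12 16:54:24, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(238)
  IPC$ connections done by user TSCHMIDT\welcome123
[2003/06/12 16:54:24, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(292)
  could not open handle to NETLOGON pipe (error: NT_STATUS_UNSUCCESSFUL)
[2003/06/12 16:54:24, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(342)
  NTLM CRAP authentication for user [TNCTEST]\[tschmidt] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
"""

def entries(text):
    """Yield (function, message); works on two-line or flattened logs."""
    heads = list(HEADER.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield head.group(1), " ".join(text[head.end():end].split())

def diagnose(text, workgroup):
    """Return findings; `workgroup` is the domain winbindd should bind to."""
    findings, ipc_domain = [], None
    for func, msg in entries(text):
        sep = NO_SEP.search(msg)
        if sep:  # username reached PAM_AUTH without DOMAIN<separator>
            findings.append(("missing-separator", sep.group(2), sep.group(1)))
        ipc = IPC_ID.match(msg) if func == "cm_get_ipc_userpass" else None
        if ipc:  # identity stored earlier with wbinfo -A
            ipc_domain = ipc.group(1)
        if ("NT_STATUS_NO_LOGON_SERVERS" in msg and ipc_domain is not None
                and ipc_domain.upper() != workgroup.upper()):
            findings.append(("ipc-identity-mismatch", ipc_domain))
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, "TNCTEST"):
        print(finding)
```
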
Running wbinfo -A user%pass resolved this issue. I am now able to run wbinfo -a, wbinfo -t without errors.
Originally reported against 3.0.0beta1. Cleaning out non-production release versions.
database cleanup