Bug 3795 - problem testsaslauthd + winbind
Summary: problem testsaslauthd + winbind
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.20b
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2006-05-22 10:09 UTC by Paco Martinez
Modified: 2006-07-05 15:10 UTC

Description Paco Martinez 2006-05-22 10:09:04 UTC
My Server has installed postfix+sasl+winbindd+samba with SuSE 10.0

I have problems executing "testsaslauthd -u USER -p PASS -s smtp". 
Output is  0: NO "authentication failed"

DEBUG: auth_pam: pam_acct_mgmt failed: Permission denied
May 18 12:57:06 saslauthd[31381]: do_auth         : auth failure:
[user=USER] [service=smtp] [realm=] [mech=pam] [reason=PAM acct error]

However in winbind log appears:
Verify  user `USER`
User 'USER' granted access
User `USER' not found

Wbinfo -u, wbinfo -g, wbinfo -t executes ok

File /etc/pam.d/smtp is

auth      sufficient     /lib/security/pam_winbind.so 
account   sufficient     /lib/security/pam_winbind.so 

File /etc/sysconfig/saslauthd is

SASLAUTHD_AUTHMECH="pam"
SASLAUTHD_FLAGS="-d -V -n0"


And /etc/samba/smb.conf is

[global]
        workgroup = GROUP 
        winbind separator = _
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        password server = 192.168.1.1
        realm = 192.168.1.1
        interfaces = eth1
        auth methods = winbind
        template shell = /bin/false
        winbind use default domain = yes
        encrypt passwords = Yes
        wins server = 192.168.1.1

Thanks !!
Comment 1 Guenther Deschner 2006-06-13 11:29:42 UTC
(In reply to comment #0)
> My Server has installed postfix+sasl+winbindd+samba with SuSE 10.0
> 
> I have problems executing "testsaslauthd -u USER -p PASS -s smtp". 
> Output is  0: NO "authentication failed"
> 
> DEBUG: auth_pam: pam_acct_mgmt failed: Permission denied
> May 18 12:57:06 saslauthd[31381]: do_auth         : auth failure:
> [user=USER] [service=smtp] [realm=] [mech=pam] [reason=PAM acct error]
> 
> However in winbind log appears:
> Verify  user `USER`
> User 'USER' granted access
> User `USER' not found
^^^^^^^^^^^^^^^^^^^^^^^^

Do you have winbind in nsswitch.conf ?

> Wbinfo -u, wbinfo -g, wbinfo -t executes ok
> 
> File /etc/pam.d/smtp is
> 
> auth      sufficient     /lib/security/pam_winbind.so 
> account   sufficient     /lib/security/pam_winbind.so 

With this configuration 'account' can only succeed when USER is available over NSS calls. Please make sure "getpwnam USER" succeeds and reopen if this is still an issue. (I verified this works with 3.0.23rc2).
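
The check requested in comment 1, as an added example that is not part of the bug report or of Samba: getpwnam is a libc function rather than a command, so from a shell the same NSS lookup is done with `getent passwd USER`. The function names below are hypothetical; the script first confirms that winbind is listed for the passwd and group databases, then performs the lookup.

```shell
#!/bin/sh
# Added diagnostic sketch: will NSS resolve the account that the PAM
# 'account' phase (pam_acct_mgmt via pam_winbind) needs to look up?

# nss_sources FILE DB: print the sources configured for DB, space separated.
nss_sources() {
    sed 's/#.*//' "$1" | awk -F: -v db="$2" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == db {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, "")
            gsub(/[ \t]+/, " "); print; exit
        }'
}

# nss_has_winbind FILE DB: succeed only if "winbind" is one of DB's sources.
nss_has_winbind() {
    case " $(nss_sources "$1" "$2") " in
        *" winbind "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_account USER [FILE]: 0 = resolvable, 1 = nsswitch problem, 2 = no entry.
check_account() {
    user=$1
    conf=${2:-/etc/nsswitch.conf}
    for db in passwd group; do
        if ! nss_has_winbind "$conf" "$db"; then
            echo "FAIL: winbind is not a source for '$db' in $conf"
            return 1
        fi
    done
    if entry=$(getent passwd "$user"); then
        echo "OK: NSS resolves $user -> $entry"
    else
        echo "FAIL: getent passwd $user returned nothing; 'account' cannot succeed"
        return 2
    fi
}

# Run only when a user name is given, e.g.: sh check_nss.sh USER
if [ "$#" -ge 1 ]; then
    check_account "$@"
fi
```
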
Comment 2 Paco Martinez 2006-06-15 06:18:44 UTC
(In reply to comment #0)
Comment 3 Paco Martinez 2006-06-15 06:21:34 UTC
In nsswitch.conf there is

passwd: compat winbind
group:  compat winbind
shadow: compat winbind

And I cannot execute "getpwnam"

In which rpm is this command "getpwnam"?

Comment 4 Gerald (Jerry) Carter (dead mail address) 2006-07-05 15:10:01 UTC
* realms must be names and not IP addresses
* do not tweak the 'auth methods' parameter.

This is a configuration issue as far as I can tell and not a bug.
Please post to the mailing list for help.