I have a test 3.0.21b Samba DC with ldapsam backend called JPJLIN1. When trying to authenticate via PAM on the DC with pam_winbind I get the following errors:

From log.wb-JPJLIN1:

[2006/05/24 15:16:11.386764, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1248)
  Failed to get password policies: NT_STATUS_NOT_IMPLEMENTED
[2006/05/24 15:16:11.386828, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1274)
  Plain-text authentication for user jpjtest1 returned NT_STATUS_NOT_IMPLEMENTED (PAM: 4)
[2006/05/24 15:16:11.386891, 10] nsswitch/winbindd_cache.c:cache_store_response(1912)
  Storing response for pid 27804, len 3192

From /var/log/messages:

May 24 15:16:11 jpjlin pam_winbind[27810]: request failed: Not implemented, PAM error was System error (4), NT error was NT_STATUS_NOT_IMPLEMENTED
May 24 15:16:11 jpjlin pam_winbind[27810]: internal module error (retval = 4, user = `jpjtest1')

Looking in nsswitch/winbind_util.c it looks like the methods to get the password policy are only implemented in the case that the role is ROLE_DOMAIN_MEMBER. From a quick look at the new code in pam_winbindd.c:winbind_auth_request it relies on being able to get the password policy.
Created attachment 1920
lookup password policies when on a PDC

That patch should fix that wrong behaviour (untested yet, I'll do that next).
I tried the patch and it is still failing even though things look OK in log.wb-JPJLIN1:

[2006/05/30 11:39:59.792883, 10] lib/account_pol.c:account_policy_get(337)
  account_policy_get: name: minimum password age, val: 0
[2006/05/30 11:39:59.793019, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1274)
  Plain-text authentication for user jpjtest1 returned NT_STATUS_OK (PAM: 0)
[2006/05/30 11:39:59.793087, 10] nsswitch/winbindd_cache.c:cache_store_response(1912)
  Storing response for pid 15615, len 3192

From /var/log/messages:

May 30 11:39:59 jpjlin pam_winbind[15635]: user 'jpjtest1' granted access
May 30 11:39:59 jpjlin pam_winbind[15635]: request failed, but PAM error 0!
May 30 11:39:59 jpjlin pam_winbind[15635]: internal module error (retval = 3, user = `jpjtest1')

Also I noticed a new problem: if I try to su to a user right after starting smbd/nmbd/winbindd then I get auth failures that look like this in log.wb-JPJLIN1:

[2006/05/30 11:34:30.705222, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1101)
  winbindd_dual_pam_auth: domain: JPJLIN1 last was offline
[2006/05/30 11:34:30.705318, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1274)
  Plain-text authentication for user jpjtest1 returned NT_STATUS_LOGON_FAILURE (PAM: 7)
[2006/05/30 11:34:30.705380, 10] nsswitch/winbindd_cache.c:cache_store_response(1912)
  Storing response for pid 15472, len 3192

Doing wbinfo -t before trying the su makes this go away. Want me to open a new bug on this one?
(In reply to comment #2)

> I tried the patch and it is still failing even though things look OK in
> log.wb-JPJLIN1:
>
> [2006/05/30 11:39:59.792883, 10] lib/account_pol.c:account_policy_get(337)
>   account_policy_get: name: minimum password age, val: 0
> [2006/05/30 11:39:59.793019, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1274)
>   Plain-text authentication for user jpjtest1 returned NT_STATUS_OK (PAM: 0)
> [2006/05/30 11:39:59.793087, 10] nsswitch/winbindd_cache.c:cache_store_response(1912)
>   Storing response for pid 15615, len 3192
>
> From /var/log/messages:
> May 30 11:39:59 jpjlin pam_winbind[15635]: user 'jpjtest1' granted access
> May 30 11:39:59 jpjlin pam_winbind[15635]: request failed, but PAM error 0!
> May 30 11:39:59 jpjlin pam_winbind[15635]: internal module error (retval = 3, user = `jpjtest1')

Can you please describe the exact scenario how to reproduce that (including the smb.conf you're using)?

> Also I noticed a new problem - If I try to su to a user right after starting
> smbd/nmbd/winbindd then I get auth failures that look like this in
> log.wb-JPJLIN1:
> [2006/05/30 11:34:30.705222, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1101)
>   winbindd_dual_pam_auth: domain: JPJLIN1 last was offline
> [2006/05/30 11:34:30.705318, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1274)
>   Plain-text authentication for user jpjtest1 returned NT_STATUS_LOGON_FAILURE (PAM: 7)
> [2006/05/30 11:34:30.705380, 10] nsswitch/winbindd_cache.c:cache_store_response(1912)
>   Storing response for pid 15472, len 3192
>
> Doing wbinfo -t before trying the su makes this go away. Want me to open a new
> bug on this one?

Not necessary, that should be fixed with revision 15976.
(In reply to comment #2)

> From /var/log/messages:
> May 30 11:39:59 jpjlin pam_winbind[15635]: user 'jpjtest1' granted access
> May 30 11:39:59 jpjlin pam_winbind[15635]: request failed, but PAM error 0!
> May 30 11:39:59 jpjlin pam_winbind[15635]: internal module error (retval = 3, user = `jpjtest1')

Ok, this happens in the pam_sm_acct_mgmt() of pam_winbind where we clearly need to identify whether a user belongs to winbindd or to the local system (to handle password policies for users in other modules in the PAM stack). It will fail when WINBINDD_GETPWNAM won't return the user. As the getpwnam for winbindd accounts on a PDC with "winbindd trusted domains only" set won't return anything, make sure to not mark your account block as "requisite" for pam_winbind.
OK, making changes to my PAM config worked with this patch. But this should probably be documented in the release notes because my PAM config worked with the last version of Samba.
Can you please post your PAM config (along with your smb.conf)?
Created attachment 1933
JPJLIN1 Test Domain smb.conf
Created attachment 1934
Working PAM config
Created attachment 1935
Broken PAM config

I created this PAM config by copying the Red Hat system-auth PAM config and replacing pam_unix.so with pam_winbind.so. I did this because I wanted the radius service to only authenticate users in the Samba domain via winbindd and not local users.
Is this still a problem after the config file parsing fixes in 3.0.23a?
I tested both PAM configuration files from comments #8 and #9 and neither work on my test Samba 3.0.23a domain controller. I have had to rebuild my test environment since I opened this bug so the configuration may not be exactly the same. Here is what I see when using the PAM config I previously found to work after applying Guenther's patch to enable looking up password policies when running on a DC.

[root@jpjlin var]# /bin/su - user1
Password:
/bin/su: incorrect password
[root@jpjlin var]# tail /var/log/messages
Aug 7 15:12:44 jpjlin pam_winbind[16678]: user 'user1' granted access
Aug 7 15:12:44 jpjlin pam_winbind[16678]: request failed, but PAM error 0!
Aug 7 15:12:44 jpjlin pam_winbind[16678]: internal module error (retval = 3, user = `user1')

From log.wb-JPJLIN3:

[2006/08/07 15:12:44.357394, 10] lib/account_pol.c:account_policy_get(337)
  account_policy_get: name: minimum password age, val: 0
[2006/08/07 15:12:44.357452, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1319)
  Plain-text authentication for user user1 returned NT_STATUS_OK (PAM: 0)
[2006/08/07 15:12:44.357501, 10] nsswitch/winbindd_cache.c:cache_store_response(1913)
  Storing response for pid 16534, len 3240
I realized the correct PAM config after my last comment. The following works on my 3.0.23a test DC:

#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_winbind.so debug
auth       required     /lib/security/pam_deny.so
account    sufficient   /lib/security/pam_ldap.so
account    sufficient   /lib/security/pam_winbind.so
password   required     /lib/security/pam_cracklib.so retry=3 type=
password   sufficient   /lib/security/pam_winbind.so debug
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_winbind.so debug

This bug has been resolved since Guenther's patch to add password policy handling on a DC. I thought this should have been mentioned in the release notes since PAM configs that worked on pre-3.0.23 DCs could be broken on upgrade, but it is late for that now.
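The following is an added example, not code from Samba or from this bug's patch: a small model of Linux-PAM control-flag semantics that replays the "account" stack of a config that marks pam_winbind as "requisite" (the case comment #4 warns against) next to the account lines of the working config in comment #12. The module return values are constructed: pam_winbind returns PAM_SERVICE_ERR (retval 3, as in the syslog lines above) because its getpwnam lookup finds nothing on the DC, and pam_ldap is assumed to find the user in the ldapsam directory.

```python
"""Added example (not Samba project code): replay a PAM "account" stack with
the classic required/requisite/sufficient/optional rules to show why a
"requisite" pam_winbind entry fails on a DC where winbindd cannot resolve
the user, while "sufficient" entries let pam_ldap grant access."""

# Linux-PAM return codes used below (values from <security/_pam_types.h>)
PAM_SUCCESS, PAM_SERVICE_ERR, PAM_PERM_DENIED = 0, 3, 6


def parse_stack(config_text, stack_type):
    """Return [(control, module)] for the lines of one management group."""
    entries = []
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == stack_type:
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries


def run_stack(stack, module_results):
    """required records the first failure and keeps going; requisite stops
    the stack at once; sufficient returns success only if nothing failed
    earlier; failures of sufficient/optional entries are ignored."""
    first_failure, saw_ok = None, False
    for control, module in stack:
        rc = module_results.get(module, PAM_SERVICE_ERR)  # unknown module: fail
        if rc == PAM_SUCCESS:
            if control == "sufficient" and first_failure is None:
                return PAM_SUCCESS          # "done": short-circuit success
            saw_ok = True
        elif control in ("required", "requisite"):
            first_failure = rc if first_failure is None else first_failure
            if control == "requisite":
                return first_failure        # "die": stop the stack here
    if first_failure is not None:
        return first_failure
    return PAM_SUCCESS if saw_ok else PAM_PERM_DENIED


# Constructed module results for a domain user on this DC: with
# "winbind trusted domains only" pam_winbind's getpwnam finds nothing and
# reports retval 3 (PAM_SERVICE_ERR); pam_ldap is assumed to know the user.
RESULTS = {"pam_winbind.so": PAM_SERVICE_ERR, "pam_ldap.so": PAM_SUCCESS}

BROKEN = "account requisite /lib/security/pam_winbind.so\n"   # per comment #4
WORKING = ("account sufficient /lib/security/pam_ldap.so\n"   # per comment #12
           "account sufficient /lib/security/pam_winbind.so\n")


def account_result(config_text):
    return run_stack(parse_stack(config_text, "account"), RESULTS)
```

A result of 3 from the account stack is what su reports as "incorrect password" even though the auth stack already granted access.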
Thanks for following up John. Closing this one out now.