Everything with my AD is set up OK, login via ntlm_auth works fine. nsswitch.conf:

    passwd: winbind compat
    group: winbind compat
    shadow: winbind compat

I've tried to configure PAM with both pam_unix and pam_winbind sufficient, and with only pam_winbind required, with the same result. wbinfo -u and -g show me the AD users and groups; the only strange thing is that they are not shown as DOMAIN\user, the output only says the username/group. My AD is running on Windows 2008 Server in 2003 compatibility mode and I've tried both Vista and XP as client.

When I try to log in with an AD user, log.wb-DOMAINABC gets this error message:

    [2008/04/10 01:22:35, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1751)
      [ 5358]: pam auth crap domain: DOMAINABC user: userxyz
    [2008/04/10 01:22:35, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1927)
      NTLM CRAP authentication for user [DOMAINABC]\[userxyz] returned NT_STATUS_WRONG_PASSWORD (PAM: 4)

After playing around a bit more with another Linux server and Windows 2008 with AD in 2003 compatibility mode, I discovered that getent passwd doesn't reveal any users when /etc/nsswitch.conf is set to winbind only. Running strace gives me this error:

    getpid() = 5640
    lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    lstat64("/tmp/.winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
    socket(PF_FILE, SOCK_STREAM, 0) = 3
    fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
    fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
    fcntl64(3, F_GETFD) = 0
    fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
    connect(3, {sa_family=AF_FILE, path="/tmp/.winbindd/pipe"}, 110) = 0
    select(4, [3], NULL, NULL, {0, 0}) = 0 (Timeout)
    write(3, "$\10\0\0\0\0\0\0\10\26\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0"..., 2084) = 2084
    select(4, [3], NULL, NULL, {5, 0}) = 1 (in [3], left {5, 0})
    read(3, 0xbfb65ea0, 3240) = -1 ECONNRESET (Connection reset by peer)
    close(3) = 0

/tmp/.winbindd/pipe exists and tailing it says:

    # tail -f /tmp/.winbindd/pipe
    tail: cannot open `/tmp/.winbindd/pipe' for reading: No such device or address

Current versions do not return NT_STATUS_WRONG_PASSWORD for each login. Also, from comment #2: an nsswitch with winbind only is not valid. I'm closing this bug as worksforme.