Bug 5382 - I get NT_STATUS_WRONG_PASSWORD for every login
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.28a
Hardware: x86 Other
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2008-04-09 18:26 UTC by Rickard
Modified: 2022-03-14 15:01 UTC
Description Rickard 2008-04-09 18:26:34 UTC
Everything with my AD is set up OK, login via ntlm_auth works fine, nsswitch.conf:

passwd:         winbind compat
group:          winbind compat
shadow:         winbind compat

I've tried to configure PAM with both pam_unix and pam_winbind sufficient and with only pam_winbind required, with the same result. wbinfo -u and -g show me the AD users and groups; the only strange thing is that it's not shown as DOMAIN\user, the output only says the username/group.

My AD is running on Windows 2008 server in 2003 compatibility mode and I've tried both Vista and XP as client.

When I try to log in with an AD user, log.wb-DOMAINABC gets this error message:

[2008/04/10 01:22:35, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1751)
  [ 5358]: pam auth crap domain: DOMAINABC user: userxyz
[2008/04/10 01:22:35, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1927)
  NTLM CRAP authentication for user [DOMAINABC]\[userxyz] returned NT_STATUS_WRONG_PASSWORD (PAM: 4)
Comment 1 Rickard 2008-04-15 13:52:48 UTC
After playing around a bit more with another Linux server and Windows 2008 with AD in 2003 compatibility mode, I discovered that getent passwd doesn't reveal any users when /etc/nsswitch.conf is set to winbind only. Running strace gives me this error:

getpid()                                = 5640
lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/tmp/.winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
fcntl64(3, F_GETFD)                     = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
connect(3, {sa_family=AF_FILE, path="/tmp/.winbindd/pipe"}, 110) = 0
select(4, [3], NULL, NULL, {0, 0})      = 0 (Timeout)
write(3, "$\10\0\0\0\0\0\0\10\26\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0"..., 2084) = 2084
select(4, [3], NULL, NULL, {5, 0})      = 1 (in [3], left {5, 0})
read(3, 0xbfb65ea0, 3240)               = -1 ECONNRESET (Connection reset by peer)
close(3)                                = 0


/tmp/.winbindd/pipe exists and tailing it says:

# tail -f /tmp/.winbindd/pipe
tail: cannot open `/tmp/.winbindd/pipe' for reading: No such device or address
Comment 2 Björn Jacke 2022-03-14 15:01:10 UTC
Current versions do not return NT_STATUS_WRONG_PASSWORD for each login. Also from comment #2 - an nsswitch with winbind only is not valid. I'm closing this bug as worksforme.