I'm having trouble getting user authentication working for Samba shares in RHEL 4.
Basically the way it is set up is as follows:
We have a RHEL 4 server which authenticates users against an Active Directory controller via LDAP/Winbind. The AD server is running W2k3 Server R2 with Microsoft Identity Management for Unix installed. I can getent group/passwd and see the AD users. wbinfo works as well.
The problem we are having is that when we share folders from the RHEL 4 server via samba, it does not authenticate users properly. We have a RHEL 5 server set up exactly the same way and it works just fine. I have narrowed the problem down to the Samba pam module but I don't understand why it works in RHEL 5 and not 4.
Here is the /etc/pam.d/samba file:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 10000 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 10000 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_mkhomedir.so skel=/etc/skel umask=0022 quiet
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so
If I change "account ... pam_unix.so ..." to 'sufficient' instead of 'required' or remove the line completely, users can connect to the server, but permissions for the shares are definitely not working properly.
In the samba log file for the client computer, I get the follow message when pam_unix is required for account:
[2008/07/31 15:48:40, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/07/31 15:48:40, 2] auth/pampass.c:smb_pam_account(560)
smb_pam_account: PAM: There was an authentication error for user joe
[2008/07/31 15:48:40, 2] auth/pampass.c:smb_pam_error_handler(73)
smb_pam_error_handler: PAM: Account Check Failed : Authentication failure
[2008/07/31 15:48:40, 0] auth/pampass.c:smb_pam_accountcheck(780)
smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User joe!
[2008/07/31 15:48:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(416)
PAM account restriction prevents user login
Any suggestions on what I'm doing wrong?