Old 07-31-2008, 10:55 AM   #1
LQ Newbie
Registered: Jul 2008
Posts: 8

Rep: Reputation: 0
PAM Active Directory user authentication for Samba shares in RHEL 4

I'm having trouble getting user authentication working for Samba shares in RHEL 4.

Basically the way it is set up is as follows:
We have a RHEL 4 server which authenticates users against an Active Directory controller via LDAP/Winbind. The AD server is running W2k3 Server R2 with Microsoft Identity Management for Unix installed. I can getent group/passwd and see the AD users. wbinfo works as well.

The problem we are having is that when we share folders from the RHEL 4 server via samba, it does not authenticate users properly. We have a RHEL 5 server set up exactly the same way and it works just fine. I have narrowed the problem down to the Samba pam module but I don't understand why it works in RHEL 5 and not 4.

Here is the /etc/pam.d/samba file:
auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 10000 quiet
auth        sufficient use_first_pass
auth        required

account     required broken_shadow
account     sufficient
account     sufficient uid < 10000 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass retry=3
password    sufficient md5 shadow nis nullok try_first_pass use_authtok
password    sufficient use_authtok
password    required

session     optional revoke
session     required skel=/etc/skel umask=0022 quiet
session     required
session     required
session     optional

If I change "account ... ..." to 'sufficient' instead of 'required' or remove the line completely, users can connect to the server, but permissions for the shares are definitely not working properly.

In the samba log file for the client computer, I get the following message when pam_unix is required for account:
[2008/07/31 15:48:40, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/07/31 15:48:40, 2] auth/pampass.c:smb_pam_account(560)
  smb_pam_account: PAM: There was an authentication error for user joe
[2008/07/31 15:48:40, 2] auth/pampass.c:smb_pam_error_handler(73)
  smb_pam_error_handler: PAM: Account Check Failed : Authentication failure
[2008/07/31 15:48:40, 0] auth/pampass.c:smb_pam_accountcheck(780)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User joe!
[2008/07/31 15:48:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(416)
  PAM account restriction prevents user login
Any suggestions on what I'm doing wrong?
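
Added example (not part of the original post): a small Python parser that joins each Samba log header with its indented message line and reports the PAM account-phase rejections seen in the excerpt above. The function names are this example's own; the sample input is copied from the post.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
REJECT = re.compile(r"Account Validation Failed - Rejecting User (\S+?)!")
REASON = re.compile(r"smb_pam_error_handler: PAM: (.+)$")

def parse_records(text):
    """Join each '[time, level] file:function(line)' header with its message lines."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append(dict(m.groupdict(), level=int(m["level"]), msg=""))
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def pam_account_rejections(records):
    """Return {user: [(timestamp, reason)]} for PAM account-phase rejections."""
    hits, reason = defaultdict(list), None
    for rec in records:
        if rec["src"] != "auth/pampass.c":
            continue
        found = REASON.search(rec["msg"])
        if found:
            reason = found.group(1).strip()   # remembered for the rejection that follows
        rejected = REJECT.search(rec["msg"])
        if rejected:
            hits[rejected.group(1)].append((rec["ts"], reason))
            reason = None
    return dict(hits)

# Log excerpt copied from the post above (last four records).
SAMPLE = """\
[2008/07/31 15:48:40, 2] auth/pampass.c:smb_pam_account(560)
  smb_pam_account: PAM: There was an authentication error for user joe
[2008/07/31 15:48:40, 2] auth/pampass.c:smb_pam_error_handler(73)
  smb_pam_error_handler: PAM: Account Check Failed : Authentication failure
[2008/07/31 15:48:40, 0] auth/pampass.c:smb_pam_accountcheck(780)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User joe!
[2008/07/31 15:48:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(416)
  PAM account restriction prevents user login
"""

if __name__ == "__main__":
    print(pam_account_rejections(parse_records(SAMPLE)))
```

Run against a full smbd log, the same two functions give a per-user list of account-phase rejections, which separates this failure from password (auth-phase) failures.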

Old 11-27-2008, 11:41 AM   #2
LQ Newbie
Registered: Nov 2008
Posts: 1

Rep: Reputation: 0

I have exactly the same problem...
If you have some news, please update the thread!

Old 11-27-2008, 04:24 PM   #3
LQ Newbie
Registered: Sep 2008
Posts: 6

Rep: Reputation: 0
I would suggest adding:
auth sufficient
account sufficient

Old 12-02-2008, 02:02 PM   #4
LQ Newbie
Registered: Jul 2008
Posts: 8

Original Poster
Rep: Reputation: 0
It's been a long time since then...

In my Samba PAM file, the session section is slightly different in my current working file (everything else for the auth, account, and password entries is the same).

Try this and if it doesn't work, post your smb.conf, ldap.conf, krb5.conf and nsswitch.conf files because the problem is somewhere in there. Unfortunately I don't recall how exactly I solved my original problem.

session     optional revoke
session     required skel=/etc/skel umask=0022 quiet
session     required
session     [success=1 default=ignore] service in crond quiet use_uid
session     required
session     optional
Let me know if you solve it.
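
Added example (not from either poster): a simplified Python model of how Linux-PAM combines module results, covering the account-stack change described in post #1 (required versus sufficient on the pam_unix line) and the [success=1 default=ignore] jump in the session stack above. Only pam_unix is named on the page, so the other labels (line2 to line5) and all module return values are constructed assumptions.

```python
# Simplified Linux-PAM stack dispatch; "reset" and substacks are not modelled.
PRESETS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

def parse_control(control):
    """Map 'required' or '[value=action ...]' to a {return_value: action} dict."""
    spec = PRESETS.get(control, control.strip("[]"))
    return dict(pair.split("=", 1) for pair in spec.split())

def evaluate(stack):
    """stack: [(control, label, return_value)] -> (final_result, labels_run)."""
    impression, status, skip, ran = None, "perm_denied", 0, []
    for control, label, retval in stack:
        if skip:                       # jumped over by an earlier [value=N]
            skip -= 1
            continue
        ran.append(label)
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("ok", "done"):
            if retval != "ignore" and (impression is None or (impression, status) == ("pos", "success")):
                impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break                  # sufficient success: later modules never run
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", retval   # first failure is reported
            if action == "die":
                break
        elif action.isdigit():
            skip = int(action)         # skip the next N modules
    return ("perm_denied" if skip else status), ran

def account_stack(pam_unix_control, pam_unix_result="auth_err"):
    """Account stack shaped like post #1; labels and results are constructed."""
    return [
        (pam_unix_control, "pam_unix", pam_unix_result),
        ("sufficient", "line2", "perm_denied"),
        ("sufficient", "line3", "auth_err"),
        ("[default=bad success=ok user_unknown=ignore]", "line4", "success"),
        ("required", "line5", "success"),
    ]

if __name__ == "__main__":
    print({c: evaluate(account_stack(c)) for c in ("required", "sufficient")})
```

With pam_unix as sufficient, its failure is ignored and the outcome rests entirely on the remaining lines; when it succeeds, no later account module runs at all.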


pam, rhel4, samba

All times are GMT -5.