Hi all,

I have been trying to set up authentication of users on a Linux server against Windows Server 2003 using winbind.

I am at the point where an su - ADUSERNAME works, but sshing as that user still doesn't work. When I try to ssh as an AD user as follows:

    ssh -l "RILINUX+testuser" server.domain.com

I get the following output in /var/log/messages:

    server pam_winbind[5906]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
    server sshd(pam_unix)[5906]: check pass; user unknown
    server sshd(pam_unix)[5906]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=server.domain.com

At the same time, I see this Failure Audit in the Security section of Event Viewer on the AD server:

    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: NOUSER
    Source Workstation: \\LONLT-SVR9
    Error Code: 0xC0000064

I then changed my setup to use

    winbind use default domain = yes

and tried with

    ssh -l testuser server.domain.com

I got the same result as when using the DOMAIN+user syntax.

wbinfo -u shows this test user in the list.

My smb.conf is as follows:

    [global]
    workgroup = MYADDOMAIN
    netbios name = servername
    winbind separator = +
    winbind use default domain = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash
    security = ads
    encrypt passwords = yes
    realm = MYKERBEROSREALM.COM
    password server = 10.xxx.xxx.xxx

My various pam configs are as follows:

/etc/pam.d/login

    auth       required     pam_securetty.so
    auth       sufficient   pam_winbind.so
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    sufficient   pam_winbind.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    optional     pam_console.so

/etc/pam.d/sshd

    auth       required     pam_stack.so service=system-auth
    auth       sufficient   pam_winbind.so
    auth       required     pam_nologin.so
    account    sufficient   pam_winbind.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    required     pam_limits.so
    session    optional     pam_console.so

I'm using Red Hat EL AS 3, which I believe tries to centralise most of this in system-auth, and this is what I have there:

    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_winbind.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        required      /lib/security/$ISA/pam_deny.so
    account     sufficient    /lib/security/$ISA/pam_winbind.so
    account     required      /lib/security/$ISA/pam_unix.so
    password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    required      /lib/security/$ISA/pam_deny.so
    session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so

I'm not sure if this is related to my problem, but I see quite a few of the following messages in the Security section of Event Viewer:

    Pre-authentication failed:
    User Name: servername$
    User ID: MYDOMAIN\servername$
    Service Name: krbtgt/MYKERBEROSREALM.COM
    Pre-Authentication Type: 0x0
    Failure Code: 0x19
    Client Address: 10.xxx.xxx.xxx

Can anyone advise how to rectify this problem?

Thanks in advance,

--
Wayne Pascoe