Date:      Wed, 4 Jun 2003 09:18:45 +0200
From:      Guy Antony Halse <guy@rucus.net>
To:        freebsd-questions@freebsd.org
Subject:   FreeBSD + winbindd + PAM
Message-ID:  <20030604071845.GA24584@rucus.ru.ac.za>

I've been trying for a couple of weeks to get FreeBSD + winbindd + PAM
working, without success.  I'm hoping that someone here has bumped into my
problem before and has some advice to give.

My current setup is winbindd from Samba 2.8.8a on both FreeBSD 4.8-RELEASE
and 5.1-BETA.  I've configured Samba with the following options: syslog,
nocups, utmp, msdfs, quota, recycle, audit, winbind, wbauth.  On the
5.1-BETA box, I've also added the WITH_WINBIND_NSS=yes option.

My smb.conf has the following entries:

[global]
  workgroup = ICT
  netbios name = VARK
  security = domain
  password server = MADAM EVE
  encrypt passwords = yes
  winbind separator = .
  winbind uid = 10000-20000
  winbind gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  template shell = /usr/local/bin/ftponly
  template homedir = /tmp/raid/%D.%U


I run winbindd, and set a domain admin password using wbinfo -A.  With this
I can successfully enumerate the domain's users and groups:

guy@vark:~$ wbinfo -u | wc -l
     675

On the 5.1-BETA box, I've edited nsswitch.conf to include winbindd and can
see winbindd users with pw(8).

guy@vark:~$ pw usershow ICT.admingah
ICT.admingah:*:10004:10013::0:0:Guy Antony Halse:/tmp/raid/ICT.admingah:/usr/local/bin/ftponly

I realise this won't work on anything prior to the commitment of the new
nsswitch implementation by Jacques A. Vidrine, so I haven't bothered to try
this on the 4.8-RELEASE box.

So far, so good.  Everything works as I want it to, so I moved on to trying
to get PAM authentication working.

The first thing I noticed was that the pam_winbind.so from the port was not
installed (I checked the Makefile for PAM-related options and saw none), so
I manually copied this file into /usr/local/lib/compat and ran ldconfig(8). 
I have subsequently tried /usr/lib/compat too, but that shouldn't matter.

I edited {pam.conf,pam.d/ftpd} to create entries for my FTP server, that
looked like:

auth     required        pam_nologin.so          no_warn
auth     sufficient      pam_opie.so             no_warn no_fake_prompts
auth     requisite       pam_opieaccess.so       no_warn allow_local
auth     sufficient      pam_winbind.so          debug try_first_pass
auth     required        pam_unix.so             no_warn try_first_pass
account  sufficient      pam_winbind.so          debug
account  required        pam_unix.so
session  required        pam_permit.so

This is where things start falling apart for me.  Authentication always
fails, and I get the following in my logs:

Jun  4 09:07:07 vark ftpd[97485]: connection from omniscient (146.231.120.1)
Jun  4 09:07:15 vark pam_winbind[97485]: Could not retrive user's password
Jun  4 09:07:15 vark kernel: Jun  4 09:07:15 vark pam_winbind[97485]: Could not retrive user's password
Jun  4 09:07:15 vark ftpd[97485]: in _openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 20
Jun  4 09:07:15 vark kernel: Jun  4 09:07:15 vark ftpd[97485]: in _openpam_check _error_code(): pam_sm_authenticate(): unexpected return value 20
Jun  4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED FROM omniscient
Jun  4 09:07:15 vark kernel: Jun  4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED FROM omniscient
Jun  4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED FROM omniscient, ICT.admingah

This problem isn't just restricted to FTP.  If I try and set up PAM for
the login service, I get the same _openpam_check_error_code() error.

I've tried reducing my PAM config so that it was completely minimal,
consisting of only required pam_winbind.so lines, but this doesn't appear to
make a difference.

Using winbindd -i -d3, I've watched for connections to winbindd while PAM
authentication is happening, and no connections are ever logged by it. 
(They are when nsswitch is in use, and when I use wbinfo).

I've also tried recompiling the Samba suite with no optimizations (and
various stages of optimizations) as suggested by the pkg-message.  None of
this seems to make any difference to my problem whatsoever.


Anyone have any ideas as to how I can get this to work?

- Guy
-- 
Dept of Computer Science, Rhodes University, Grahamstown, South Africa
Email: guy@mombe.org  Web: http://mombe.org/  IRC: rm-rf@irc.zanet.net
*** ANSI Standard Disclaimer ***                               J.A.P.H
