Date: Wed, 4 Jun 2003 09:18:45 +0200
From: Guy Antony Halse <guy@rucus.net>
To: freebsd-questions@freebsd.org
Subject: FreeBSD + winbindd + PAM
Message-ID: <20030604071845.GA24584@rucus.ru.ac.za>
I've been trying for a couple of weeks to get FreeBSD + winbindd + PAM working, without success. I'm hoping that someone here has bumped into my problem before and has some advice to give.

My current setup is winbindd from Samba 2.8.8a on both FreeBSD 4.8-RELEASE and 5.1-BETA. I've configured Samba with the following options: syslog, nocups, utmp, msdfs, quota, recycle, audit, winbind, wbauth. On the 5.1-BETA box, I've also added the WITH_WINBIND_NSS=yes option.

My smb.conf has the following entries:

    [global]
    workgroup = ICT
    netbios name = VARK
    security = domain
    password server = MADAM EVE
    encrypt passwords = yes
    winbind separator = .
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /usr/local/bin/ftponly
    template homedir = /tmp/raid/%D.%U

I run winbindd, and set a domain admin password using wbinfo -A. With this I can successfully enumerate the domain's users and groups:

    guy@vark:~$ wbinfo -u | wc -l
    675

On the 5.1-BETA box, I've edited nsswitch.conf to include winbindd and can see winbindd users with pw(8).

    guy@vark:~$ pw usershow ICT.admingah
    ICT.admingah:*:10004:10013::0:0:Guy Antony Halse:/tmp/raid/ICT.admingah:/usr/local/bin/ftponly

I realise this won't work on anything prior to the commitment of the new nsswitch implementation by Jacques A. Vidrine, so I haven't bothered to try this on the 4.8-RELEASE box.

So far, so good. Everything works as I want it to, so I moved on to trying to get PAM authentication working. The first thing I noticed was that the pam_winbind.so from the port was not installed (I checked the Makefile for PAM-related options and saw none), so I manually copied this file into /usr/local/lib/compat and ran ldconfig(8). I have subsequently tried /usr/lib/compat too, but that shouldn't matter.
I edited {pam.conf,pam.d/ftpd} to create entries for my FTP server, that looked like:

    auth      required    pam_nologin.so     no_warn
    auth      sufficient  pam_opie.so        no_warn no_fake_prompts
    auth      requisite   pam_opieaccess.so  no_warn allow_local
    auth      sufficient  pam_winbind.so     debug try_first_pass
    auth      required    pam_unix.so        no_warn try_first_pass
    account   sufficient  pam_winbind.so     debug
    account   required    pam_unix.so
    session   required    pam_permit.so

This is where things start falling apart for me. Authentication always fails, and I get the following in my logs:

    Jun 4 09:07:07 vark ftpd[97485]: connection from omniscient (146.231.120.1)
    Jun 4 09:07:15 vark pam_winbind[97485]: Could not retrive user's password
    Jun 4 09:07:15 vark kernel: Jun 4 09:07:15 vark pam_winbind[97485]: Could not retrive user's password
    Jun 4 09:07:15 vark ftpd[97485]: in _openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 20
    Jun 4 09:07:15 vark kernel: Jun 4 09:07:15 vark ftpd[97485]: in _openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 20
    Jun 4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED FROM omniscient
    Jun 4 09:07:15 vark kernel: Jun 4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED FROM omniscient
    Jun 4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED FROM omniscient, ICT.admingah

This problem isn't just restricted to FTP. If I try and set up PAM for the login service, I get the same _openpam_check_error_code() error.

I've tried reducing my PAM config so that it was completely minimal, consisting of only required pam_winbind.so lines, but this doesn't appear to make a difference.

Using winbindd -i -d3, I've watched for connections to winbindd while PAM authentication is happening, and no connections are ever logged by it. (They are when nsswitch is in use, and when I use wbinfo).

I've also tried recompiling the Samba suite with no optimizations (and various stages of optimizations) as suggested by the pkg-message.
None of this seems to make any difference to my problem whatsoever. Anyone have any ideas as to how I can get this to work?

- Guy

--
Dept of Computer Science, Rhodes University, Grahamstown, South Africa
Email: guy@mombe.org   Web: http://mombe.org/   IRC: rm-rf@irc.zanet.net
*** ANSI Standard Disclaimer ***   J.A.P.H
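As an added example (editor's code, not from the post, Samba or FreeBSD), a small Python log correlator for the failure pattern quoted above: it unwraps the lines syslog logged a second time under "kernel:" after they were echoed to the console, groups the remaining messages by PID so the PAM module that logged alongside ftpd is visible, and decodes the return value that _openpam_check_error_code() refused using the OpenPAM numbering (20 is PAM_AUTHTOK_ERR). The sample lines are the ones from the post; the regexes and field names are this example's own.

```python
import re
from collections import defaultdict

# OpenPAM error numbering (pam_constants.h); only a few codes are listed here.
OPENPAM_CODES = {0: "PAM_SUCCESS", 6: "PAM_CONV_ERR", 7: "PAM_PERM_DENIED", 9: "PAM_AUTH_ERR",
                 12: "PAM_AUTHINFO_UNAVAIL", 13: "PAM_USER_UNKNOWN", 20: "PAM_AUTHTOK_ERR"}

# Constructed sample: the lines quoted in the post, including the copies that
# syslog logged again under "kernel:" after they were echoed to the console.
SAMPLE_LOG = """\
Jun 4 09:07:07 vark ftpd[97485]: connection from omniscient (146.231.120.1)
Jun 4 09:07:15 vark pam_winbind[97485]: Could not retrive user's password
Jun 4 09:07:15 vark kernel: Jun 4 09:07:15 vark pam_winbind[97485]: Could not retrive user's password
Jun 4 09:07:15 vark ftpd[97485]: in _openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 20
Jun 4 09:07:15 vark kernel: Jun 4 09:07:15 vark ftpd[97485]: in _openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 20
Jun 4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED FROM omniscient
Jun 4 09:07:15 vark ftpd[97485]: FTP LOGIN FAILED FROM omniscient, ICT.admingah
"""

TS = r"\w{3}\s+\d+ \d\d:\d\d:\d\d"
SYSLOG = re.compile(rf"^(?P<ts>{TS}) (?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KERNEL_ECHO = re.compile(rf"^{TS} \S+ kernel: (?P<inner>{TS} .*)$")
UNEXPECTED = re.compile(r"_openpam_check_error_code\(\): (?P<func>pam_sm_\w+)\(\): unexpected return value (?P<code>\d+)")
LOGIN_FAILED = re.compile(r"LOGIN FAILED FROM (?P<src>[^,]+), (?P<user>\S+)$")

def parse(line):
    """Return the syslog fields of one line, unwrapping a kernel-echoed copy first."""
    echo = KERNEL_ECHO.match(line)
    m = SYSLOG.match(echo.group("inner") if echo else line)
    return m.groupdict() if m else None

def correlate(log_text):
    """Group messages by PID; return only the sessions where OpenPAM refused a module's return code."""
    seen = set()
    sessions = defaultdict(lambda: {"modules": set(), "bad_returns": [], "failed_user": None, "src": None})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["ts"], rec["prog"], rec["pid"], rec["msg"])
        if key in seen:                       # duplicate produced by the console echo
            continue
        seen.add(key)
        s = sessions[rec["pid"]]
        if rec["prog"].startswith("pam_"):    # a PAM module logged under the service's PID
            s["modules"].add(rec["prog"])
        if m := UNEXPECTED.search(rec["msg"]):
            code = int(m.group("code"))
            s["bad_returns"].append((m.group("func"), code, OPENPAM_CODES.get(code, "UNKNOWN")))
        if m := LOGIN_FAILED.search(rec["msg"]):
            s["failed_user"], s["src"] = m.group("user"), m.group("src")
    return {pid: s for pid, s in sessions.items() if s["bad_returns"]}
```

Run against the sample, it reports a single session (PID 97485) in which pam_winbind logged, pam_sm_authenticate() returned PAM_AUTHTOK_ERR, and the login for ICT.admingah from omniscient failed.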