Very Computer

I am attempting to run winbindd as an auth module but get conflicting
results; it appears the module just is not working, pam, in it's new
implementation does not accept it.

Here is a snip from the system during a ssh login:
Jan 19 10:27:00 testhost2 pam_winbind[17861]: [ID 467601 auth.error]
request failed: No such user, PAM error was 13, NT error was
NT_STATUS_NO_SUCH_USER

So something is happening at the pam_winbind layer.

And the winbindd log:
[2006/01/19 13:46:06, 6] nsswitch/winbindd.c:new_connection(638)
  accepted socket 17
[2006/01/19 13:46:06, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(454)
  [    0]: request interface version
[2006/01/19 13:46:06, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(487)
  [    0]: request location of privileged pipe
[2006/01/19 13:46:06, 6] nsswitch/winbindd.c:new_connection(638)
  accepted socket 18
[2006/01/19 13:46:06, 3]
nsswitch/winbindd_user.c:winbindd_getpwnam(336)
  [    0]: getpwnam TESTDOM+testuser
[2006/01/19 13:46:12, 3]
nsswitch/winbindd_user.c:winbindd_getpwnam(336)
  [    0]: getpwnam TESTDOM+testuser
[2006/01/19 13:46:12, 3]
nsswitch/winbindd_user.c:winbindd_getpwnam(336)
  [    0]: getpwnam TESTDOM+testuser
[2006/01/19 13:46:12, 3]
nsswitch/winbindd_user.c:winbindd_getpwnam(336)
  [    0]: getpwnam TESTDOM+testuser

Anyone have some ideas?

I have included a copy of my pam.conf for Solaris 10 as well as a copy
from my 'working' Solaris 9.

========BEGIN pam.conf Solaris 9 ==================
#
#ident  "@(#)pam.conf   1.20    02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules # defined in
the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are #
relative to /usr/lib/security/$ISA. Absolute path names, as # present
in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth) #
login auth requisite            pam_authtok_get.so.1
login auth sufficient           pam_dhkeys.so.1
login auth sufficient           pam_unix_auth.so.1
login auth sufficient           pam_dial_auth.so.1
login auth sufficient           /usr/lib/security/pam_winbind.so.1
try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth) #
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth sufficient         pam_dhkeys.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth sufficient         /usr/lib/security/pam_winbind.so.1
try_first_pass
#
# rsh service (explicit because of pam_rhost_auth, # and pam_unix_auth
for meaningful
rsh     auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth) #
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management # Used when service
name is not #explicitly mentioned for authenctication #
other   auth requisite          pam_authtok_get.so.1
other auth sufficient           pam_dhkeys.so.1
other auth sufficient           pam_unix_auth.so.1
other auth sufficient           /usr/lib/security/pam_winbind.so.1
try_first_pass
#
# passwd command (explicit because of a different authentication
module) #
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1) #
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management # Used when service name is
not explicitly mentioned for account management #
other   account requisite       pam_roles.so.1
other   account sufficient      pam_projects.so.1
other   account sufficient      pam_unix_account.so.1
#
# Default definition for Session management # Used when service name is
not explicitly mentioned for session management #
other   session required        pam_unix_session.so.1
other session sufficient        /usr/lib/security/pam_winbind.so.1
#
# Default definition for  Password management # Used when service name
is not explicitly mentioned for password management #
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos) #
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass
#========END pam.conf Solaris 9 ==================

#========BEGIN pam.conf Solaris 10 ==================
#
#ident  "@(#)pam.conf   1.28    04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
#---- Begin Winbind -----#
#---- Notes: Pass, OK, stacked authtok_get first
login   auth binding            pam_winbind.so.1 try_first_pass
#---- End Winbind -------#
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
#---- Begin Winbind -----#
#---- Notes:  OK
rlogin  auth required           pam_winbind.so.1 try_first_pass
#---- End Winbind -------#
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
#---- Begin Winbind -----#
#---- Notes: Pass, OK, but asks for password twice and passes on the
scecond # try without the "try_first_pass"
other  auth binding            pam_winbind.so.1 try_first_pass debug
#---- End Winbind -------#
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
other auth required           pam_krb5.so.1 use_first_pass
#
# passwd command (explicit because of a different authentication
module)
#
#---- Begin Winbind -----#
#---- Notes: no problem for files users.
passwd  auth required   pam_winbind.so.1
#---- End Winbind -------#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account
management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#---- Begin Winbind -----#
#---- Notes: Pass, OK
other   account sufficient      pam_winbind.so.1
#---- End Winbind -------#
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session
management
#
#---- Begin Winbind -----#
#---- Notes: Causes
other   session required        pam_winbind.so.1 try_first_pass
#---- End Winbind -------#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password
management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#---- Begin Winbind -----#
#---- Notes:
other   password sufficient     pam_winbind.so.1 try_first_pass
...

read more »

Have you checked the winbind nsswitch.conf entry?

(To get usernames from winbind, you will need to have an nsswitch.conf
plugin)

I can't comment on pam.conf too much but not that much other than
some modules.

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

as well as linking the winbind nss modules

/usr/local/samba/lib/libnss_winbind.so --> /usr/lib/libnss_winbind.so.1
/usr/local/samba/lib/libnss_winbind.so --> /usr/lib/libnss_winbind.so.2
/usr/local/samba/lib/libnss_winbind.so --> /usr/lib/nss_winbind.so.1
/usr/local/samba/lib/libnss_winbind.so --> /usr/lib/nss_winbind.so.2

I have a feeling that pam is not configured right. . but at the same
time the modules get called. So I am either loosing something along the
way in the pam mixing bowl or pam_winbind is not properly communicating
with winbind (which I know to be working) I have no problem with samba
shares and access. I have even used ACLs to assign default / effective
privileges for AD users to the file systems. .. that all works well.

I started this exercise in the attempt to make use of some new
pam_winbind functions, namely the function to allow only a certain
security group to access a shell login. At first that did not succeed
so I decided to start simple and went back to my 'working' Solaris 9
version.

e.g.

pam_winbind(7)

require_membership_of=[SID or NAME]
use_authtok
          Set the new password to the one provided by the  previ-
          ously  stacked  password  module. If this option is not
          set pam_winbind will ask the user for the new password.