We have a working samba file server using winbind to authenticate with a
Win2003 server in native mode.
[2008/05/10 18:22:54, 5] nsswitch/winbindd_cm.c:set_dc_type_and_flags(1651)
  set_dc_type_and_flags: domain STARTREK is in native mode.
[2008/05/10 18:22:54, 5] nsswitch/winbindd_cm.c:set_dc_type_and_flags(1654)
  set_dc_type_and_flags: domain STARTREK is running active directory.

I now want to allow the apache web server (running on the same machine
as samba) to utilize winbind to authenticate users with domain
credentials. I have installed and configured apache with mod_auth_pam.
When I access a protected website I get a login box, but it doesn't allow
me to log in with my domain user/pass.

The apache log gives the following error:
[Sat May 10 22:47:20 2008] [error] [client 192.168.1.48] PAM: user 'matt.humrick' - not authenticated: User not known to the underlying authentication module

This along with an strace of apache shows that winbind is being used via
mod_auth_pam for authentication with no obvious errors. Tcpdump also
shows packets being exchanged between winbind and the AD Windows server.

The following error appears in the winbind log:
[2008/05/10 22:39:09, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 19
[2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn INTERFACE_VERSION
[2008/05/10 22:39:09, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [31171]: request interface version
[2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2008/05/10 22:39:09, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [31171]: request location of privileged pipe
[2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn PAM_AUTH
[2008/05/10 22:39:09, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
  [31171]: pam auth matt.humrick
[2008/05/10 22:39:09, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth(764)
  Plain text authentication for matt.humrick returned NT_STATUS_NO_SUCH_USER (PAM: 10)

I get a similar plaintext authentication error with wbinfo -a:
wbinfo -a matt.humrick%xxxxx
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user matt.humrick%xxxxx with plaintext password
challenge/response password authentication succeeded

So, challenge/response authentication succeeded but plaintext
authentication fails. This appears to be a configuration issue to me.
Obviously apache gives a plaintext user/pass to winbind vs. the
challenge/response method used by a WinXP client (which is working
fine). What do I need to do to allow apache to authenticate with
winbind?

I've read through the smb.conf man page and looked at several settings
relating to plaintext passwords. However, I'm a bit confused as to when
these settings should be used and whether they will break the existing
functionality between the WinXP clients, winbind, and Win2003 AD server.

Thanks,
Matt
