Winbind NT domain authentication

Thomas Fazekas tfa at
Fri Jun 24 10:48:01 GMT 2005

Hi list,

Sorry for the cross-post, I'm not sure which list is better for
me as I have a question related to Samba, configuration and FreeBSD.

I'm trying to configure NT authentication on FreeBSD 5.4 with
Samba 3.0.12 (installed from the ports collection).
I've followed the Samba 3 howto and I've managed the following:

wbinfo -g returns correctly the domain groups

wbinfo -u returns all the users (including those ones from the domain)

ntlm_auth does authenticate the user correctly
ntlm_auth --username=usr1
NT_STATUS_OK: Success (0x0)
and in the winbind log I get:
        rpc: trusted_domains
        [ 3141]: request interface version
        [ 3141]: request location of privileged pipe
        [ 3141]: request domain name
        [ 3141]: request misc info
        [ 3141]: pam auth MYDOMAIN\usr1
        rpc_dc_name: Returning DC PASSV_SERV (_the_ip_) for domain MYDOMAIN
        IPC$ connections done anonymously
        Connecting to host=PASSV_SERV
        Connecting to _the_ip_ at port 445

I suspect this means that my samba/winbind configuration is correct.
The trouble is that I still can't login (login or ssh) with usernames
from the domain.
If I try with MYDOMAIN\usr1 I just get an Access Denied.
The worst is that I'm not sure that I'm looking for the logs in the
right place; neither auth.log nor messages shows any trace of
winbind being called.

My smb.conf:

workgroup = MYDOMAIN
netbios name = MY_BSD
password server = passwd_serv_ip
security = domain
encrypt passwords = yes
#passdb backend = tdbsam guest
server string = MY_BSD Samba Server

# separate domain and username with '\', like DOMAIN\username
winbind separator = \\
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /home/winnt/%D%U
template shell = /usr/local/bin/bash

My nsswitch.conf:

group: compat winbind
group_compat: nis
hosts: files dns winbind
networks: files
passwd: compat winbind
passwd_compat: nis
shells: files

and finally my /etc/pam.d/sshd:

# auth
auth            required          no_warn
#auth           sufficient             no_warn no_fake_prompts
#auth           requisite       no_warn allow_local
#auth           sufficient             no_warn try_first_pass
#auth           sufficient              no_warn try_first_pass
#auth           required             no_warn try_first_pass
auth            sufficient          debug try_first_pass
auth            sufficient             no_warn try_first_pass

# account
#account        required
account         required
account         sufficient          debug
account         sufficient

# session
#session        optional
session         required

# password
#password       sufficient             no_warn try_first_pass
password        sufficient          debug try_first_pass
password        sufficient             no_warn try_first_pass

I hope this question is not silly, but for NT authentication only, smbd/nmbd
are not necessary to run, are they? Winbind should do the job.

This is the 2nd week I keep trying to set this thing up, and it is one of the most
frustrating experiences ever...
Can anybody give me some hints (other than going to a psychiatrist)?
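Added here as an example, not part of the post above: a small checker for a FreeBSD pam.d stack like the one quoted. It flags rules whose module column is missing (as in the pasted /etc/pam.d/sshd, where every line lacks a module path), phases with no pam_winbind.so at all, and a `required pam_unix.so` placed ahead of `sufficient pam_winbind.so`, which under OpenPAM's chain semantics fails a domain user before winbind is consulted. The sample stack and its module names are constructed for illustration.

```python
# Constructed sample of a FreeBSD-style /etc/pam.d/sshd. The module column of
# the stack quoted in the post was lost, so the module names are assumptions.
SAMPLE_PAM_SSHD = """\
# auth
auth      required    pam_nologin.so    no_warn
auth      sufficient  pam_winbind.so    debug try_first_pass
auth      required    pam_unix.so       no_warn try_first_pass
auth      required    no_warn
# account
account   required    pam_login_access.so
account   sufficient  pam_winbind.so    debug
account   required    pam_unix.so
"""

PHASES = ("auth", "account", "session", "password")

def parse_pam(text):
    """Return (rules, malformed); a rule is (lineno, phase, control, module, args)."""
    rules, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        # Third column must be a module path; 'auth required no_warn' is not.
        if len(f) < 3 or f[0] not in PHASES or not f[2].endswith(".so"):
            malformed.append((lineno, " ".join(f)))
            continue
        rules.append((lineno, f[0], f[1], f[2], f[3:]))
    return rules, malformed

def check_winbind_stack(text):
    """List reasons a domain login could still fail at the PAM layer."""
    rules, malformed = parse_pam(text)
    findings = [f"line {n}: malformed rule '{l}'" for n, l in malformed]
    for phase in ("auth", "account"):
        chain = [r for r in rules if r[1] == phase]
        wb = [i for i, r in enumerate(chain) if r[3] == "pam_winbind.so"]
        if not wb:
            findings.append(f"{phase}: pam_winbind.so not in the stack")
            continue
        # OpenPAM: a failing 'required' rule makes the chain fail even if a
        # later 'sufficient' rule succeeds, so pam_unix.so (which cannot
        # verify a domain password) must not be 'required' ahead of winbind.
        for r in chain[:wb[0]]:
            if r[2] == "required" and r[3] == "pam_unix.so":
                findings.append(f"{phase}: required pam_unix.so precedes "
                                f"sufficient pam_winbind.so (line {r[0]})")
    return findings
```

Run `check_winbind_stack(open("/etc/pam.d/sshd").read())` on the real file once the module column is present; an empty list means none of these three problems applies.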

