I've double checked a number of items and tried several different configurations, but I still can't get vsftpd (or wu-ftp) to authenticate via winbind. The winbind account setup works fine (wbinfo -t, wbinfo -u and wbinfo -g all work, and getent <whatever> works fine as well) with Samba authenticated with pam_winbind.so set up either through pam.d/samba or through pam.d/system-auth (via pam_stack.so).
I have tried putting pam_winbind.so and pam_pwdb.so in various lines of vsftpd without success (the file below does not contain any particular configuration, but be assured I have tried every permutation of what is below and adding in pam_winbind.so and pam_pwdb.so). Proper Linux accounts work fine, but winbind accounts do not, even though I get all accounts listed by 'getent passwd' (although there is a 3-5 second delay for that information to display).
Additional information:
- The shadow password file does not contain the winbind-generated users that are displayed through getent users, i.e. the shadow password file is not synced with the passwd file (should it be?).
If someone has this working (or wu-ftp or proftp), please send me your pam.d files! I'm getting desperate.
Here is the error message from /var/log/messages:
Apr 21 10:36:36 star vsftpd(pam_unix)[15463]: check pass; user unknown
Apr 21 10:36:36 star vsftpd(pam_unix)[15463]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=XXX.XXX.XXX.XXX
Apr 21 10:36:36 star pam_winbind[15463]: request failed, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
Apr 21 10:36:36 star pam_winbind[15463]: internal module error (retval = 4, user = `joeuser'
Here is system-auth:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
#This is here to give all services access to authenticate with winbind and works for Samba
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
Here is vsftpd:
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
#I tried inserting 'auth sufficient pam_winbind.so' here and below this line
auth required /lib/security/pam_stack.so service=system-auth
#I tried inserting 'auth required pam_pwdb.so' here and above
auth required /lib/security/pam_shells.so
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
Here is samba (works perfectly, and also works if I remove pam_winbind from system-auth and put it in here):
auth required pam_nologin.so
auth required pam_pwdb.so nullok shadow
auth required pam_stack.so service=system-auth
account required pam_winbind.so
account required pam_pwdb.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
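Added example, not part of the original post and not Linux-PAM code: a simplified model of how the "required" and "sufficient" control flags combine when the vsftpd file pulls in system-auth through pam_stack.so. The auth and account lines are copied from the post; which modules succeed in each run is a constructed assumption, and only "required" and "sufficient" are modelled.

```python
# Added example: simplified model of PAM control flags (required/sufficient only).
# Config lines are copied from the post; module outcomes are supplied by the caller.
SYSTEM_AUTH = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
"""
VSFTPD = """\
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_shells.so
account required /lib/security/pam_stack.so service=system-auth
"""
SERVICES = {"system-auth": SYSTEM_AUTH, "vsftpd": VSFTPD}

def parse(service, mtype):
    """Return [(control, module_name, args)] for one management group."""
    rows = []
    for line in SERVICES[service].splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == mtype:
            rows.append((f[1], f[2].rsplit("/", 1)[-1], f[3:]))
    return rows

def evaluate(service, mtype, ok, trace=None):
    """ok: set of module names assumed to succeed; all others fail.
    Returns True if the stack succeeds; trace collects the modules called."""
    trace = [] if trace is None else trace
    passed = failed = False
    for control, module, args in parse(service, mtype):
        if module == "pam_stack.so":      # runs the named service as a sub-stack
            sub = dict(a.split("=", 1) for a in args)["service"]
            result = evaluate(sub, mtype, ok, trace)
        else:
            trace.append(module)
            result = module in ok
        if control == "sufficient":
            if result and not failed:
                return True               # ends this (sub-)stack only
        elif result:
            passed = True
        else:
            failed = True                 # required: remember failure, keep going
    return passed and not failed
```

Because a "sufficient" success inside system-auth only ends that sub-stack, pam_shells.so in the vsftpd file still runs afterwards, and the account group never reaches pam_winbind.so at all.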