I upgraded winbind/samba from 3.0.33 to 3.6.24 in a 32-bit RHEL4 box.
The problem now is that any NT user cannot login. The error message found in /var/log/messages is
Sep 3 09:05:20 node2 sshd[7209]: pam_winbind(sshd): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Sep 3 09:05:20 node2 sshd[7209]: pam_winbind(sshd): user 'user2' denied access (incorrect password or invalid membership)
The wbinfo command suggests everything is OK:
# wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls succeeded
# wbinfo -a user2%mypassword
plaintext password authentication succeeded
challenge/response password authentication succeeded
# wbinfo -K user2%mypassword
plaintext kerberos password authentication for [user2%mypassword] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
I guess there is no problem with the NT user because this user 'user2' logins successfully in other 32-bit RHEL4 with samba 3.0.33 not upgraded yet.
Thanx in advance
UPDATE 1
I realized that the user2 can login in the system from the console and using a FTP client. Therefore, SSH is the only way the user2 cannot login.
I found an "AllowGroups" directive in the /etc/ssh/sshd_config file:
AllowGroups root MYusers
When I comment out that directive, the user2 logins succesfully.
UPDATE 2
Finally, after a lot of trials, I realized that the winbind 3.6.24 show NT group names in lowercase, not keeping the original case of every group name characters:
$ id
uid=10000(user2) gid=10000(myusers)
In other box using winbind 3.0.33:
$ id
uid=10009(user2) gid=10006(MYusers)
Then I changed the AllowGroups directive in the sshd_config file:
AllowGroups root myusers
and restarted the sshd. Then user2 can login succesfully by means of SSH.
Maybe a new winbind parameter to convert the case?
Maybe a bug?
