Samba cannot authenticate against 2003 ADS. pdb_init_sam failed!

Posted on 2005-04-07
Last Modified: 2008-01-09
I'm trying to get Samba to connect to a 2003 Server ADS.  I have successfully joined the computer to the domain by doing a "net ads join" and can see users with "wbinfo -u".  I can authenticate correctly using kinit.

However, whenever I try to connect from an XP client I get

         System error 1326 has occurred.
         Logon failure: unknown user name or bad password.

on the client and

         [2005/04/07 13:52:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
           Username DDS\aclient$ is invalid on this system
         [2005/04/07 13:52:08, 0] auth/auth_util.c:make_server_info_info3(1134)
           make_server_info_info3: pdb_init_sam failed!

in the server log, where "aclient" is the client machine name.

Any ideas?

I'm using 2003 Server with SP2 & all hotfixes & the standard build of Samba & winbind from CentOS-4 (AKA RHEL 4).
Question by: DrBeaker
    LVL 2

    Author Comment


            workgroup = DDS
            server string = ddsunx02
            printcap name = /etc/printcap
            load printers = yes
            cups options = raw
    #       log file = /var/log/samba/%m.log
            log file = /var/log/samba/my.log
            max log size = 50
            socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
            dns proxy = no
            idmap uid = 20000000-33554431
            idmap gid = 20000000-33554431
            template shell = /bin/false
            password server = office1.ourdomain.dom
            realm = OURDOMAIN.DOM
            security = ADS
            encrypt passwords = yes
            winbind use default domain = no
            client use spnego = yes
            comment = Home Directories
            browseable = no
            writeable = yes
    #       comment = All Printers
    #       path = /var/spool/samba
    #       browseable = no
    #       printable = yes
            path = /var/SAMBA/public
            public = yes
            only guest = yes
            writable = yes
            printable = no
            browseable = yes
    LVL 2

    Author Comment

    my krb5.conf:

     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

     default_realm = OURDOMAIN.DOM
     dns_lookup_realm = true
     dns_lookup_kdc = true

      kdc = office1.ourdomain.dom
      admin_server = office1.ourdomain.dom
      default_domain = ourdomain.dom

     .ourdomain.dom = OURDOMAIN.DOM
     ourdomain.dom = OURDOMAIN.DOM

     profile = /var/kerberos/krb5kdc/kdc.conf

     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false

    LVL 2

    Author Comment

    I just noticed that when I do a "service winbind start" I get
    [2005/04/07 14:03:16, 0] sam/idmap_tdb.c:db_idmap_init(506)
      idmap_init: Unable to open idmap database
    [2005/04/07 14:03:16, 0] sam/idmap.c:idmap_init(113)
      idmap_init: could not initialise tdb cache backend!
    [2005/04/07 14:03:16, 1] nsswitch/winbindd.c:main(897)
      Could not init idmap -- netlogon proxy only
    [2005/04/07 14:03:16, 0] nsswitch/winbindd_cache.c:wcache_flush_cache(64)
      Failed to open winbindd_cache.tdb!

    in the Samba log. This might give someone a clue?
    LVL 38

    Expert Comment

    > Logon failure: unknown user name or bad password.
    1. Check /etc/nsswitch.conf for "winbind"
    passwd:      files winbind
    shadow:      files winbind
    group:       files winbind
    hosts:       files dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers:      files
    netmasks:    files
    networks:    files
    protocols:   files winbind
    rpc:         files
    services:    files winbind
    netgroup:    files winbind
    publickey:   nisplus
    automount:   files
    aliases:     files nisplus

    2. Use "<domain>\user" as login name, not just "user".

    3. Make sure the directory is created:

    LVL 38

    Expert Comment

    LVL 2

    Author Comment

    Thanks Wes, but that didn't help.  I read through the reference you gave & checked everything but still no joy.

    I'm sure the " idmap_init: Unable to open idmap database " etc on starting winbind must be significant.
    LVL 38

    Expert Comment

    What's your version of SAMBA?

    Expert Comment

    Samba Version / OS would be helpful.  This definitely looks like a PAM/Winbind problem.  Here's what I did for FreeBSD 5.3/Samba 3.0.9+

    /etc/pam.d/login (italics are changes):

    cd /etc/pam.d
    cp login old.login
    ee or vi login:

    # auth
    auth            required          no_warn
    auth            sufficient             no_warn
    auth            include         system
    auth            sufficient      /usr/local/lib/
    # account
    account         requisite
    account         include         system
    account         sufficient      /usr/local/lib/

    # session
    session         include         system

    Configure nsswitch.conf

    ee or vi /etc/nsswitch.conf

    passwd: files winbind
    shadow: files winbind
    group:  files winbind
    hosts:  dns winbind ldap files nis
    automount:      files winbind ldap nisplus
    aliases:        files winbind ldap nisplus

    The whole article is viewable at

    Expert Comment

    Oh yeah.  I haven't updated this yet.  Dunno if Linux is doing something like this, but you can also use a file called pam.conf in /etc.  For samba-ldap I have done this.  Use as an example of configuring PAM, not as the exact config:

    login   auth sufficient /usr/local/lib/

    telnet auth sufficient /usr/local/lib/
    telnet  auth required   /usr/lib/security/ try_first_pass

    sshd    auth sufficient /usr/local/lib/ try_first_pass

    ftp     auth sufficient /usr/local/lib/

    rlogin  auth sufficient /usr/local/lib/
    rlogin  auth required   /usr/lib/security/ try_first_pass

    dtlogin auth sufficient /usr/local/lib/
    dtlogin auth required   /usr/lib/security/ try_first_pass

    rsh     auth required   /usr/lib/security/

    other   auth sufficient /usr/local/lib/ try_first_pass

    # Account management
    login   account required  /usr/local/lib/
    login   account sufficient /usr/lib/security/

    dtlogin account required  /usr/local/lib/
    dtlogin account required /usr/lib/security/
    other   account required  /usr/local/lib/
    other   account sufficient /usr/lib/security/

    # Session management, not implemented by pam_ldap
    other   session required /usr/lib/security/

    # Password management
    #other  password required /usr/lib/security/
    #other   password required /usr/lib/security/
    other   password required /usr/local/lib/
    LVL 2

    Author Comment

    Back from vacation - I'll try this & advise
    LVL 2

    Author Comment

    smbd --version reports
    Version 3.0.10-1.4E
    LVL 2

    Author Comment

    I eventually tracked the problem.  There is an issue with the "targeted" policy not allowing winbind to create its working files etc, so it fails.  Turning off SELinux solved the problem.  Less drastic solutions include:

    1) turning it off just for winbind
    2) setting it to permissive mode
    3) correcting the profile.

    Having done 1) I'm now looking at doing 3) (and trying to find if anyone's done it already).    
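    One way to find the denial that option 3) has to fix, as an added example that is not part of the original thread: a shell script that filters the SELinux AVC records attributed to winbindd out of the system log and tallies them. It assumes that on CentOS 4 the kernel writes AVC records to /var/log/messages (with auditd they go to /var/log/audit/audit.log instead); the sample log lines in the script are constructed, not captured.

```shell
#!/bin/sh
# Added diagnostic (not from this thread): pull the SELinux AVC denials that hit
# winbindd out of the system log, so the "Unable to open idmap database" failure
# can be tied to a concrete denial before choosing between an exemption for
# winbind, permissive mode, or a policy fix.
# Assumption: on CentOS 4 the kernel writes AVC records to /var/log/messages
# (with auditd running they land in /var/log/audit/audit.log instead).

LOGFILE=${1:-/var/log/messages}

# Constructed sample records in the 2.6.9-era kernel AVC format (not real captures).
SAMPLE_AVC='Apr  7 14:03:16 ddsunx02 kernel: audit(1112882596.123:2): avc:  denied  { write } for  pid=2345 exe=/usr/sbin/winbindd name=samba dev=hda2 ino=123456 scontext=root:system_r:winbind_t tcontext=system_u:object_r:samba_var_t tclass=dir
Apr  7 14:03:16 ddsunx02 kernel: audit(1112882596.456:3): avc:  denied  { create } for  pid=2345 exe=/usr/sbin/winbindd name=winbindd_idmap.tdb scontext=root:system_r:winbind_t tcontext=system_u:object_r:samba_var_t tclass=file
Apr  7 14:05:00 ddsunx02 kernel: audit(1112882700.001:4): avc:  denied  { read } for  pid=2400 exe=/usr/sbin/smbd name=printcap dev=hda2 ino=654321 scontext=root:system_r:smbd_t tcontext=system_u:object_r:etc_t tclass=file'

# Emit one "permission class target_type" triple per denial attributed to winbindd.
# Matches both the exe=/usr/sbin/winbindd and the later comm="winbindd" spellings.
winbind_denials() {
    grep 'avc: *denied' "$1" | grep 'winbindd' |
    sed -n 's/.*denied *{ *\([a-z_]*\) *}.*tcontext=[^ ]*:\([a-z_]*\) tclass=\([a-z_]*\).*/\1 \3 \2/p'
}

# Number of winbindd denials in the file (0 means the cause is elsewhere).
count_winbind_denials() {
    winbind_denials "$1" | wc -l | tr -d ' '
}

# Tally of distinct denials; each line is one candidate allow rule for option 3).
winbind_denial_summary() {
    winbind_denials "$1" | sort | uniq -c | sort -rn
}

if [ -r "$LOGFILE" ]; then
    winbind_denial_summary "$LOGFILE"
else
    echo "cannot read $LOGFILE; showing the constructed sample instead" >&2
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_AVC" > "$tmp"
    winbind_denial_summary "$tmp"
    rm -f "$tmp"
fi
```

    The smbd denial in the sample is deliberately left out of the tally, so the output only lists what blocks winbind's tdb files.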
    LVL 38

    Expert Comment

    Did you need SELinux, which is still buggy and troublesome?
    Why not just leave it off?
    LVL 2

    Author Comment

    Aside from this issue, it's given me no problems & seems worthwhile.
    LVL 1

    Accepted Solution

    PAQed with points refunded (250)

    Community Support Moderator
