Success: Samba4 alpha20 on Ubuntu Precise + Install script
Sergey Urushkin
urushkin at telros.ru
Tue May 15 13:12:34 MDT 2012
On Tue May 15 06:13:05 MDT 2012, steve wrote:
> On 05/14/2012 03:19 PM, David Feurle wrote:
>>
>>
>> I documented the whole process of configuration/installation in a
>> script and a blog entry.
>> So if you want to see what I've done (wrong?) take a look at it on
>> http://spore.sodgeit.de/sporeblog-samba4EN.html .
>>
>> Thanks for all your efforts on samba(4)!
>>
>> Best regards,
>>
>> David Feurle
> Hi David
> Thanks for a good post. It finally made us have a go at winbind and
> S4.
>
> The only bit I had problems with (also on a Precise DC) was the pam
> config. I kept getting locked out with the pam settings you suggested
> but this may be due to us having some ldap stuff in there too.
>
> We ended up installing libpam-winbind using apt-get to see what it
> produced in /etc/pam.d and it came up with this:
>
> /etc/pam.d/common-account
>
> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
> account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
> account requisite pam_deny.so
> account required pam_permit.so
> account required pam_krb5.so minimum_uid=1000
> account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
>
> /etc/pam.d/common-auth
>
> auth [success=4 default=ignore] pam_krb5.so minimum_uid=1000
> auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass
> auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
> auth requisite pam_deny.so
> auth required pam_permit.so
> auth optional pam_cap.so
>
> /etc/pam.d/common-session
>
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session optional pam_umask.so
> session optional pam_krb5.so minimum_uid=1000
> session required pam_unix.so
> session optional pam_winbind.so
> session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
> session optional pam_ck_connector.so nox11
>
> We took a backup, deleted the Ubuntu versions of winbind and copied
> the backup back: bingo :-)
>
> The main limitation of it for us is having to have home directories
> all in the same folder, but that's another matter. I'm sure that
> there's a simple solution to that lurking here...
> Cheers,
> Steve
Hi.
About pam. For Ubuntu I found a nice solution: writing my own
pam-auth-update modules (/usr/share/pam-configs/*).
It's described in my messages here (at the end):
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944
I wrote modules like winbind (mentioned there) for ldap, sss, krb5 and
with this method I got working combined setups containing all these
pam-modules. By changing "Priority" you can control the order of modules
in pam.d configuration.
The winbind module seems to work with s4's winbind too.
Maybe this info will be helpful for someone.
--
Best regards,
Sergey Urushkin
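
The stacks quoted in this thread depend on `success=N` jump counts, where a successful module skips the next N rules; a count that is off by one after modules are added or reordered lands on pam_deny.so (locking users out) or skips it. The following is an added example, not code from the thread or from Samba: a small Python check that every `success=N` lands on pam_permit.so. The function names are hypothetical and the sample input is the common-auth stack quoted above with wrapped lines rejoined.

```python
import re

# Constructed sample: the common-auth stack quoted in the thread, rejoined.
COMMON_AUTH = """\
auth [success=4 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

# type, control (bracketed or single keyword), module
RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_stack(text):
    """Return [(control, module)] for each rule line; skips comments and @include."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE.match(line)
        if m:
            rules.append((m.group(2), m.group(3)))
    return rules


def check_jumps(text):
    """Report every success=N jump that does not land on pam_permit.so."""
    rules = parse_stack(text)
    problems = []
    for i, (control, module) in enumerate(rules):
        m = re.search(r"\bsuccess=(\d+)\b", control)
        if not m:
            continue  # success=ok, plain keywords, etc. do not jump
        target = i + 1 + int(m.group(1))  # index of the rule run after the skip
        if target >= len(rules):
            problems.append(f"{module}: success={m.group(1)} jumps past end of stack")
        elif rules[target][1] != "pam_permit.so":
            problems.append(f"{module}: success={m.group(1)} lands on {rules[target][1]}")
    return problems


if __name__ == "__main__":
    print(check_jumps(COMMON_AUTH) or "all success=N jumps land on pam_permit.so")
```

Run it against a copy of each file under /etc/pam.d before putting the file in place, and keep a root shell open while testing PAM changes.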