[Samba] ADS Authentication
Tom Skeren
tms3 at fsklaw.net
Tue Dec 7 17:31:06 GMT 2004
Christoph Scheeder wrote:
> Hi,
> 2 points:
> 1.) use the smb.conf which gives you a working wbinfo.
> 2.) this sounds like misconfigured pam to me.
> -you have to tell pam that winbind is "sufficient" for "auth" and
> "account" with the lines
Here's the /etc/pam.d/logon file info. This must be working because of
the dual authentication when logging in at the terminal. In fact if you
open a new terminal session and log in there, the primary [F1] screen
will show "pam_winbind[451]: user 'root' granted access".
Further, when attempting to log on with an ADS account, although the
login fails, pam_winbind grants access.
Here's the file info:
#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM configuration for the "login" service
#
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth include system
auth sufficient /usr/local/lib/pam_winbind.so
# account
account requisite pam_securetty.so
account include system
account sufficient /usr/local/lib/pam_winbind.so
# session
session include system
# password
password include system
>
> "account sufficient pam_winbind.so" and
> "auth sufficient pam_winbind.so"
>
> this drops the need for the local posix-account.
> -And for the "auth" modify the line with pam_unix.so to read like
>
> "auth required pam_unix.so use_first_pass nullok"
>
> this gets rid of the second password-prompt.
>
> hope it helps.
> Christoph
>
> Tom Skeren schrieb:
>
>> Jeremy Allison wrote:
>>
>>> On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:
>>>
>>>
>>>> I'm about ready to smash my head through a wall...I could use a few
>>>> answers.
>>>>
>>>> 1. When using security = ads, and completing net ads join, it was
>>>> my understanding that samba authenticated username/pword against
>>>> ads, and local posix accounts were no longer needed, is this true?
>>>>
>>>
>>>
>>>
>>> Yes, so long as you have nsswitch and pam set up correctly. It sounds
>>> like you don't.
>>>
>>>
>> Well, I've followed every how to that I can find. I have some
>> strangeness. When I log into the unix terminal I have to supply 2
>> root passwords...the posix one and the one for root in ADS (they're
>> different)...to log in. The same for a user with both posix and ADS
>> accounts. Non posix account users cannot login with an ADS account
>> to the terminal.
>>
>> Depending on changes to the smb.conf file I get wild results with
>> winbindd. One config gives users and groups with a wbinfo -u/g
>> command. Others error out with differing reasons for the errors.
>>
>> I'm really not sure where the error is...it should be working, but it
>> is not.
>>
>>> Jeremy.
>>>
>>>
>>
>
>
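The PAM behaviour this thread turns on (how `required`, `sufficient` and `include` combine, and why `use_first_pass` removes the second password prompt) can be seen in a small model of an `auth` stack. This is an added illustration, not code from the thread, Samba or FreeBSD: the contents of the `system` stack, the user records and the passwords are constructed assumptions, and the single-prompt stack is one ordering consistent with Christoph's advice, not his exact file. It runs the stack as posted above for a local root user and for an ADS-only user, then runs the reworked stack for the same users.

```python
"""Toy model of PAM 'auth' stack evaluation (control flags, include,
password prompting). Added example; stacks and users are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    name: str
    local_password: Optional[str] = None   # None: no POSIX account
    ads_password: Optional[str] = None     # None: no ADS account


class Conversation:
    """Stands in for the PAM conversation: counts prompts and keeps the
    last token entered (PAM_AUTHTOK) so later modules can reuse it."""

    def __init__(self, typed):
        self.typed = list(typed)   # what the user types at each prompt
        self.prompts = 0
        self.authtok = None

    def prompt(self):
        self.prompts += 1
        pw = self.typed.pop(0) if self.typed else ""
        self.authtok = pw
        return pw


def get_token(conv, options):
    # use_first_pass: reuse the earlier token, fail (None) if there is none
    if "use_first_pass" in options:
        return conv.authtok
    if "try_first_pass" in options and conv.authtok is not None:
        return conv.authtok
    return conv.prompt()        # default: ask the user again


def _check(stored, conv, options):
    pw = get_token(conv, options)
    return pw is not None and stored is not None and pw == stored


def pam_nologin(user, conv, options):
    return True                 # assumption: /var/run/nologin is absent


def pam_self(user, conv, options):
    return False                # a getty login has no originating user to match


def pam_unix(user, conv, options):
    if "nullok" in options and user.local_password == "":
        return True             # empty local password accepted with nullok
    return _check(user.local_password, conv, options)


def pam_winbind(user, conv, options):
    return _check(user.ads_password, conv, options)


MODULES = {"pam_nologin.so": pam_nologin, "pam_self.so": pam_self,
           "pam_unix.so": pam_unix, "pam_winbind.so": pam_winbind}

# (control, module, options); 'include' splices another stack in place.
STACKS = {
    # Assumed content of the FreeBSD 'system' auth stack (constructed).
    "system": [("required", "pam_unix.so", ())],
    # The login file as posted in the thread, auth entries only.
    "login_as_posted": [
        ("required", "pam_nologin.so", ()),
        ("sufficient", "pam_self.so", ()),
        ("include", "system", ()),
        ("sufficient", "pam_winbind.so", ()),
    ],
    # One ordering consistent with Christoph's advice: winbind prompts once,
    # pam_unix reuses that token instead of prompting a second time.
    "login_single_prompt": [
        ("required", "pam_nologin.so", ()),
        ("sufficient", "pam_self.so", ()),
        ("sufficient", "pam_winbind.so", ()),
        ("required", "pam_unix.so", ("use_first_pass", "nullok")),
    ],
}


def expand(name):
    out = []
    for control, module, options in STACKS[name]:
        out.extend(expand(module) if control == "include"
                   else [(control, module, options)])
    return out


def authenticate(stack_name, user, typed):
    """Return (granted, prompt_count, trace) for one login attempt."""
    conv, trace, required_failed = Conversation(typed), [], False
    for control, module, options in expand(stack_name):
        ok = MODULES[module](user, conv, options)
        trace.append(f"{control:10} {module:16} {'ok' if ok else 'fail'}")
        if control == "requisite" and not ok:
            return False, conv.prompts, trace
        if control == "required" and not ok:
            required_failed = True      # keep going, but the result is fixed
        if control == "sufficient" and ok and not required_failed:
            return True, conv.prompts, trace
    return not required_failed, conv.prompts, trace


ROOT = User("root", local_password="posix-secret", ads_password="ads-secret")
ADS_ONLY = User("jdoe", ads_password="ads-only")

if __name__ == "__main__":
    for stack, user, typed in [
        ("login_as_posted", ROOT, ["posix-secret", "ads-secret"]),
        ("login_as_posted", ADS_ONLY, ["ads-only", "ads-only"]),
        ("login_single_prompt", ADS_ONLY, ["ads-only"]),
    ]:
        granted, prompts, trace = authenticate(stack, user, typed)
        print(f"{stack} / {user.name}: granted={granted} prompts={prompts}")
        print("  " + "\n  ".join(trace))
```

On the posted stack the trace reproduces both symptoms from the thread: root is asked for two passwords because `pam_unix` (via `include system`) and `pam_winbind` each run their own prompt, and an ADS-only user is refused even though `pam_winbind` succeeds, because the `required` `pam_unix` entry had already failed and a later `sufficient` success cannot override a `required` failure. With `pam_winbind` placed first as `sufficient` and `pam_unix` given `use_first_pass`, each user is prompted once.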