[Samba] ADS Authentication

Tom Skeren tms3 at fsklaw.net
Tue Dec 7 17:31:06 GMT 2004


Christoph Scheeder wrote:

> Hi,
> 2 points:
> 1.) use the smb.conf which gives you a working wbinfo.
> 2.) this sounds like misconfigured pam to me.
>    -you have to tell pam that winbind is "sufficient" for "auth" and
>     "account" with the lines

Here's the /etc/pam.d/login file info.  This must be working because of 
the dual authentication when logging in at the terminal.  In fact if you 
open a new terminal session and log in there, the primary [F1] screen 
will show "pam_winbind[451]: user 'root' granted access".

Further, when attempting to log on with an ADS account, although the 
login fails, pam_winbind grants access.
Here's the file info:

#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM configuration for the "login" service
#

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_self.so             no_warn
auth            include         system
auth            sufficient      /usr/local/lib/pam_winbind.so
# account
account         requisite       pam_securetty.so
account         include         system
account         sufficient      /usr/local/lib/pam_winbind.so

# session
session         include         system

# password
password        include         system

>
>     "account   sufficient pam_winbind.so" and
>     "auth      sufficient pam_winbind.so"
>
>     this drops the need for the local posix-account.
>    -And for the "auth" modify the line with pam_unix.so to read like
>
>     "auth required pam_unix.so use_first_pass nullok"
>
>     this gets rid of the second password-prompt.
>
> hope it helps.
> Christoph
>
> Tom Skeren schrieb:
>
>> Jeremy Allison wrote:
>>
>>> On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:
>>>
>>>> I'm about ready to smash my head through a wall...I could use a few 
>>>> answers.
>>>>
>>>> 1.  When using security = ads, and completing net ads join, it was 
>>>> my understanding that samba authenticated username/pword against 
>>>> ads, and local posix accounts were no longer needed, is this true?
>>>
>>> Yes, so long as you have nsswitch and pam set up correctly. It sounds
>>> like you don't.
>>>
>> Well, I've followed every how to that I can find.  I have some 
>> strangeness.  When I log into the unix terminal I have to supply 2 
>> root passwords...the posix one and the one for root in ADS (they're 
>> different)....to login.  The same for a user with both posix and ADS 
>> accounts.  Non posix account users cannot login with an ADS account 
>> to the terminal.
>>
>> Depending on changes to the smb.conf file I get wild results with 
>> winbindd.  One config gives users and groups with a wbinfo -u/g 
>> command.  Others error out with differing reasons for the errors.
>>
>> I'm really not sure where the error is...it should be working, but it 
>> is not.
>>
>>> Jeremy.
>>>
>>
>
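To make the behaviour described in this thread concrete, here is a small simulator of PAM auth-stack control flags. It is an added example written for this page, not code from Samba, FreeBSD or either poster. It models only what the thread touches (required, requisite, sufficient, include, and the use_first_pass option) and treats pam_nologin as passing and pam_self as failing, as they would for a getty login. The contents of the "system" include, the account store and the order of Christoph's corrected stack (pam_winbind sufficient before pam_unix required) are assumptions made for the example.

```python
"""Toy PAM auth-stack simulator (added example, not project code).

Shows why the posted /etc/pam.d/login asks for two passwords and why a user
with no POSIX account is still refused even though pam_winbind logs
"granted access", and how the suggested use_first_pass change behaves.
"""
from dataclasses import dataclass

# Constructed credential stores: root exists locally and in ADS with different
# passwords; 'adsonly' has an ADS account but no POSIX account.
LOCAL_PASSWD = {"root": "localpw"}
ADS_PASSWD = {"root": "adspw", "adsonly": "secret"}

# Constructed outcomes for the non-authenticating modules in the posted file.
OTHER_MODULE_RESULT = {"pam_nologin.so": True, "pam_self.so": False}


@dataclass
class Entry:
    control: str        # required | requisite | sufficient | include
    module: str         # e.g. pam_unix.so, or the included file name
    args: tuple = ()    # module options such as use_first_pass


# Assumed content of the 'system' include: pam_unix as a required module.
INCLUDES = {"system": [Entry("required", "pam_unix.so", ("nullok",))]}

# The auth section as Tom posted it (paths shortened).
TOM_LOGIN = [
    Entry("required", "pam_nologin.so", ("no_warn",)),
    Entry("sufficient", "pam_self.so", ("no_warn",)),
    Entry("include", "system"),
    Entry("sufficient", "pam_winbind.so"),
]

# Christoph's suggestion, with the ordering assumed: winbind is sufficient
# first, pam_unix stays required but reuses the first password.
FIXED_LOGIN = [
    Entry("required", "pam_nologin.so", ("no_warn",)),
    Entry("sufficient", "pam_winbind.so"),
    Entry("required", "pam_unix.so", ("use_first_pass", "nullok")),
]


def expand(stack, includes):
    """Flatten 'include' lines into one linear module list."""
    out = []
    for e in stack:
        if e.control == "include":
            out.extend(expand(includes[e.module], includes))
        else:
            out.append(e)
    return out


def simulate(stack, user, passwords):
    """Run one login attempt; return (granted, number_of_prompts, log).

    `passwords` is what the user would type at successive prompts.  A module
    with use_first_pass reuses the first token instead of prompting again.
    A sufficient success ends the stack only if no required module failed
    before it; otherwise the stack runs on and ends in failure.
    """
    typed = iter(passwords)
    token, prompts, log, required_failed = None, 0, [], False

    for e in expand(stack, INCLUDES):
        if e.module in ("pam_unix.so", "pam_winbind.so"):
            if "use_first_pass" in e.args and token is not None:
                pw = token
            else:
                pw = next(typed, None)
                prompts += 1
                if token is None:
                    token = pw
            store = LOCAL_PASSWD if e.module == "pam_unix.so" else ADS_PASSWD
            ok = store.get(user) == pw
            log.append(f"{e.module}: user '{user}' "
                       f"{'granted access' if ok else 'denied'}")
        else:
            ok = OTHER_MODULE_RESULT.get(e.module, True)

        if e.control == "requisite" and not ok:
            return False, prompts, log
        if e.control == "required" and not ok:
            required_failed = True
        if e.control == "sufficient" and ok and not required_failed:
            return True, prompts, log
    return not required_failed, prompts, log


if __name__ == "__main__":
    for stack, name in ((TOM_LOGIN, "posted"), (FIXED_LOGIN, "suggested")):
        for user, pws in (("root", ["localpw", "adspw"]), ("adsonly", ["secret", "secret"])):
            granted, prompts, log = simulate(stack, user, pws)
            print(f"{name:9} {user:8} granted={granted} prompts={prompts} {log}")
```

With the posted stack, root needs two prompts (pam_unix, then pam_winbind), and the ADS-only user is refused even though the pam_winbind line in the log says "granted access", because the earlier required pam_unix failure has already doomed the stack. With the suggested ordering, one prompt suffices for either account, and a local-only password still works because pam_unix reuses the token.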