[Samba] ADS Authentication
Christoph Scheeder
christoph.scheeder at scheeder.de
Wed Dec 8 08:01:46 GMT 2004
Hi,
Your pam.d/logon file looks nice, mostly...
As you stated, the winbind part is authenticating correctly, so you would
be able to log in with an ADS account if the pam system did not try to
verify the posix account too.
This is why you get asked for the second password.
As I'm running Linux and you FreeBSD there are differences in the syntax
of the pam files.
There must be an option like "use_first_pass" in your system too, and I
guess it would apply to the lines calling the "system" module.
You'll have to check your pam documentation for this.
It is definitely not a samba problem.
After winbind authenticated the user there is no part of samba involved
in the login process anymore.
Christoph
Tom Skeren wrote:
> Christoph Scheeder wrote:
>
>> Hi,
>> 2 points:
>> 1.) use the smb.conf which gives you a working wbinfo.
>> 2.) this sounds like misconfigured pam to me.
>> -you have to tell pam that winbind is "sufficient" for "auth" and
>> "account" with the lines
>
>
> Here's the /etc/pam.d/logon file info. This must be working because of
> the dual authentication when logging in at the terminal. In fact if you
> open a new terminal session and log in there, the primary [F1] screen
> will show "pam_winbind[451]: user 'root' granted access".
>
> Further, when attempting to log on with an ADS account, although the
> login fails, pam_winbind grants access.
> Here's the file info:
>
> #
> # $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
> #
> # PAM configuration for the "login" service
> #
>
> # auth
> auth required pam_nologin.so no_warn
> auth sufficient pam_self.so no_warn
> auth include system
> auth sufficient /usr/local/lib/pam_winbind.so
> # account
> account requisite pam_securetty.so
> account include system
> account sufficient /usr/local/lib/pam_winbind.so
>
> # session
> session include system
>
> # password
> password include system
>
>>
>> "account sufficient pam_winbind.so" and
>> "auth sufficient pam_winbind.so"
>>
>> this drops the need for the local posix-account.
>> -And for the "auth" modify the line with pam_unix.so to read like
>>
>> "auth required pam_unix.so use_first_pass nullok"
>>
>> this gets you rid of the second password-prompt.
>>
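As an added check (not code from the thread), the script below parses a PAM service file and flags the ordering that produces the second password prompt discussed above: a password-prompting auth entry that runs after another one without use_first_pass. The "as posted" stack is constructed from the file quoted above; the "fixed" stack and the treatment of FreeBSD's `include system` as a prompting entry (because that stack contains pam_unix) are assumptions.

```python
# Constructed copy of the auth stack from the /etc/pam.d/login quoted above.
LOGIN_AS_POSTED = """\
auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth include system
auth sufficient /usr/local/lib/pam_winbind.so
account include system
account sufficient /usr/local/lib/pam_winbind.so
"""

# Constructed stack following the thread's advice: winbind first and
# sufficient, then pam_unix reusing the password already typed (assumption).
LOGIN_FIXED = """\
auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth sufficient /usr/local/lib/pam_winbind.so
auth required pam_unix.so use_first_pass nullok
"""

# Modules that prompt for a password, plus FreeBSD's included 'system'
# stack, which contains pam_unix and therefore prompts too (assumption).
PROMPTERS = {"pam_unix.so", "pam_winbind.so", "system"}
REUSE_OPTS = {"use_first_pass", "try_first_pass"}

def parse_pam(text):
    """Return (type, control, module, options) for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue                           # blank, comment or malformed
        module = fields[2].rsplit("/", 1)[-1]  # drop any absolute path
        entries.append((fields[0], fields[1], module, fields[3:]))
    return entries

def double_prompt_findings(text):
    """Describe each 'auth' entry that will ask for a second password."""
    auth = [e for e in parse_pam(text) if e[0] == "auth"]
    prompting = [e for e in auth if e[2] in PROMPTERS]
    findings = []
    for prev, (_, control, module, opts) in zip(prompting, prompting[1:]):
        if not REUSE_OPTS.intersection(opts):
            findings.append(f"{module} ({control}) runs after {prev[2]} "
                            "without use_first_pass: second password prompt")
    return findings

if __name__ == "__main__":
    print(double_prompt_findings(LOGIN_AS_POSTED))
    print(double_prompt_findings(LOGIN_FIXED))  # []
```

Because an `include` line cannot carry options, the reuse option has to go on the pam_unix line of the included stack or on an explicit pam_unix line that replaces the include.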