[Samba] Gentoo, Pam, Sshd, Winbind + AD
mike cole
coley at linuxmail.org
Fri Aug 5 19:22:54 GMT 2005
Hi,
I've read through some of the posts and can't see an answer to my query so I'm throwing it here :)
GOAL: To use Winbind to authenticate users against directory, for Console Login, GDM, SSH etc.
While this has been somewhat successful, there are a few errors that I would like to remove (if possible).
Firstly:
When I ssh with an AD user all appears to log in ok, except the ssh client in windows throws up 'Enter your Authentication Response', and in the syslog there are 2 entries:
pam_winbind[12657]: user 'bill' granted access
pam_winbind[12657]: user 'bill' granted access
sshd[12714]: Accepted keyboard-interactive/pam for bill from xx.xx.xx.xx port 1423 ssh2
sshd(pam_unix)[12720]: session opened for user bill by (uid=0)
Shouldn't there just be one pam_winbind entry?
Secondly:
When I ssh with a non-AD user, such as root, windows still throws up 'Enter your Authentication Response', and in the syslog, the following:
pam_winbind[12682]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
pam_winbind[12682]: user 'root' granted access
sshd[12677]: Accepted keyboard-interactive/pam for root from xx.xx.xx.xx port 1413 ssh2
sshd(pam_unix)[12683]: session opened for user root by root(uid=0)
Now, although it did indeed log my root user in, I'm baffled as to why winbind even attempted to look in the AD. In the nsswitch.conf (below) it clearly states COMPAT WINBIND, which I took to mean that it would look in files first (e.g. passwd/group) and then winbind would query the AD, but clearly this error states otherwise.
# /etc/nsswitch.conf:
passwd: compat winbind
shadow: compat
group: compat winbind
# /etc/pam/sshd
#%PAM-1.0
auth required pam_stack.so service=system-auth-winbind
auth required pam_shells.so
auth required pam_nologin.so
account required pam_stack.so service=system-auth-winbind
password required pam_stack.so service=system-auth-winbind
session required pam_stack.so service=system-auth-winbind
# /etc/pam/system-auth-winbind
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
#session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
Any pointers or direct help would be gratefully received.
Thanks
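Added example, not part of the original post and not Samba or Linux-PAM code: a simplified model of how the `auth` stack quoted above is walked under the standard Linux-PAM meanings of `required`, `requisite`, `sufficient` and `optional`. The module outcomes fed to it are constructed assumptions; it shows that pam_winbind.so is consulted for every login, local accounts included, because it precedes pam_unix.so in the stack.

```python
# Added example: simplified model of Linux-PAM control flags (simple keywords only).
# "auth" lines copied from the system-auth-winbind file quoted in the post.
SYSTEM_AUTH_WINBIND = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
"""

def parse_stack(text, facility):
    """Return [(control, module)] for one facility, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results):
    """results maps module -> True if it would return PAM_SUCCESS.
    Returns (granted, modules_consulted)."""
    required_failed = required_ok = False
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, consulted        # stack stops here
            # a failing "sufficient" module is ignored; evaluation continues
        elif control == "requisite":
            if not ok:
                return False, consulted       # fail immediately
            required_ok = True
        elif control == "required":
            if ok:
                required_ok = True
            else:
                required_failed = True        # fail, but keep running the stack
        elif control != "optional":
            raise ValueError(f"unsupported control flag: {control}")
    return required_ok and not required_failed, consulted

AUTH = parse_stack(SYSTEM_AUTH_WINBIND, "auth")
# Constructed module outcomes (assumptions): pam_env succeeds, pam_deny always fails.
BASE = {"pam_env.so": True, "pam_deny.so": False}
AD_USER = evaluate(AUTH, {**BASE, "pam_winbind.so": True, "pam_unix.so": False})
LOCAL_USER = evaluate(AUTH, {**BASE, "pam_winbind.so": False, "pam_unix.so": True})
BAD_LOGIN = evaluate(AUTH, {**BASE, "pam_winbind.so": False, "pam_unix.so": False})
```

The list returned alongside each decision is the order in which modules were asked, which is the order of the lines in the PAM file.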