[Samba] samba + kerberos + active directory with multiple domains
Winkel, Richard J.
winkelr at missouri.edu
Thu Oct 31 07:16:30 MDT 2013
I think it must be something with /etc/pam.d/password-auth (immediately
included from pam.d/sshd) because there are no messages from pam_winbind
in the syslog except for the connections for the domain admin. The
other users are rejected seemingly without any pam_winbind involvement
(only messages from sshd).
This is password-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
On 10/30/13 6:05 PM, Winkel, Richard J. wrote:
> Many thanks Dale! Sorry I missed it earlier. Now I have wbinfo -a
> working with "domain+user" for the primary as
> well as the trusted domain, but I still can't "ssh domain+user at hostname"
> except for the user that joined the
> machine to the domain (it even created the home dir for that user). But
> for the others it says invalid user in the logs.
> Sorry to be a pain, I'm sure the answer is obvious but the amount of
> documentation is overwhelming :<
>
> Rich
>
> On 10/29/13 1:24 PM, Dale Schroeder wrote:
>> Richard,
>>
>> See if the example for multiple domains as shown on this page is what
>> you are looking for:
>>
>> http://www.samba.org/samba/docs/man/manpages/idmap_rid.8.html
>>
>> Dale
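
An added example, not part of the original thread: a simplified model of how Linux-PAM's `required` / `requisite` / `sufficient` control flags order the auth stack posted above, showing which modules are reached for a given set of module results. The per-module outcomes in `SCENARIOS` are constructed assumptions, not values from the poster's system.

```python
# Simplified model of Linux-PAM's basic control flags, applied to the
# auth stack quoted in the post. Bracketed [value=action] controls are
# not modelled; the auth lines in the post do not use them.
AUTH_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
"""

def parse(text, facility="auth"):
    """Return [(control, module)] for one facility."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """results: module -> True (success) / False (failure).
    Returns (granted, list of modules that were actually called)."""
    called, failed = [], False
    for control, module in stack:
        called.append(module)
        ok = results[module]
        if control == "requisite" and not ok:
            return False, called      # failure ends the stack at once
        if control == "required" and not ok:
            failed = True             # remembered, later modules still run
        if control == "sufficient" and ok and not failed:
            return True, called       # success ends the stack at once
    return not failed, called

# Constructed module outcomes (assumptions, not taken from the poster's logs).
BASE = {"pam_env.so": True, "pam_deny.so": False}
SCENARIOS = {
    "local user": {"pam_unix.so": True, "pam_succeed_if.so": True, "pam_winbind.so": False},
    "domain user, uid resolved": {"pam_unix.so": False, "pam_succeed_if.so": True, "pam_winbind.so": True},
    # pam_succeed_if cannot test uid for a name with no passwd entry, so it fails
    "name with no passwd entry": {"pam_unix.so": False, "pam_succeed_if.so": False, "pam_winbind.so": False},
}

def run(name):
    return evaluate(parse(AUTH_STACK), {**BASE, **SCENARIOS[name]})

if __name__ == "__main__":
    for name in SCENARIOS:
        granted, called = run(name)
        print(f"{name:28} granted={granted} called={called}")
```

In the third scenario the `requisite` line ends the stack before `pam_winbind.so` is called, so that module has nothing to log.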