[Samba] samba + kerberos + active directory with multiple domains
Dale Schroeder
dale at BriannasSaladDressing.com
Thu Oct 31 12:53:42 MDT 2013
You are correct. I have an almost default /etc/pam.d/sshd that works;
all I have added is
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
HTH,
Dale
On 10/31/2013 8:16 AM, Winkel, Richard J. wrote:
> I think it must be something with /etc/pam.d/password-auth (immediately
> included from pam.d/sshd) because there are no messages from pam_winbind
> in the syslog except for the connections for the domain admin. The
> other users are rejected seemingly without any pam_winbind involvement
> (only messages from sshd).
> This is password-auth:
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_winbind.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_winbind.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_oddjob_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
>
>
> On 10/30/13 6:05 PM, Winkel, Richard J. wrote:
>> Many thanks Dale! Sorry I missed it earlier. Now I have wbinfo -a
>> working with "domain+user" for the primary as
>> well as the trusted domain, but I still can't "ssh domain+user@hostname"
>> except for the user that joined the
>> machine to the domain (it even created the home dir for that user). But
>> for the others it says invalid user in the logs.
>> Sorry to be a pain, I'm sure the answer is obvious but the amount of
>> documentation is overwhelming :<
>>
>> Rich
>>
>> On 10/29/13 1:24 PM, Dale Schroeder wrote:
>>> Richard,
>>>
>>> See if the example for multiple domains as shown on this page is what
>>> you are looking for:
>>>
>>> http://www.samba.org/samba/docs/man/manpages/idmap_rid.8.html
>>>
>>> Dale
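The symptom in this thread (wbinfo -a succeeds, sshd logs "invalid user", and pam_winbind never appears in syslog for the failing accounts) is what a host shows when sshd cannot resolve the login name through NSS: sshd looks the user up with getpwnam before the PAM stack is consulted, so the PAM lines are never reached. The following diagnostic is an added example, not code from the thread or from Samba; it checks the nsswitch.conf side, which Dale's pam_winbind lines on their own do not cover. The account name "DOMAIN+user" and the nsswitch.conf content fed to the function are assumptions and constructed samples.

```shell
#!/bin/sh
# Added diagnostic for the "wbinfo -a works but ssh says invalid user" case.
# Assumption: a winbind-joined host where sshd rejects DOMAIN+user before
# PAM runs because NSS (getpwnam) does not know the account.

# nss_has_winbind: read an nsswitch.conf from stdin and return 0 only if
# both the passwd and the group databases list winbind. Comment lines are
# skipped; the order of sources (files, winbind, ...) is not checked.
nss_has_winbind() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "winbind") p = 1 }
        $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "winbind") g = 1 }
        END { if (p && g) exit 0; else exit 1 }
    '
}

# check_user: resolve one account the way sshd does (getent goes through
# NSS) and, if that fails, ask winbindd directly with wbinfo -i to show
# whether the gap is in nsswitch.conf rather than in winbind itself.
# Returns 0 when NSS resolves the account, 1 otherwise.
check_user() {
    user="$1"
    if getent passwd "$user" >/dev/null 2>&1; then
        echo "$user resolves via NSS; sshd will hand it to PAM"
        return 0
    fi
    echo "NSS cannot resolve $user: sshd will log 'Invalid user' and PAM is never reached"
    if command -v wbinfo >/dev/null 2>&1 && wbinfo -i "$user" >/dev/null 2>&1; then
        echo "  winbindd does know $user, so check the passwd:/group: lines in /etc/nsswitch.conf"
    fi
    return 1
}

# Usage: sh check_winbind_nss.sh 'DOMAIN+user'
if [ "$#" -gt 0 ]; then
    if [ -r /etc/nsswitch.conf ]; then
        if nss_has_winbind </etc/nsswitch.conf; then
            echo "/etc/nsswitch.conf lists winbind for passwd and group"
        else
            echo "/etc/nsswitch.conf is missing winbind on passwd: and/or group:"
        fi
    fi
    check_user "$1"
fi
```

Run it as root on the affected box with the same "DOMAIN+user" string that worked for wbinfo -a; if the account resolves through NSS and sshd still rejects it, the problem is in the PAM stack and the pam_winbind messages should now show up in syslog.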