W2K Domain Login Problem with 2.2.0
vorlon at netexpress.net
Sun Apr 22 15:10:41 GMT 2001
On Sun, 22 Apr 2001, Jeremy Allison wrote:
> On Sun, Apr 22, 2001 at 06:41:06PM +1000, Andrew Bartlett wrote:
> > There seems to be a bug in the interaction between Win2k domain logons
> > and PAM account management. It is not present for my NT4 (no SP) VMware
> > session.
> > I currently don't have access to a Win2k machine, so can't particularly
> > test any further. I suspect that the username being passed to PAM is in
> > some way slightly malformed, such that the account management fails.
> I have a w2k vmware session and can test that at home
> tomorrow (it's very late here California time). Are
> you meaning setting up Samba as a PDC configured as
> --with-pam ? If so I'll test that tomorrow....
> I'm running on RedHat 6.2, without the pam_stack module.
> My current pam.d/samba file looks like :
> auth required /lib/security/pam_pwdb.so nullok shadow
> account required /lib/security/pam_pwdb.so
> session required /lib/security/pam_pwdb.so
> password required /lib/security/pam_pwdb.so
> - is this enough to reproduce it, or do I need to use
> the pam_stack stuff ?
That should be enough to let you debug and determine why we're getting a
PAM_USER_UNKNOWN error, unless it's a problem specifically with Solaris's
pam_unix module. I wouldn't recommend the above configuration on a production
system, though; pam_pwdb is abysmally slow.
pam_stack isn't needed. Well, I'd argue that pam_stack is never needed, and
RedHat should've addressed the issue by setting sane defaults for the 'other'
service, but that's another tale for another time.