[Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
mroper at westcoastdhb.org.nz
Sun Feb 2 19:53:58 GMT 2003
Thanks for your help, still no luck though. More info for you.
with no debug statements in my /etc/pam.conf I get in sys log the following.
Feb 2 14:43:02 coastdr pam_winbind: user 'traininguser' granted acces
with debug turned on I get
Feb 2 14:47:49 coastdr pam_winbind: Verify user `traininguser'
Feb 2 14:47:49 coastdr pam_winbind: user 'traininguser' granted acces
the user is still logging out.
incidentlally, when I log in as a unix user, rather than a win2k user I
don't get anything in sys log. I've included my pam.conf below.
Also, I checked for /etc/shells, no such file, and I have set my smb.conf
shell line to
template shell = /sbin/sh
and also tried
template shell = /usr/bin/sh
both files exist.
# PAM configuration
# Authentication management
login auth sufficient /usr/lib/security/libpam_unix.1 debug
login auth sufficient /usr/lib/security/libpam_winbind.1
#login auth sufficient /usr/lib/security/libpam_smb.1 nolocal
su auth required /usr/lib/security/libpam_unix.1 debug
dtlogin auth required /usr/lib/security/libpam_unix.1 debug
dtaction auth required /usr/lib/security/libpam_unix.1 debug
ftp auth required /usr/lib/security/libpam_unix.1 debug
OTHER auth required /usr/lib/security/libpam_unix.1 debug
# Account management
login account sufficient /usr/lib/security/libpam_unix.1 debug
login account sufficient /usr/lib/security/libpam_winbind.1
su account required /usr/lib/security/libpam_unix.1 debug
dtlogin account required /usr/lib/security/libpam_unix.1 debug
dtaction account required /usr/lib/security/libpam_unix.1 debug
ftp account required /usr/lib/security/libpam_unix.1 debug
OTHER account required /usr/lib/security/libpam_unix.1 debug
# Session management
login session sufficient /usr/lib/security/libpam_unix.1 debug
login session sufficient /usr/lib/security/libpam_winbind.1
dtlogin session required /usr/lib/security/libpam_unix.1 debug
dtaction session required /usr/lib/security/libpam_unix.1 debug
OTHER session required /usr/lib/security/libpam_unix.1 debug
# Password management
login password sufficient /usr/lib/security/libpam_unix.1 debug
login password sufficient /usr/lib/security/libpam_winbind.1
passwd password required /usr/lib/security/libpam_unix.1 debug
passwd password required /usr/lib/security/libpam_winbind.1
dtlogin password required /usr/lib/security/libpam_unix.1 debug
dtaction password required /usr/lib/security/libpam_unix.1 debug
OTHER password required /usr/lib/security/libpam_unix.1 debug
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com]
Sent: Saturday, 1 February 2003 04:53 a.m.
To: 'John H Terpstra'; Miles Roper
Cc: 'samba-technical at lists.samba.org'; 'samba at lists.samba.org'; Esh,
Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); MCCALL,DON
(HP-USA,ex1); 'Richard Sharpe'
Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
Actually on HP-UX, you will need to add the word 'debug' at the end of each
the lines in you /etc/pam.conf file, to enable more debugging to go into the
One thing that I have seen something like this happen on is if the
/etc/shells file is corrupt, or if the shell that is defined for the user
(since they don't have a /etc/passwd entry, this would be whatever you put
template in the smb.conf) does not exactly match one of the lines in
or the defaults, if this file does not exist.
The defaults for 11.0 are:
Hope this helps,
> -----Original Message-----
> From: John H Terpstra [mailto:jht at samba.org]
> Sent: Friday, January 31, 2003 1:36
> To: Miles Roper
> Cc: 'samba-technical at lists.samba.org'; 'samba at lists.samba.org'; Esh,
> Andrew; Ronan Waide; STEFFENS,MICHAEL (HP-Germany,ex1); 'MCCALL,DON
> (HP-USA,ex1)'; 'Richard Sharpe'
> Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck, Please Help
> On Fri, 31 Jan 2003, Miles Roper wrote:
> > Hi Everyone,
> > I'm forgetting about the password one at the moment, thanks
> for all your
> > input :o)
> > I still don't have a clue how to solve my main problem.
> I'm assuming that
> > its not actually winbind related now, as I've recently
> tried pam_smb and get
> > the same basic problem.
> > Basically, when I log into the UNIX box, the
> username/password of a NT user
> > is being authenticated, but doesn't actually log in. It
> doesn't get past
> > the password line. I know it accepts the password. Its
> almost as if it
> > can't find the shell. But the template variable is set
> within the smb.conf
> > file. Permissions are fine. I have exactly the same
> problem with the
> > pam_smb module.
> So what does PAM report into your /var/log files?
> Have you tried adding to each line in your /etc/pam.d/login
> (after the .so
> file name) the word 'audit' - this will increase the volume
> of debugging
> info spit out into /var/log/messages, or wherever PAM send
> this on your
> - John T.
> > If there is any further information I can send let me know.
> > Ideas?
> > Thanks
> > Miles
> > -----Original Message-----
> > From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall at hp.com]
> > Sent: Friday, 31 January 2003 07:06 a.m.
> > To: STEFFENS,MICHAEL (HP-Germany,ex1); Ronan Waide
> > Cc: 'samba at lists.samba.org'; Esh, Andrew; Miles Roper;
> > 'samba-technical at lists.samba.org'; 'Richard Sharpe'
> > Subject: RE: [Samba] RE: Winbind on HPUX11, Totally Stuck,
> Please Help
> > Hi Everyone,
> > This whole problem with the password command not working
> when winbind
> > is included as a method in the nsswitch.conf can probably
> be worked around
> > by simply using the -r files (or -r nis or -r nisplus)
> switch. Take a look
> > at the man page for passwd on HP-UX 11.x and see if this
> won't help you
> > out.
> > Hope this helps,
> > Don
> > > -----Original Message-----
> > > From: Michael Steffens [mailto:michael.steffens at hp.com]
> > > Sent: Tuesday, January 28, 2003 11:52
> > > To: Ronan Waide
> > > Cc: 'samba at lists.samba.org'; Esh, Andrew; Miles Roper;
> > > 'samba-technical at lists.samba.org'; 'Richard Sharpe'
> > > Subject: Re: [Samba] RE: Winbind on HPUX11, Totally
> Stuck, Please Help
> > >
> > >
> > > Ronan Waide wrote:
> > > > On January 28, Andrew_Esh at adaptec.com said:
> > > >
> > > >>I don't have HPUX, so I don't know what to suggest for
> > > that. I just know
> > > >>getent won't work without winbindd in nsswitch.conf on Linux.
> > > >
> > > >
> > > > I think the point that was being made is that NSS support
> > > on HPUX only
> > > > supports a few known types, of which one is LDAP. The
> discussion was
> > > > basically about faking out the system so that what it
> thinks is LDAP
> > > > is actually winbind.
> > >
> > > Yep. It's a HP-UX specific workaround. Please ignore it
> > > everywhere else.
> > >
> > > Michael
> > >
> > >
> John H Terpstra
> Email: jht at samba.org
More information about the samba-technical