Success: Samba4 alpha20 on Ubuntu Precise + Install script

Sergey Urushkin urushkin at
Tue May 15 13:12:34 MDT 2012

On Tue May 15 06:13:05 MDT 2012, steve wrote:
> On 05/14/2012 03:19 PM, David Feurle wrote:
>> I documented the whole process of configuration/installation in a
>> script and a blog entry.
>> So if you want to see what I've done (wrong?) take a look at it on
>> .
>> Thanks for all your efforts on samba(4)!
>> Best regards,
>> David Feurle
> Hi David
> Thanks for a good post. It finally made us have a go at winbind and S4.
> The only bit I had problems with (also on a precise DC) was the pam
> config. I kept getting locked out with the pam settings you suggested
> but this may be due to us having some ldap stuff in there too.
> We ended up installing libpam-winbind using apt-get to see what it
> produced in /etc/pam.d and it came up with this:
> /etc/pam.d/common-account
> account    [success=2 new_authtok_reqd=done default=ignore]    
> account    [success=1 new_authtok_reqd=done default=ignore]
> account    requisite  
> account    required  
> account    required   minimum_uid=1000
> account    [success=ok new_authtok_reqd=done ignore=ignore
> user_unknown=ignore authinfo_unavail=ignore default=bad]    
> minimum_uid=1000
> /etc/pam.d/common-auth
> auth    [success=4 default=ignore] minimum_uid=1000
> auth    [success=3 default=ignore] nullok_secure
> try_first_pass
> auth    [success=2 default=ignore] krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass
> auth    [success=1 default=ignore] minimum_uid=1000
> use_first_pass
> auth    requisite  
> auth    required  
> auth    optional  
> /etc/pam.d/common-session
> session    [default=1]  
> session    requisite  
> session    required  
> session optional  
> session    optional   minimum_uid=1000
> session    required
> session    optional  
> session    [success=ok default=ignore] 
> minimum_uid=1000
> session    optional   nox11
> We took a backup, deleted the Ubuntu versions of winbind and copied the
> backup back: bingo:-)
> The main limitation of it for us is having to have home directories all
> in the same folder, but that's another matter. I'm sure that there's a
> simple solution to that lurking here. . .
> Cheers,
> Steve

About PAM. For Ubuntu I found a nice solution - writing my own 
pam-auth-update modules (/usr/share/pam-configs/*).
It's described in my messages here (at the end):
I wrote modules like winbind (mentioned there) for ldap, sss, krb5 and 
with this method I got working combined setups containing all these 
pam-modules. By changing "Priority" you can control the order of modules 
in pam.d configuration.
Winbind module seems to work with s4's winbind too.

Maybe this info would be helpful for someone.

Best regards,
Sergey Urushkin
