Success: Samba4 alpha20 on Ubuntu Precise + Install script

Sergey Urushkin urushkin at telros.ru
Tue May 15 13:12:34 MDT 2012



On Tue May 15 06:13:05 MDT 2012, steve wrote:
> On 05/14/2012 03:19 PM, David Feurle wrote:
>>
>>
>> I documented the whole process of configuration/installation in a
>> script and a blog entry.
>> So if you want to see what I've done (wrong?) take a look at it on
>> http://spore.sodgeit.de/sporeblog-samba4EN.html .
>>
>> Thanks for all your efforts on samba(4)!
>>
>> Best regards,
>>
>> David Feurle
> Hi David
> Thanks for a good post. It finally made us have a go at winbind and S4.
>
> The only bit I had problems with (also on a precise DC) was the pam
> config. I kept getting locked out with the pam settings you suggested
> but this may be due to us having some ldap stuff in there too.
>
> We ended up installing libpam-winbind using apt-get to see what it
> produced in /etc/pam.d and it came up with this:
>
> /etc/pam.d/common-account
>
> account    [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so
> account    [success=1 new_authtok_reqd=done default=ignore]    pam_winbind.so
> account    requisite            pam_deny.so
> account    required            pam_permit.so
> account    required            pam_krb5.so minimum_uid=1000
> account    [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]    pam_ldap.so minimum_uid=1000
>
> /etc/pam.d/common-auth
>
> auth    [success=4 default=ignore]    pam_krb5.so minimum_uid=1000
> auth    [success=3 default=ignore]    pam_unix.so nullok_secure try_first_pass
> auth    [success=2 default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> auth    [success=1 default=ignore]    pam_ldap.so minimum_uid=1000 use_first_pass
> auth    requisite            pam_deny.so
> auth    required            pam_permit.so
> auth    optional            pam_cap.so
>
> /etc/pam.d/common-session
>
> session    [default=1]            pam_permit.so
> session    requisite            pam_deny.so
> session    required            pam_permit.so
> session optional            pam_umask.so
> session    optional            pam_krb5.so minimum_uid=1000
> session    required    pam_unix.so
> session    optional            pam_winbind.so
> session    [success=ok default=ignore]    pam_ldap.so minimum_uid=1000
> session    optional            pam_ck_connector.so nox11
>
> We took a backup, deleted the Ubuntu versions of winbind and copied the
> backup back: bingo:-)
>
> The main limitation of it for us is having to have home directories all
> in the same folder, but that's another matter. I'm sure that there's a
> simple solution to that lurking here. . .
> Cheers,
> Steve

Hi.
About pam. For Ubuntu I found a nice solution - writing my own 
pam-auth-update modules (/usr/share/pam-configs/*).
It's described in my messages here (at the end): 
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944
I wrote modules like winbind (mentioned there) for ldap, sss, krb5 and 
with this method I got working combined setups containing all these 
pam-modules. By changing "Priority" you can control the order of modules 
in pam.d configuration.
Winbind module seems to work with s4's winbind too.

Maybe this info would be helpful for someone.

-- 
Best regards,
Sergey Urushkin
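
Added example, not part of the messages above and not Samba or Ubuntu code: a small Python check that every `success=N` jump in a stack like the quoted common-auth lands on pam_permit.so, which is the property that breaks when modules are added or reordered by hand instead of through pam-auth-update priorities. The function names and the `pam_example.so` module are hypothetical, and the hand-edited stack is constructed for illustration.

```python
import re

# common-auth as quoted in the thread above, with the mail-wrapped lines rejoined
COMMON_AUTH = """\
auth [success=4 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

# Constructed: a module inserted by hand (pam_example.so is hypothetical), counts not renumbered
HAND_EDITED = COMMON_AUTH.replace(
    "auth requisite pam_deny.so",
    "auth [success=1 default=ignore] pam_example.so\nauth requisite pam_deny.so")

LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text, pam_type):
    """Return [(control, module)] for one management group, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = LINE.match(line)
        if m and m.group(1).lstrip("-") == pam_type:
            stack.append((m.group(2), m.group(3)))
    return stack

def check_jumps(text, pam_type="auth"):
    """Return [(module, N, landing_module_or_None)] for every success=N control."""
    stack = parse_stack(text, pam_type)
    report = []
    for i, (control, module) in enumerate(stack):
        m = re.search(r"\bsuccess=(\d+)\b", control)
        if m:
            n = int(m.group(1))
            target = i + n + 1  # success=N skips the next N modules
            landing = stack[target][1] if target < len(stack) else None
            report.append((module, n, landing))
    return report

def bad_jumps(text, pam_type="auth"):
    """Jumps that miss pam_permit.so (None means past the end of the stack)."""
    return [r for r in check_jumps(text, pam_type) if r[2] != "pam_permit.so"]
```

In the hand-edited stack the four original modules now land on pam_deny.so on success, so a correct password is rejected; the posted stack passes the check.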

