Success: Samba4 alpha20 on Ubuntu Precise + Install script
urushkin at telros.ru
Tue May 15 13:12:34 MDT 2012
On Tue May 15 06:13:05 MDT 2012, steve wrote:
> On 05/14/2012 03:19 PM, David Feurle wrote:
>> I documented the whole process of configuration/installation in a
>> script and a blog entry.
>> So if you want to see what I've done (wrong?) take a look at it on
>> http://spore.sodgeit.de/sporeblog-samba4EN.html .
>> Thanks for all your efforts on samba(4)!
>> Best regards,
>> David Feurle
> Hi David
> Thanks for a good post. It finally made us have a go at winbind and
> The only bit I had problems with (also on a Precise DC) was the pam
> config. I kept getting locked out with the pam settings you suggested
> but this may be due to us having some ldap stuff in there too.
> We ended up installing libpam-winbind using apt-get to see what it
> produced in /etc/pam.d and it came up with this:
> account [success=2 new_authtok_reqd=done default=ignore]
> account [success=1 new_authtok_reqd=done default=ignore]
> account requisite pam_deny.so
> account required pam_permit.so
> account required pam_krb5.so minimum_uid=1000
> account [success=ok new_authtok_reqd=done ignore=ignore
> user_unknown=ignore authinfo_unavail=ignore default=bad]
> auth [success=4 default=ignore] pam_krb5.so minimum_uid=1000
> auth [success=3 default=ignore] pam_unix.so nullok_secure
> auth [success=2 default=ignore] pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass
> auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000
> auth requisite pam_deny.so
> auth required pam_permit.so
> auth optional pam_cap.so
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session optional pam_umask.so
> session optional pam_krb5.so minimum_uid=1000
> session required pam_unix.so
> session optional pam_winbind.so
> session [success=ok default=ignore] pam_ldap.so
> session optional pam_ck_connector.so nox11
> We took a backup, deleted the Ubuntu versions of winbind and copied
> the backup back: bingo :-)
> The main limitation of it for us is having to have home directories
> in the same folder, but that's another matter. I'm sure that there's
> a simple solution to that lurking here. . .
About pam. For Ubuntu I found a nice solution - writing my own
pam-auth-update modules (/usr/share/pam-configs/*)
It's described in my messages here (at the end):
I wrote modules like winbind (mentioned there) for ldap, sss, krb5 and
with this method I got working combined setups containing all these
pam-modules. By changing "Priority" you can control the order of modules
in pam.d configuration.
The winbind module seems to work with s4's winbind too.
Maybe this info would be helpful for someone.
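
The ordering rule mentioned in this message, as an added example that is not part of the original post and is not pam-auth-update's own code: a simplified Python model that parses profiles in the /usr/share/pam-configs/ format, sorts the Primary auth modules by descending Priority, and resolves success=end into the jump counts seen in the quoted common-auth output. The profile contents and Priority values are constructed for illustration, and one Auth line per profile is assumed.

```python
# Simplified model of pam-auth-update ordering (added example, not the tool's code).
# Profile format as used under /usr/share/pam-configs/; values below are constructed.
TEMPLATE = """Name: {name}
Default: yes
Priority: {prio}
Auth-Type: Primary
Auth:
\t[success=end default=ignore]\t{module}
"""

SAMPLES = [  # constructed profiles; Priority values are assumptions
    TEMPLATE.format(name="winbind", prio=192, module="pam_winbind.so krb5_auth"),
    TEMPLATE.format(name="unix", prio=256, module="pam_unix.so nullok_secure"),
    TEMPLATE.format(name="krb5", prio=704, module="pam_krb5.so minimum_uid=1000"),
    TEMPLATE.format(name="ldap", prio=128, module="pam_ldap.so minimum_uid=1000"),
]

def parse_profile(text):
    """Parse one profile; indented lines continue the previous field."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key].append(line.strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = [value.strip()] if value.strip() else []
    return fields

def render_auth(profile_texts):
    """Return common-auth lines: highest Priority first, success=end resolved."""
    profiles = [parse_profile(t) for t in profile_texts]
    primary = [p for p in profiles if p.get("Auth-Type") == ["Primary"]]
    primary.sort(key=lambda p: int(p["Priority"][0]), reverse=True)
    lines = []
    for i, p in enumerate(primary):
        # On success, skip the remaining primary modules plus pam_deny.so,
        # landing on pam_permit.so.
        jump = len(primary) - i
        entry = p["Auth"][0]  # assumption: one module line per profile
        lines.append("auth\t" + entry.replace("success=end", f"success={jump}"))
    # Fallthrough: every primary module failed, so deny.
    lines += ["auth\trequisite\tpam_deny.so", "auth\trequired\tpam_permit.so"]
    return lines

if __name__ == "__main__":
    print("\n".join(render_auth(SAMPLES)))
```

A profile whose Priority puts it in the wrong position changes which module sees the password first, so it is worth rendering the stack this way and keeping a root shell open before running pam-auth-update on a live system.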