winbind network authentication troubleshooting

Elia Pinto gitter.spiros at gmail.com
Tue May 7 17:49:42 MDT 2013


Hi

Are you sure that auth required pam_unix,
or in any case setting pam_unix to required, is the right thing to
do if you are using winbind? If the user is not local but remote
only, sufficient is a better way to express this requisite in PAM.

Best

2013/5/7, C.J. Adams-Collier KF7BMP <cjac at colliertech.org>:
> Hello folks,
>
> I'm working on a project to replace NIS with winbind on FreeBSD 6.3.
> I've not worked with nss before, as all of my own systems authenticate
> against local files, so both NIS and winbind are relatively new to me.
> I have built samba 3.5.21 for the target environment and am currently
> exercising the ssh use case.  You can also assume that I'm new to
> FreeBSD.
>
> I have modified /etc/nsswitch.conf to query libnss_winbind.so after
> files:
>
> # grep -E '^(group|passwd):' /etc/nsswitch.conf
> group: files winbind
> passwd: files winbind
>
> I have also modified /etc/pam.d/sshd to make use of the functions in
> pam_winbind.so:
>
> # grep -E '^(auth|account|session|password)' /etc/pam.d/sshd
> auth		sufficient	pam_opie.so		no_warn no_fake_prompts
> auth		requisite	pam_opieaccess.so	no_warn allow_local
> auth		required	pam_unix.so		no_warn try_first_pass
> auth            sufficient      pam_winbind.so try_first_pass
> account		required	pam_nologin.so
> account		required	pam_login_access.so
> account		required	pam_unix.so
> account         sufficient      pam_winbind.so try_first_pass
> session		required	pam_permit.so
> session         sufficient      pam_winbind.so mkhomedir
> session         sufficient      pam_winbind.so
> password        sufficient      pam_winbind.so try_first_pass
> password	required	pam_unix.so		no_warn try_first_pass
>
> From what I have observed with gdb, based on the nsswitch.conf changes,
> libc will dlopen /lib/nss_winbind.so.1 (not /lib/libnss_winbind.so.2)
> and (eventually) call the _nss_winbind_getpwnam_r, which is defined in
> nsswitch/winbind_nss_linux.[co] and extern defined in
> nsswitch/winbind_nss_freebsd.c.  gdb 6.1.1 doesn't much like the
> indirect way we get to winbind_nss_freebsd.c, so it's a bit difficult
> for me to step through the code once it gets to this point.
>
> Anybody got any tips?
>
> Cheers,
>
> C.J.
>
>

-- 
Sent from my mobile device
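
Added example (not part of either message, and not Samba or OpenPAM code): a simplified Python model of the documented required/requisite/sufficient control flags, run over the auth chain quoted above. In this model, changing pam_unix to sufficient admits a winbind-only user but also accepts a rejected password unless the chain ends in a required module that fails. The per-module outcomes and the pam_deny.so line are assumptions made for illustration.

```python
# Added example: simplified model of PAM control flags, not OpenPAM source.
POSTED_AUTH = [  # auth chain quoted in the post
    ("sufficient", "pam_opie.so"),
    ("requisite", "pam_opieaccess.so"),
    ("required", "pam_unix.so"),
    ("sufficient", "pam_winbind.so"),
]

def evaluate(stack, passing):
    """Return True if the chain grants access; `passing` = modules that succeed."""
    required_failed = False
    for flag, module in stack:
        if module in passing:
            # A sufficient success ends the chain only if no required module failed earlier.
            if flag == "sufficient" and not required_failed:
                return True
        elif flag == "requisite":
            return False            # fail immediately
        elif flag == "required":
            required_failed = True  # keep going, but the chain will fail
        # a failed sufficient module is ignored
    return not required_failed

def set_flag(stack, module, flag):
    """Copy of stack with one module's control flag changed."""
    return [(flag if m == module else f, m) for f, m in stack]

# Constructed outcomes (assumptions): which modules succeed for each login attempt.
DOMAIN_USER = {"pam_opieaccess.so", "pam_winbind.so"}  # winbind-only account
LOCAL_USER = {"pam_opieaccess.so", "pam_unix.so"}      # local account
BAD_PASSWORD = {"pam_opieaccess.so"}                   # password rejected everywhere

UNIX_SUFFICIENT = set_flag(POSTED_AUTH, "pam_unix.so", "sufficient")
# Assumption: pam_deny.so (always fails) appended as a final required module.
FAIL_CLOSED = UNIX_SUFFICIENT + [("required", "pam_deny.so")]

def report():
    """Evaluate each stack variant against each constructed login attempt."""
    stacks = [("posted", POSTED_AUTH), ("unix_sufficient", UNIX_SUFFICIENT),
              ("fail_closed", FAIL_CLOSED)]
    cases = [("domain", DOMAIN_USER), ("local", LOCAL_USER), ("bad", BAD_PASSWORD)]
    return {n: {c: evaluate(s, p) for c, p in cases} for n, s in stacks}

if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:16} {row}")
```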

