Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working(even closer)

Adam Ranville adam at mks.com
Thu Oct 25 10:28:40 GMT 2001


Hello All,

Still no luck. I'll leave you all with my final configuration, please let me
know if anyone has any ideas on getting my Linux installation to allow
domain logons via telnet.

What doesn't work:
Telnet authentication against our PDC

What does work:
joining the domain
getent passwd
getent group
wbinfo -u
share authentication against our PDC (works great :(???)

Thanks for all your help so far,

Adam

Environment:
winNT4 PDC
RedHat 7.1 basic install (no patches)
samba 2.2.2


/etc/pam.d/system-auth:
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so use_first_pass likeauth nullok
auth        required      /lib/security/pam_deny.so
 
account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so
 
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
 
session     optional      /lib/security/pam_mkhomedir.so umask=0077
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

/usr/local/samba/lib/smb.conf:
[global]
workgroup = MKS
server string = hqnis1
printcap name = /etc/printcap
printing = bsd
guest account = nobody
max log size = 50
security = domain
password server = *
encrypt passwords = Yes
update encrypted = Yes
netbios name = hqnis1
socket options = TCP_NODELAY
local master = No
os level = 0
domain master = False
preferred master = False
wins server = 1.0.0.101
dns proxy = no
smb passwd file = /usr/local/samba/private/smbpasswd
debug level = 1
name resolve order =  wins host bcast
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[adamdir]
comment = Adam Directory
path = /home/meatball
valid users = MKS\adam
public = no
writable = yes
printable = no

/var/log/messages:
Oct 24 13:14:39 hqnis1 pam_winbind[1583]: user 'MKS\adam' granted acces  


-----Original Message-----
From: Adam Ranville [mailto:adam at mks.com]
Sent: Wednesday, October 24, 2001 1:42 PM
To: samba at lists.samba.org
Subject: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working


[root at hqnis1 pam.d]# getent passwd MKS\\adam
MKS\adam:x:10002:10000:Adam Ranville:/home/MKS/adam:/bin/bash

Seems to be in order... I created /home/MKS. Wish the logs could give me an
area to work on.

Adam
-----Original Message-----
From: Rogelio J. Baucells [mailto:rogelio at ats-corp.com]
Sent: Wednesday, October 24, 2001 1:21 PM
To: Adam Ranville
Cc: samba at lists.samba.org
Subject: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working


I had that problem before and it was the "template shell".

Check it is getting that value with:

getent passwd DOMAIN\\username

it should say the shell at the end of the line


Rogelio J.

-----Original Message-----
From: Adam Ranville [mailto:adam at mks.com]
Sent: Wednesday, October 24, 2001 1:16 PM
To: samba at lists.samba.org
Subject: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working



I did put the template shell line in before, it hasn't really changed
anything.
/usr/local/samba/lib/smb.conf:
template shell = /bin/bash

I added "session     optional      /lib/security/pam_mkhomedir.so umask=0077"

Still no luck, it just pauses then closes the session.

Adam
-----Original Message-----
From: Rogelio J. Baucells [mailto:rogelio at ats-corp.com]
Sent: Wednesday, October 24, 2001 1:04 PM
To: samba at lists.samba.org
Subject: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working


Did you change the "template shell" to "bin/bash" or another shell?

If you want to create the home dir on the fly, try this

session     optional      /lib/security/pam_mkhomedir.so umask=0077

in your system-auth

It is working for me without any problem in my RH 7.0 and 7.1 boxes

Rogelio J.

-----Original Message-----
From: Adam Ranville [mailto:adam at mks.com]
Sent: Wednesday, October 24, 2001 12:45 PM
To: Samba (E-mail)
Subject: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working


	Well that seems to have moved me one step closer. I now get a
positive authentication not in /var/messages but it just hangs after I input
the password. Missing a home directory? Invalid shell maybe? I checked the
logs and I've been getting nothing negative.

Almost there...

Adam

tail /var/log/messages:
	Oct 24 12:36:19 hqnis1 pam_winbind[1552]: user 'MKS\adam' granted acces


/etc/pam.d/system-auth:

auth      sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5 shadow use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_unix.so
account     sufficient  /lib/security/pam_winbind.so
account     required      /lib/security/pam_deny.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so


-----Original Message-----
From: Anthony J. Breeds-Taurima [mailto:tony at cantech.net.au]
Sent: Tuesday, October 23, 2001 10:00 PM
To: Adam Ranville
Cc: Samba (E-mail)
Subject: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working


On Tue, 23 Oct 2001, Adam Ranville wrote:

> original file. 

Thanks.
 
> 	I can access a share without domain\username and it works fine. Do I
> require domain\(or +) username for telnet? I have tried that as well. 

Yes you will need to login as:
DOMAIN\user   (or DOMAIN+user)
 
> 	With the attempted system-auth it would kick me out right after
> entering the login. It doesn't even prompt for a password. (single user got
> me out of it).
> 
> Thanks for the help,
> 
> Adam
> 
> attempted /etc/pam.d/system-auth:

<snip>

> account     required      /lib/security/pam_deny.so
> account     required      /lib/security/pam_winbind.so

Like Andrew said swap these 2 lines and you should be happy.

Yours Tony.

/*
 * "The significant problems we face cannot be solved at the 
 * same level of thinking we were at when we created them."
 * --Albert Einstein
 */

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
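
The three account stacks posted in this thread, run through a small model of PAM's classic control flags (required, requisite, sufficient, optional). This is an added example, not code from the thread or from Linux-PAM; the per-user module verdicts are assumptions, and only pam_deny.so always failing and pam_permit.so always succeeding are fixed by definition.

```python
ATTEMPTED = """
account required   /lib/security/pam_deny.so
account required   /lib/security/pam_winbind.so
"""
OCT24 = """
account sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_winbind.so
account required   /lib/security/pam_deny.so
"""
FINAL = """
account sufficient /lib/security/pam_winbind.so
account required   /lib/security/pam_unix.so
"""
# ASSUMED module verdicts per kind of user (constructed, not measured).
DOMAIN_USER = {"pam_winbind.so": True, "pam_unix.so": False}
LOCAL_USER = {"pam_winbind.so": False, "pam_unix.so": True}
FIXED = {"pam_deny.so": False, "pam_permit.so": True}  # true by definition

def parse(text, mgmt="account"):
    # Return [(control, module_basename)] for one management group.
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(text, verdicts, mgmt="account"):
    """Return (allowed, deciding module or reason) for the stack in text."""
    verdicts = {**verdicts, **FIXED}
    failed, succeeded = None, False
    for control, module in parse(text, mgmt):
        ok = verdicts[module]
        if control == "sufficient":
            if ok and failed is None:
                return True, module      # short-circuits the rest of the stack
            continue                     # a sufficient failure is ignored
        if ok:
            succeeded = True
        elif control in ("required", "requisite"):
            failed = failed or module    # remember the first hard failure
            if control == "requisite":
                return False, failed     # requisite stops immediately
    if failed:
        return False, failed
    return (True, "end of stack") if succeeded else (False, "no module succeeded")

if __name__ == "__main__":
    for name, cfg in (("attempted", ATTEMPTED), ("Oct 24", OCT24), ("final", FINAL)):
        print(name, evaluate(cfg, DOMAIN_USER), evaluate(cfg, LOCAL_USER))
```

Under these assumptions, a required pam_deny.so at the top of the stack rejects every user, while placing it last behind the sufficient modules turns it into a default-deny for accounts that no module accepts.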