Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working (even closer)
Adam Ranville
adam at mks.com
Thu Oct 25 10:28:40 GMT 2001
Hello All,
Still no luck. I'll leave you all with my final configuration, please let me
know if anyone has any ideas on getting my Linux installation to allow
domain logons via telnet.
What doesn't work:
Telnet authentication against our PDC
What does work:
joining the domain
getent passwd
getent group
wbinfo -u
share authentication against our PDC (works great :(???)
Thanks for all your help so far,
Adam
Environment:
winNT4 PDC
Redhat 7.1 basic install (no patches)
samba 2.2.2
/etc/pam.d/system-auth:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session optional /lib/security/pam_mkhomedir.so umask=0077
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
/usr/local/samba/lib/smb.conf:
[global]
workgroup = MKS
server string = hqnis1
printcap name = /etc/printcap
printing = bsd
guest account = nobody
max log size = 50
security = domain
password server = *
encrypt passwords = Yes
update encrypted = Yes
netbios name = hqnis1
socket options = TCP_NODELAY
local master = No
os level = 0
domain master = False
preferred master = False
wins server = 1.0.0.101
dns proxy = no
smb passwd file = /usr/local/samba/private/smbpasswd
debug level = 1
name resolve order = wins host bcast
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[adamdir]
comment = Adam Directory
path = /home/meatball
valid users = MKS\adam
public = no
writable = yes
printable = no
/var/log/messages:
Oct 24 13:14:39 hqnis1 pam_winbind[1583]: user 'MKS\adam' granted acces
-----Original Message-----
From: Adam Ranville [mailto:adam at mks.com]
Sent: Wednesday, October 24, 2001 1:42 PM
To: samba at lists.samba.org
Subject: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
[root at hqnis1 pam.d]# getent passwd MKS\\adam
MKS\adam:x:10002:10000:Adam Ranville:/home/MKS/adam:/bin/bash
Seems to be in order... I created /home/MKS. Wish the logs could give me an
area to work on.
Adam
-----Original Message-----
From: Rogelio J. Baucells [mailto:rogelio at ats-corp.com]
Sent: Wednesday, October 24, 2001 1:21 PM
To: Adam Ranville
Cc: samba at lists.samba.org
Subject: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
I had that problem before and it was the "template shell".
Check it is getting that value with:
getent passwd DOMAIN\\username
it should say the shell at the end of the line
Rogelio J.
-----Original Message-----
From: Adam Ranville [mailto:adam at mks.com]
Sent: Wednesday, October 24, 2001 1:16 PM
To: samba at lists.samba.org
Subject: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
I did put the template shell line in before, it hasn't really changed
anything.
/usr/local/samba/lib/smb.conf:
template shell = /bin/bash
I added "session optional /lib/security/pam_mkhomedir.so umask=0077"
Still no luck, it just pauses then closes the session.
Adam
-----Original Message-----
From: Rogelio J. Baucells [mailto:rogelio at ats-corp.com]
Sent: Wednesday, October 24, 2001 1:04 PM
To: samba at lists.samba.org
Subject: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
Did you change the "template shell" to "bin/bash" or another shell?
If you want to create the home dir on the fly, try this
session optional /lib/security/pam_mkhomedir.so umask=0077
in your system-auth
It is working for me without any problem in my RH 7.0 and 7.1 boxes
Rogelio J.
-----Original Message-----
From: Adam Ranville [mailto:adam at mks.com]
Sent: Wednesday, October 24, 2001 12:45 PM
To: Samba (E-mail)
Subject: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
Well that seems to have moved me one step closer. I now get a
positive authentication not in /var/messages but it just hangs after I input
the password. Missing a home directory? Invalid shell maybe? I checked the
logs and I've been getting nothing negative.
Almost there...
Adam
tail /var/log/messages:
Oct 24 12:36:19 hqnis1 pam_winbind[1552]: user 'MKS\adam' granted acces
/etc/pam.d/system-auth:
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
-----Original Message-----
From: Anthony J. Breeds-Taurima [mailto:tony at cantech.net.au]
Sent: Tuesday, October 23, 2001 10:00 PM
To: Adam Ranville
Cc: Samba (E-mail)
Subject: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
On Tue, 23 Oct 2001, Adam Ranville wrote:
> original file.
Thanks.
> I can access a share without domain\username and it works fine. Do I
> require domain\(or +) username for telnet? I have tried that as well.
Yes you will need to login as:
DOMAIN\user (or DOMAIN+user)
> With the attempted system-auth it would kick me out right after
> entering the login. It doesn't even prompt for a password. (single user got
> me out of it).
>
> Thanks for the help,
>
> Adam
>
> attempted /etc/pam.d/system-auth:
<snip>
> account required /lib/security/pam_deny.so
> account required /lib/security/pam_winbind.so
Like Andrew said swap these 2 lines and you should be happy.
Yours Tony.
/*
* "The significant problems we face cannot be solved at the
* same level of thinking we were at when we created them."
* --Albert Einstein
*/
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
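
How the `required`/`sufficient` ordering discussed in this thread plays out, as an added example that is not part of the original messages: a small Python model of Linux-PAM's basic control flags, run over the account and auth stacks quoted above. The per-module results (`pam_winbind` succeeds for a domain user, `pam_unix` for a local one, `pam_deny` always fails) and all helper names are assumptions; real modules can return other codes.

```python
import os

def parse(text):
    """Parse pam.d-style lines into {type: [(control, module_basename), ...]}."""
    stacks = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and not f[0].startswith("#"):
            stacks.setdefault(f[0], []).append((f[1], os.path.basename(f[2])))
    return stacks

def evaluate(stack, results):
    """Apply the basic Linux-PAM control flags; results maps module -> bool."""
    failed = succeeded = False
    for control, module in stack:
        ok = results[module]
        if control == "requisite" and not ok:
            return False                  # fail immediately
        if control == "sufficient":
            if ok and not failed:
                return True               # short-circuit: later modules never run
        elif ok:
            succeeded = True              # required/requisite/optional success
        elif control == "required":
            failed = True                 # remembered; the stack keeps running
    return succeeded and not failed

# Stacks copied from the thread (wrapped lines joined).
ATTEMPTED = ("account required /lib/security/pam_deny.so\n"
             "account required /lib/security/pam_winbind.so\n")
OCT24 = ("account sufficient /lib/security/pam_unix.so\n"
         "account sufficient /lib/security/pam_winbind.so\n"
         "account required /lib/security/pam_deny.so\n")
FINAL = ("auth required /lib/security/pam_env.so\n"
         "auth sufficient /lib/security/pam_winbind.so\n"
         "auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok\n"
         "auth required /lib/security/pam_deny.so\n"
         "account sufficient /lib/security/pam_winbind.so\n"
         "account required /lib/security/pam_unix.so\n")

def outcome(winbind, unix):  # constructed module results (assumptions)
    return {"pam_env.so": True, "pam_deny.so": False,
            "pam_winbind.so": winbind, "pam_unix.so": unix}
DOMAIN_USER, LOCAL_USER, UNKNOWN = outcome(True, False), outcome(False, True), outcome(False, False)

def verdict(config, pam_type, results):
    return evaluate(parse(config)[pam_type], results)
if __name__ == "__main__":
    for name, cfg in (("attempted", ATTEMPTED), ("24 Oct", OCT24), ("final", FINAL)):
        print(name, "account, domain user:", verdict(cfg, "account", DOMAIN_USER))
```

In this model a `required` `pam_deny` denies every user, while in the two later stacks `pam_deny` is only reached when no `sufficient` module has already succeeded.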