[Samba] winbind problems solved!
George Lenzer
George.Lenzer at cpl.org
Wed Dec 4 18:53:00 GMT 2002
OK. I have winbind up and working most of the way. I can log in to the
console, gdm, as well as mount shares on Windows boxes in my NT domain,
and let Windows boxes mount shares on my Linux box. Here were the
problems I ran into and a few notes. Pretty much user error:
1. The symbolic link from /lib/libnss_winbind.so was wrong. I changed
it to reflect the right name. /lib/libnss_winbind.so -->
/lib/libnss_winbind.so.2
2. I hadn't created the directory to store domain users' home dirs in.
In my smb.conf file I specified /home/winnt/%D/%U, but 'winnt' didn't
exist. This prevented any logons from working. Once I created
/home/winnt, I could log on.
3. I discovered that if you want to use a more "Windows-ish" separator,
you could make the separator line in smb.conf look like this:
winbind separator = "\"
Now I can use DOMAIN\username to access resources with the NT Domain
accounts.
4. The gdm picture browser (Gnome 2.0 RH 8.0) will display all of your
domain users. If you are using gdm to log into X, you will want to set
it to the graphical greeter.
5. Although it says not to hand edit it... I found that editing
/etc/system-auth like this, works:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
The 'use_first_pass' option for pam_unix.so gets around the problem of
double password prompts.
Anyone here think there is anything wrong with using \ as the winbind
separator? Will it cause problems later?
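
Added example, not part of the original post: a small shell lint for the auth lines of a system-auth file like the one in item 5. It flags a second password-prompting module that lacks use_first_pass or try_first_pass (the double-prompt case) and lines that are not valid PAM entries, such as an option left on its own line by mail wrapping. The function name, the PROMPTING list and the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): lint the auth section of a
# system-auth style PAM file. Output, one finding per line:
#   double-prompt:<module>  a password-prompting module that follows another
#                           one without use_first_pass/try_first_pass
#   malformed:<lineno>      a line that is not "type control module [args]",
#                           e.g. an option orphaned by mail line-wrapping
# Assumes simple control keywords (required, sufficient, ...) as in the post;
# bracketed [value=action] controls are not parsed.

# Assumption: these are the modules in the stack that ask for a password.
PROMPTING="pam_winbind.so pam_unix.so"

lint_pam_auth() {
    awk -v prompting="$PROMPTING" '
        BEGIN { n = split(prompting, p, " "); for (i = 1; i <= n; i++) asks[p[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }               # comments, blank lines
        $1 !~ /^-?(auth|account|password|session)$/ || NF < 3 {
            print "malformed:" NR; next
        }
        $1 !~ /auth$/ { next }                       # only the auth stack prompts
        {
            m = $3; sub(/.*\//, "", m)               # module basename
            if (!(m in asks)) next
            reuse = 0
            for (i = 4; i <= NF; i++)
                if ($i ~ /^(use|try)_first_pass$/) reuse = 1
            if (seen && !reuse) print "double-prompt:" m
            seen = 1
        }
    ' "$1"
}

# Constructed sample: the auth lines from the post, with the wrapped option
# left on its own line exactly as the mail archive shows it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
use_first_pass
auth required /lib/security/pam_deny.so
EOF
lint_pam_auth "$sample"
rm -f "$sample"
```

With the option joined back onto the pam_unix.so line, the function prints nothing.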