[Samba] winbind problems solved!

George Lenzer George.Lenzer at cpl.org
Wed Dec 4 18:53:00 GMT 2002


OK.  I have winbind up and working most of the way.  I can log in to the
console, gdm, as well as mount shares on Windows boxes in my NT domain,
and let Windows boxes mount shares on my Linux box.  Here were the
problems I ran into and a few notes.  Pretty much user error:

1. The symbolic link from /lib/libnss_winbind.so was wrong.  I changed
it to reflect the right name. /lib/libnss_winbind.so -->
/lib/libnss_winbind.so.2

2. I hadn't created the directory to store domain users' home dirs in.
In my smb.conf file I specified /home/winnt/%D/%U, but 'winnt' didn't
exist.  This prevented any logons from working.  Once I created
/home/winnt, I could log on.

3. I discovered that if you want to use a more "Windows-ish" separator,
you could make the separator line in smb.conf look like this:

winbind separator = "\"

Now I can use DOMAIN\username to access resources with the NT Domain
accounts.

4. The gdm picture browser (Gnome 2.0 RH 8.0) will display all of your
domain users.  If you are using gdm to log into X, you will want to set
it to the graphical greeter.

5. Although it says not to hand edit it... I found that editing
/etc/system-auth like this works:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    /lib/security/pam_winbind.so
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so

account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_mkhomedir.so umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

The 'use_first_pass' option for pam_unix.so gets around the problem of
double password prompts.

Anyone here think there is anything wrong with using \ as the winbind
separator?  Will it cause problems later?
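
A preflight check for problems 1 and 2 above (a libnss_winbind.so symlink that points at the wrong name, and a missing fixed parent for the home-directory template), as an added example that is not part of the original message. The function names are assumptions, and it assumes the template is set with the smb.conf `template homedir` parameter written in lowercase.

```shell
#!/bin/sh
# Added example: preflight checks for problems 1 and 2 of the post.
# Function names are assumptions; paths are passed in as arguments.

# Return 0 if $1 is a symlink whose target exists, 1 if it is not a
# symlink, 2 if it dangles (e.g. points at a wrong .so version).
check_nss_link() {
    link=$1
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symlink" >&2; return 1
    fi
    if [ ! -e "$link" ]; then
        echo "FAIL: $link -> $(readlink "$link") (target missing)" >&2; return 2
    fi
    echo "OK: $link -> $(readlink "$link")"
}

# Print the value of the last "template homedir" line in smb.conf $1.
template_homedir() {
    sed -n 's/^[[:space:]]*template[[:space:]]*homedir[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Print the fixed directory in front of the first path component that
# contains a % substitution: /home/winnt/%D/%U -> /home/winnt
static_prefix() {
    prefix=${1%%"%"*}      # drop everything from the first % onward
    prefix=${prefix%/*}    # drop the partial component after the last /
    echo "${prefix:-/}"
}

# Return 0 if the fixed part of home template $1 exists as a directory.
check_home_parent() {
    parent=$(static_prefix "$1")
    if [ -d "$parent" ]; then
        echo "OK: $parent exists"
    else
        echo "FAIL: $parent is missing; create it before the first logon" >&2
        return 1
    fi
}

# Usage: sh preflight.sh <path to libnss_winbind.so> <path to smb.conf>
if [ "$#" -eq 2 ]; then
    check_nss_link "$1"
    check_home_parent "$(template_homedir "$2")"
fi
```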



