[Samba] Problem with pam_winbind

Oliver Thinnes O.Thinnes at pulsaar.de
Mon Jun 3 23:09:02 GMT 2002


I have the same situation as you have (redhat 7.2, samba 2.2.4 compiled 
with winbind, acl support and as a member of a NT 4 domain).

I did not change /etc/pam.d/system-auth.

I configured /etc/nsswitch.conf like this:
passwd:     files winbind nisplus
shadow:     files winbind nisplus
group:      files winbind nisplus

After compiling I had noticed with ftp login that the file 
"/lib/security/pam_winbind.so" was missing. This isn't created when doing 
make && make install

I had to do
# cd samba/source
# make nsswitch/pam_winbind.so
# cp nsswitch/pam_winbind.so /lib/security

Besides, the login shell is by default "/bin/false" in smb.conf. This has 
to be changed, as does the home dir:
template homedir = /home/%D/%U/
template shell = /bin/bash

Here's my configuration for SSH, SU, FTP login as a NT user:
-- /etc/pam.d/sshd --
#%PAM-1.0
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
-- /etc/pam.d/sshd --

-- /etc/pam.d/ftp --
#%PAM-1.0
auth     sufficient     /lib/security/pam_winbind.so
auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_shells.so
auth     sufficient     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
-- /etc/pam.d/ftp --

Works fine.

There's something to know about winbindd.

When rebooting the linux box the mapping of NT users to UNIX user ids has 
changed after reboot. Only for NT users, not for NT groups. Thus before 
reboot an NT user has e.g. uid 10000 and after reboot 10013 and therefore he 
can't access his files. After the reboot the NT users seem to be ordered in 
alphabetical order and the numbering begins with the winbind uid configured 
in smb.conf.

I tar the two tdb files
/var/lock/winbindd_cache.tdb
/var/lock/winbindd_idmap.tdb

before reboot, extract them after reboot and restart winbindd.
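A check that goes with the idmap problem described above, as an added example rather than code from either post: it diffs two 'getent passwd' snapshots (one taken before the reboot, one after winbindd is back up) and reports every NT user whose uid changed or disappeared. It assumes the '+' domain separator used in these posts and constructs its own sample snapshots.

```shell
#!/bin/sh
# Added example, not code from the original posts: diff two 'getent passwd'
# snapshots taken before and after a reboot, so a reshuffled winbind idmap is
# caught before users find their files unreadable. Assumes the '+' domain
# separator used in the posts; snapshots are plain passwd(5)-format files.
# Print "user:uid" for each passwd entry that came from winbind (name contains '+').
winbind_map() {
    awk -F: 'index($1, "+") > 0 { print $1 ":" $3 }' "$1" | sort
}
# idmap_diff BEFORE AFTER: report every user whose uid changed or who vanished.
# Exit status 0 = mapping unchanged, 1 = at least one difference.
idmap_diff() {
    changed=0
    after_map=$(mktemp)
    winbind_map "$2" > "$after_map"
    while IFS=: read -r user olduid; do
        [ -n "$user" ] || continue
        newuid=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$after_map")
        if [ -z "$newuid" ]; then
            echo "MISSING $user (was uid $olduid)"
            changed=1
        elif [ "$newuid" != "$olduid" ]; then
            echo "CHANGED $user uid $olduid -> $newuid"
            changed=1
        fi
    done <<EOF
$(winbind_map "$1")
EOF
    rm -f "$after_map"
    return $changed
}
# Constructed samples mimicking the symptom in the post: after the reboot the
# users are renumbered alphabetically from the configured uid base, and one is gone.
write_samples() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
MYDOM+oliver:x:10000:10000::/home/MYDOM/oliver:/bin/bash
MYDOM+alice:x:10013:10000::/home/MYDOM/alice:/bin/bash
MYDOM+bob:x:10002:10000::/home/MYDOM/bob:/bin/bash
EOF
    cat > "$2" <<'EOF'
MYDOM+alice:x:10000:10000::/home/MYDOM/alice:/bin/bash
MYDOM+oliver:x:10001:10000::/home/MYDOM/oliver:/bin/bash
EOF
}
# Demo on the constructed samples; in production pass the real snapshot files.
b=$(mktemp); a=$(mktemp); write_samples "$b" "$a"
idmap_diff "$b" "$a" || echo "idmap changed: restore winbindd_idmap.tdb before users log in"
rm -f "$b" "$a"
```

Take the real snapshots with `getent passwd > file` before the reboot and again once winbindd has restarted; a non-zero exit means the saved winbindd_idmap.tdb should be put back, as described above, before anyone logs in.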

-----Original Message-----
From:	John McCawley [SMTP:jmccawley at worleyco.com]
Sent:	Tuesday, June 04, 2002 1:26 AM
To:	samba at lists.samba.org
Subject:	[Samba] Problem with pam_winbind

I'm on a redhat 7.2 box, and I am trying to configure PAM to use winbind
to authenticate against an NT4 PDC.  I followed the instructions I
found at:
http://de.samba.org/samba/ftp/docs/htmldocs/Samba-HOWTO-Collection.html#WINBIND

I compiled the 2.2.4 source and have tried several permutations of the
setup they suggest, and have tried many solutions I've seen suggested on
different mailing lists, but nothing seems to work.

I have smb.conf setup as suggested in the document, and have succeeded
in joining my NT domain with smbpasswd.  The command 'getent passwd'
properly returns the list of users on my PDC.  The problem comes in when
I try to use the pam_winbind.so module for logins or ssh (I have not
tried anything else).  My current configuration is this:

/etc/pam.d/system-auth
-----------------------------
auth        sufficient    /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_winbind.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_winbind.so use_first_pass

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
-----------------------------

/etc/nsswitch.conf
-----------------------------
passwd:     files nisplus winbind
shadow:     files nisplus
group:      files nisplus winbind
-----------------------------

If I login as:
mydomain+username

It fails.  My Linux system log reports: (machine names changed)

Jun  3 16:12:42 casey pam_winbind[11588]: request failed, PAM error was
4, NT error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
Jun  3 16:12:42 casey pam_winbind[11588]: internal module error (retval
= 4, user = `mydomain+username'

My NT PDC reports:
The session setup from the computer CASEY failed because there is no
trust account in the security database for this computer.  The name of
the account referenced in the security database is CASEY$.



Note that I had originally put the reference to pam_winbind in the login
file, but put it in system-auth after that didn't work.  Note also that
I tried it with pam_env and pam_unix both set to required.

I have tried removing and re-adding casey from the PDC, I have tried
adding at the PDC first, and then using smbpasswd.  I've tried this in
reverse order.  I've tried only using smbpasswd, I've tried only adding
it at the PDC.  I've tried deleting the /etc/samba/secrets.tdb file and
re-adding.

The only odd thing about my setup is that I installed from source over
the redhat RPM install, and the files are a little messy.  I've tried to
go through and make sure all of the stuff in /usr/sbin and /usr/bin are
symlinks to the stuff in /usr/local/samba/bin, but I may have missed
something.  At any rate I don't think that's the problem.

Any ideas?
