[Samba] winbind pam.d configurations

Elshair, Ferras elshair at uillinois.edu
Tue Nov 26 00:26:01 GMT 2002


Hello,
 
 
I currently have samba configured with winbind so that I can log in using NT
authentication with my domain controller. Winbind is working perfectly
with the domain, I have /etc/pam.d/login configured perfectly, and I can
log in through the console, etc.
 
However, when I try to use passwd, it doesn't prompt for a new password, it
does this:
 
bash-2.05b$ passwd
Changing password for user ELSHAIR.
passwd: Authentication token manipulation error
bash-2.05b$
 
Here is my system auth-file:
 
# cat system-auth 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
 
account     sufficient    /lib/secutiry/pam_winbind.so
account     required      /lib/security/pam_unix.so
 
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
 
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so[ 
 
 
My /etc/pam.d/passwd file is as follows:
 
bash-2.05b$ cat /etc/pam.d/passwd
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth

account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
 
 
 
What exactly do I need to change in passwd or system-auth so that a domain
user can change his or her password in Linux and have it update the
password in the domain controller?  Please reply with an example of what the
entire file should look like.  It tends to be a bit confusing when someone
says "the auth line should be so and so" because there are so many auth
lines.
 
 
Also, I am having problems getting domain users to login through ssh, my
/etc/pam.d/sshd file is this:
 
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
 
 
I have tried using the same configuration of /etc/pam.d/login (which works
for console login and telnet) but it doesn't seem to work with ssh.  
 
/var/log/messages doesn't show any login attempts whatsoever when I use
aits+domainUser as the login.  But obviously when I use a normal user, it
does display the login attempt in the log.
 
If anyone knows how to configure the /etc/pam.d/sshd to work with domain
logins, I would appreciate that too.  Please include an example of the whole
file.
 
 
 
Thanks,
Ferras Elshair
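
Added example, not part of the original message: a small Python check run over the rule lines of the system-auth file posted above. It flags module paths whose directory differs from the one the rest of the file uses, and lists the management groups in which pam_winbind.so does not appear. The function names are hypothetical, and the embedded file is transcribed from the post with wrapped lines rejoined.

```python
import os
from collections import Counter, defaultdict

# Rule lines of system-auth as posted (wrapped lines rejoined); embedded to run offline.
SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/secutiry/pam_winbind.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so[
"""

GROUPS = ("auth", "account", "password", "session")

def parse_pam(text):
    """Return (lineno, group, control, module_path, args) for each rule line."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 3 and fields[0] in GROUPS:
            rules.append((n, fields[0], fields[1], fields[2], fields[3:]))
    return rules

def odd_module_dirs(rules):
    """Flag rules whose module directory differs from the file's most common one."""
    dirs = Counter(os.path.dirname(r[3]) for r in rules)
    usual = dirs.most_common(1)[0][0]
    return [(r[0], r[3]) for r in rules if os.path.dirname(r[3]) != usual]

def groups_without(rules, module):
    """Management groups in which `module` never appears."""
    seen = defaultdict(set)
    for _, group, _, path, _ in rules:
        seen[group].add(os.path.basename(path))
    return [g for g in GROUPS if module not in seen[g]]

if __name__ == "__main__":
    rules = parse_pam(SYSTEM_AUTH)
    print("unusual module directories:", odd_module_dirs(rules))
    print("no pam_winbind.so in:", groups_without(rules, "pam_winbind.so"))
```

Line numbers in the output refer to the embedded sample, not to the file on disk.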