[Samba] Solaris Winbind LDAP pam_mkhomedir.so

Ganguly, Sapan Sapan.Ganguly at thalesgroup.com
Wed Dec 17 16:43:15 GMT 2003

OK, I definitely know that winbind is working now. I tried logging in at the
console and a message comes up:

Pam_winbind[413]: user 'nt_user' granted access

But that is as far as it goes; I don't get a shell prompt.  I eventually
have to do a 'stop + A' and reboot the machine. From now on I'll do a
'telnet localhost' to test it.

Here is what my pam.conf looks like. Can you see any errors?

#ident	"@(#)pam.conf	1.20	02/01/23 SMI"
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
# PAM configuration
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login	auth requisite		pam_authtok_get.so.1
login   auth sufficient         pam_dhkeys.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth sufficient         pam_dial_auth.so.1
login   auth sufficient         /usr/lib/security/pam_winbind.so.1

# rlogin service (explicit because of pam_rhost_auth)
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite		pam_authtok_get.so.1
rlogin	auth sufficient		pam_dhkeys.so.1
rlogin	auth sufficient		pam_unix_auth.so.1
rlogin	auth sufficient		/usr/lib/security/pam_winbind.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_auth.so.1
# PPP service (explicit because of pam_dial_auth)
ppp	auth requisite		pam_authtok_get.so.1
ppp	auth required		pam_dhkeys.so.1
ppp	auth required		pam_unix_auth.so.1
ppp	auth required		pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
other	auth requisite		pam_authtok_get.so.1
other	auth sufficient		pam_dhkeys.so.1
other	auth sufficient		pam_unix_auth.so.1
other	auth sufficient		/usr/lib/security/pam_winbind.so.1
# passwd command (explicit because of a different authentication module)
passwd	auth required		pam_passwd_auth.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron	account required	pam_projects.so.1
cron	account required	pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other	account requisite	pam_roles.so.1
other	account sufficient	pam_projects.so.1
other	account sufficient	pam_unix_account.so.1
other	account sufficient	/usr/lib/security/pam_winbind.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other	session required	pam_unix_session.so.1
other	session sufficient	/usr/lib/security/pam_winbind.so.1
#other session sufficient	/usr/lib/security/pam_mkhomedir.so.1
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
other	password required	pam_dhkeys.so.1
other	password requisite	pam_authtok_get.so.1
other	password requisite	pam_authtok_check.so.1
other	password required	pam_authtok_store.so.1
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#rlogin		auth optional		pam_krb5.so.1 try_first_pass
#login		auth optional		pam_krb5.so.1 try_first_pass
#other		auth optional		pam_krb5.so.1 try_first_pass
#cron		account optional 	pam_krb5.so.1
#other		account optional 	pam_krb5.so.1
#other		session optional 	pam_krb5.so.1
#other		password optional 	pam_krb5.so.1 try_first_pass

-----Original Message-----
From: Ganguly, Sapan [mailto:Sapan.Ganguly at thalesgroup.com] 
Sent: 15 December 2003 08:23
To: 'samba at lists.samba.org'
Cc: 'samba at samba.org'
Subject: [Samba] Solaris Winbind LDAP pam_mkhomedir.so

Dear list,

How do I test whether I have access to my winbind LDAP backend from my
Solaris 9 machine?  My LDAP database is held on a Redhat 9.0 machine also
running Samba 3.0.0.

I know winbind works because getent and wbinfo show up my NT users and

I would also like to have people log into my Solaris 9 machine with their NT
usernames, I have this working on Redhat already but Solaris is proving to
be a little more tricky.  I've copied a pam.conf from another post on this
mailing list but when I try to log in with an NT user name the process just
hangs after I type the password.  I don't see anything in the logs either.

I would also like to use pam_mkhomedir.so in my pam.conf so that when people
log in a home directory is automatically created but that's not going to
work until I can actually log in anyway.  
It was easy under Redhat.

Does anyone have any advice?  I'm going to look a bit silly if I can't make
this work.
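
An added example, not part of the original post and not Samba or Sun code: a short Python check over an excerpt of the posted pam.conf that lists every module placed below a `sufficient` entry in the same stack, since PAM does not invoke those once the `sufficient` module succeeds (provided no earlier `required` module has failed). The pam_mkhomedir line is uncommented here as a constructed variation, and the function names are hypothetical.

```python
from collections import defaultdict

# Excerpt of the pam.conf posted above. The pam_mkhomedir line is uncommented
# here (a constructed variation) to show the effect of enabling it in place.
SAMPLE = """\
other	account requisite	pam_roles.so.1
other	account sufficient	pam_projects.so.1
other	account sufficient	pam_unix_account.so.1
other	account sufficient	/usr/lib/security/pam_winbind.so.1
other	session required	pam_unix_session.so.1
other	session sufficient	/usr/lib/security/pam_winbind.so.1
other	session sufficient	/usr/lib/security/pam_mkhomedir.so.1
"""

def parse_stacks(text):
    """Group entries into stacks keyed by (service, module_type), in file order."""
    stacks = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment, or malformed entry
        service, mtype, control, module = fields[:4]
        # Keep only the module file name so relative and absolute paths compare alike.
        stacks[(service, mtype)].append((control, module.rsplit("/", 1)[-1]))
    return stacks

def skippable(stacks):
    """Return (service, type, module, gate) for each module below a 'sufficient' one.

    'gate' is the first sufficient module in the stack: when it succeeds and no
    earlier required module has failed, the stack returns success at that point.
    """
    findings = []
    for (service, mtype), entries in stacks.items():
        gate = None
        for control, module in entries:
            if gate is not None:
                findings.append((service, mtype, module, gate))
            elif control == "sufficient":
                gate = module
    return findings

if __name__ == "__main__":
    for service, mtype, module, gate in skippable(parse_stacks(SAMPLE)):
        print(f"{service} {mtype}: {module} may be skipped when {gate} succeeds")
```

In the account stack this reports that pam_unix_account.so.1 sits below the sufficient pam_projects.so.1, and in the session stack that a pam_mkhomedir entry added after the sufficient pam_winbind line would sit below it as well.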
