[Samba] help with winbind/pam

Ganguly, Sapan Sapan.Ganguly at thalesgroup.com
Fri Dec 19 10:43:24 GMT 2003


I use Redhat 9.0 and I have it working. I'm not sure if it's the same on
Debian, but here is what my files look like.  They were generated by the
'authconfig' tool.  The only line I added manually was the pam_mkhomedir.so
line.

My /etc/pam.d/login looks like this - (Note: pam_mkhomedir.so automatically
makes home directories, which you may not want; it puts them in the 'template
homedir' specified in smb.conf)

#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_UNIX.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so umask=0022
session    optional     pam_console.so

My /etc/pam.d/gdm looks like this -

#%PAM-1.0
auth       required     pam_env.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0022

/etc/pam.d/system-auth looks like this -

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so



-----Original Message-----
From: Charles McLaughlin [mailto:cmclaughlin at ucdavis.edu] 
Sent: 19 December 2003 05:19
To: samba at lists.samba.org
Subject: [Samba] help with winbind/pam


Hello,

I'm trying to get a debian sid box to authenticate against an NT4 domain.
I've followed the instructions in the winbindd man page and I think I'm on
the right track.  However, I'm having problems with PAM.

As the winbindd man page suggests, I edited the /etc/nsswitch.conf and added
some winbindd related stuff to my smb.conf file.

I also edited the /etc/pam.d/* files.  This is where I'm having problems...
more on that later.

I joined the domain using this:
net join -U Administrator
I was prompted for a password and was allowed to join the domain.

I ran the winbindd program just to make sure it is up and running, then I
did this: wbinfo -t, and that told me that the trust relationship with the
domain is OK.

So, my linux box is part of the NT4 domain and things look good.  I can walk
over to the NT4 domain controller and see a computer account for my linux
box.  I can do wbinfo -u on my linux box and see a list of all the windows
domain users... and I'm starting to smell success.  But wait...

Here is where the problem starts.  I want to use a Windows domain account to
login to the linux box.  For instance, I should be able to use the windows
Administrator account to login on my linux box.

So I go to a terminal and try to log in as Administrator and it says
"permission denied".  I've screwed around with the /etc/pam.d/* files enough
to allow me to login via a linux terminal using the Windows Administrator
account, but I haven't been able to do the same with GDM/Gnome.  I
eventually screwed around with these files enough to lock myself out of my
system, but got back in.  ;-)

So, I guess I need help understanding the /etc/pam.d/* files.

The winbindd man page says this:

-------
 In /etc/pam.d/* replace the  auth lines with something like this:

 auth       required /lib/security/pam_securetty.so
 auth       required /lib/security/pam_nologin.so
 auth       sufficient /lib/security/pam_winbind.so
 auth       required /lib/security/pam_pwdb.so use_first_pass shadow nullok

 Note  in  particular  the  use  of  the  sufficient   keyword  and  the
 use_first_pass keyword.

 Now replace the account lines with this:

 account required /lib/security/pam_winbind.so
-------

When I edited the pam.d files, anytime I saw a line that starts with auth, I
commented it out and inserted all of the above lines that start with auth.
Likewise, I made similar edits for lines that start with account.  I don't
really understand what this means though... Any suggestions?  Am I doing
something out of order?

Thanks!

Charles



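The winbindd man page excerpt above tells you to use `sufficient` for pam_winbind and `use_first_pass` on the module after it, and Charles asks what that actually means. The following script is an added illustration, not code from this thread, from Samba or from Linux-PAM: it parses pam.d-style `auth` lines and replays them with a simplified model of the PAM control flags (`required`, `requisite`, `sufficient`, `optional`), counting how many password prompts a login would see. The module outcomes for a "domain" and a "local" user, the set of modules assumed to prompt for a password, and the contrasting "broken" stack (pam_winbind made `required`, `use_first_pass` dropped) are all constructed for the example and are not taken from the page.

```python
"""Replay a PAM 'auth' stack with a simplified model of Linux-PAM control
flags, to show why the winbindd man page wants 'sufficient' on pam_winbind
and 'use_first_pass' on the module after it.  Added example; the pam_* names
are only labels, nothing is really loaded."""

SUCCESS, FAIL = "success", "fail"

# Assumption for the model: these modules ask for a password unless told to
# reuse one (use_first_pass / try_first_pass).
PASSWORD_MODULES = {"pam_winbind.so", "pam_pwdb.so", "pam_unix.so",
                    "pam_smb_auth.so"}

# The auth stack quoted from the winbindd man page in the thread.
MANPAGE_AUTH = """
auth       required   /lib/security/pam_securetty.so
auth       required   /lib/security/pam_nologin.so
auth       sufficient /lib/security/pam_winbind.so
auth       required   /lib/security/pam_pwdb.so use_first_pass shadow nullok
"""

# Hypothetical misconfiguration for contrast (constructed, not from the page).
BROKEN_AUTH = """
auth       required   /lib/security/pam_securetty.so
auth       required   /lib/security/pam_nologin.so
auth       required   /lib/security/pam_winbind.so
auth       required   /lib/security/pam_pwdb.so shadow nullok
"""

# Constructed outcomes: a domain account is known only to winbind, a local
# account only to the passwd/shadow database.
DOMAIN_USER = {"pam_securetty.so": SUCCESS, "pam_nologin.so": SUCCESS,
               "pam_winbind.so": SUCCESS, "pam_pwdb.so": FAIL}
LOCAL_USER = {"pam_securetty.so": SUCCESS, "pam_nologin.so": SUCCESS,
              "pam_winbind.so": FAIL, "pam_pwdb.so": SUCCESS}


def parse_pam_lines(text):
    """Parse 'type control module [args...]' lines; skip blanks and comments.
    The module path is reduced to its basename."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        entries.append({"type": parts[0], "control": parts[1],
                        "module": parts[2].rsplit("/", 1)[-1],
                        "args": parts[3:]})
    return entries


def run_auth_stack(entries, module_results):
    """Evaluate the 'auth' entries with the simple control keywords:
      required   - a failure is remembered, but the stack keeps running
      requisite  - a failure ends the stack immediately
      sufficient - a success ends the stack (if nothing failed before it);
                   a failure is ignored
      optional   - ignored
    Returns (final_result, number_of_password_prompts)."""
    failed, prompts, ran = False, 0, 0
    for e in (x for x in entries if x["type"] == "auth"):
        ran += 1
        result = module_results.get(e["module"], FAIL)
        if e["module"] in PASSWORD_MODULES:
            if "use_first_pass" in e["args"]:
                if prompts == 0:        # nothing to reuse: the module fails
                    result = FAIL
            elif "try_first_pass" in e["args"] and prompts > 0:
                pass                     # reuses the earlier password
            else:
                prompts += 1
        ctl = e["control"]
        if ctl == "requisite" and result == FAIL:
            return FAIL, prompts
        if ctl == "required" and result == FAIL:
            failed = True
        if ctl == "sufficient" and result == SUCCESS and not failed:
            return SUCCESS, prompts
    if ran == 0:                         # empty stack: PAM refuses
        return FAIL, prompts
    return (FAIL if failed else SUCCESS), prompts


def compare_stacks():
    """Run both stacks for both users; key is (stack, user)."""
    out = {}
    for stack, text in (("manpage", MANPAGE_AUTH), ("broken", BROKEN_AUTH)):
        entries = parse_pam_lines(text)
        for user, results in (("domain", DOMAIN_USER), ("local", LOCAL_USER)):
            out[(stack, user)] = run_auth_stack(entries, results)
    return out


if __name__ == "__main__":
    for (stack, user), (res, n) in sorted(compare_stacks().items()):
        print("%-8s stack, %-6s user: %-7s (%d password prompt(s))"
              % (stack, user, res, n))
```

With the man page stack, a domain user succeeds at pam_winbind (`sufficient` ends the stack) and a local user fails there harmlessly and is then checked by pam_pwdb using the password already typed, one prompt either way. With pam_winbind set to `required`, every user must pass both modules, so nobody can log in and each gets prompted twice, which is the kind of lock-out the thread describes.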
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba