[Samba] Help with Winbind

Khanh Tran khanh at slc.edu
Thu Feb 20 14:11:44 GMT 2003


Sure, I'll let you know, but could you pass along what you have for
pam_mount?  I didn't even start down that path yet.  I'm glad to hear I'm
not alone though.  Additionally, this may sound really naive, but what's the
point of logging into a domain if you can't get anywhere?

Khanh Tran
Network Operations
Sarah Lawrence College


-----Original Message-----
From: Aaron Bennett [mailto:aaron.bennett at olin.edu]
Sent: Thursday, February 20, 2003 9:11 AM
To: Khanh Tran
Cc: 'samba at lists.samba.org'
Subject: Re: [Samba] Help with Winbind


Khanh --

I'm currently beating my head against the pam_mount wall, with no luck.
It's the only way I can think of to do this w/o storing the password
in plain text.  pam_mount is supposed to be able to mount using the
login credentials, but I haven't been able to make it work.  I'll report
any results I find.  If you come across any other solutions, could you
let me know?

Cheers,

Aaron Bennett

Khanh Tran wrote:
> OK, so I got all pam problems sorted out.  For those interested, this
> pam/gdm worked on my RH 8.0 box:
> 
> auth       sufficient   /lib/security/pam_winbind.so
> auth       sufficient   /lib/security/pam_unix.so likeauth use_first_pass nullok
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    sufficient   /lib/security/pam_winbind.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
> 
> The only difference from what I had been using was the addition of the
> likeauth and nullok options on the pam_unix.so library.
> 
> Now on to my next issue with home directories!  I've tried two methods.  
> 
> First, I've used what the Winbind docs say for template homedir in
> smb.conf: /home/%D/%U.  When my user logs in, I get an error that the home
> directory does not exist and then logs the user out.  This is expected
> because they don't exist locally :)
> 
> Second, I tried first mounting all my users' home directories (we mount them
> here under Windows like Novell used to) under /home.DOMAIN.  Then, I changed
> template homedir to /home/home.%D and restarted the Samba daemons.  The user
> can log in, but I get the following permission error because I've got the
> home dirs mounted as root.
> 
> Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
> Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
> Feb 20 08:12:26 Martyr gdm[849]: gdm_auth_user_add: /home.DOMAIN/user is not owned by uid 10173.
> Feb 20 08:12:47 Martyr gdm(pam_unix)[849]: session closed for user DOMAIN\user
> 
> So, I guess my question is, is there a way to mount each user's home
> directory with their proper auth credentials under unix?  I've read through
> the MARC archives and seen brief mentions of a hacked pam_mount, but nothing
> detailed or a more "standard" solution.
> 
> Thanks again for everyone's help.
> 
> Khanh Tran
> Network Operations
> Sarah Lawrence College
> 
> 
> -----Original Message-----
> From: Aaron Bennett [mailto:aaron.bennett at olin.edu]
> Sent: Wednesday, February 19, 2003 4:51 PM
> To: Khanh Tran
> Cc: 'samba at lists.samba.org'
> Subject: Re: [Samba] Help with Winbind
> 
> 
> For debugging purposes, put the machine in console mode (init 4 or
> whatever, just kill kdm/xdm/kdm), and modify /etc/pam.d/login as
> directed in the Howto.  Login is much simpler than gdm, so you don't
> have to worry about multiple levels of pam stuff.
> 
> best luck,
> 
> Aaron Bennett
> UNIX Administrator
> Franklin W. Olin College of Engineering
> 
> Khanh Tran wrote:
> 
>>OK, so I added the lines to /etc/pam.d/gdm file.  It's not a big deal for me
>>to re-install RH on this box, so I didn't bother with the telnet test.
>>
>>Anyway, I put in my username and password, and get this error:
>>Feb 19 14:33:31 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>
>>But RH doesn't return to the username prompt, it asks for the password
>>again, so I enter the same password again, and get:
>>Feb 19 14:33:45 Martyr pam_winbind[835]: user 'ADMIN+khanh' granted acces
>>Feb 19 14:33:45 Martyr gdm(pam_unix)[835]: check pass; user unknown
>>Feb 19 14:33:48 Martyr gdm-binary[835]: Couldn't authenticate user
>>Feb 19 14:33:48 Martyr gdm(pam_unix)[835]: 1 more authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>
>>I'm guessing from the error that the box is trying to authenticate the user
>>to the local passwd file?  Anyway, thanks again for the help, but any more
>>ideas?
>>
>>Khanh Tran
>>Network Operations
>>Sarah Lawrence College
>>
>>
>>-----Original Message-----
>>From: bin wen [mailto:wen_bin at yahoo.com]
>>Sent: Wednesday, February 19, 2003 2:24 PM
>>To: Khanh Tran; 'samba at lists.samba.org'
>>Subject: RE: [Samba] Help with Winbind
>>
>>
>>Looks like you are logging in through GDM, so you probably
>>have to change the /etc/pam/gdm file too. Before you
>>do that, you may want to just do a telnet to the RH
>>and see what happens.
>>--- Khanh Tran <khanh at slc.edu> wrote:
>>
>>
>>>I changed the pam conf per the 12.5.3.6 section.
>>>Here's what I've got:
>>>
>>>pam.d/login:
>>>#%PAM-1.0
>>>auth       required     /lib/security/pam_securetty.so
>>>auth       sufficient   /lib/security/pam_winbind.so
>>>auth       sufficient   /lib/security/pam_unix.so use_first_pass
>>>auth       required     /lib/security/pam_stack.so service=system-auth
>>>auth       required     /lib/security/pam_nologin.so
>>>account    sufficient   /lib/security/pam_winbind.so
>>>account    required     /lib/security/pam_stack.so service=system-auth
>>>password   required     /lib/security/pam_stack.so service=system-auth
>>>session    required     /lib/security/pam_stack.so service=system-auth
>>>session    optional     /lib/security/pam_console.so
>>>
>>>Khanh Tran
>>>Network Operations
>>>Sarah Lawrence College
>>>
>>>
>>>-----Original Message-----
>>>From: bin wen [mailto:wen_bin at yahoo.com]
>>>Sent: Wednesday, February 19, 2003 1:58 PM
>>>To: Khanh Tran; 'samba at lists.samba.org'
>>>Subject: Re: [Samba] Help with Winbind
>>>
>>>
>>>From your log file, it looks like the RH still uses
>>>the pam_unix module to authenticate. Have you changed
>>>the pam configuration to use winbindd following the
>>>instruction in section 12.5.3.6 ?
>>>--- Khanh Tran <khanh at slc.edu> wrote:
>>>
>>>
>>>>I've been trying for weeks to get winbind working with RedHat Linux 8.0.
>>>>I've got everything setup per the winbind docs on
>>>>http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html#WINBIND.
>>>>
>>>>I've successfully joined my NT4 domain with smbpasswd -j DOMAIN -r PDC -U
>>>>Administrator.  Running wbinfo -u returns my domain user list, as well as
>>>>wbinfo -g returning my domain groups.  getent passwd returns the domain user
>>>>list in the passwd format, and getent group does the same.  I've then set up
>>>>my /etc/pam.d/login to match the one on the HOWTO.
>>>>
>>>>The problem is that when I go to login (username: DOMAIN+user), the
>>>>workstation won't log me in.  My messages log returns only:
>>>>
>>>>Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: check pass; user unknown
>>>>Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>>>Feb 19 13:20:47 Martyr gdm-binary[835]: Couldn't authenticate user
>>>>
>>>>Any help is greatly appreciated, and thanks in
>>>>advance!
>>>>
>>>>Khanh Tran
>>>>Network Operations
>>>>Sarah Lawrence College
>>>>
> 
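
Added example (not part of the original thread): a simplified Python model of how Linux-PAM's classic control flags evaluate the gdm auth stack quoted above. The module outcomes are constructed inputs, parse_stack and evaluate are hypothetical helper names, and pam_stack.so service=system-auth is treated as a single opaque result.

```python
# Added example: simplified model of Linux-PAM's classic control flags.
# GDM_STACK is the auth section of the gdm file quoted in the thread.
GDM_STACK = """\
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth use_first_pass nullok
auth required   /lib/security/pam_stack.so service=system-auth
auth required   /lib/security/pam_nologin.so
"""

def parse_stack(text):
    """Return (group, control, module, args) tuples from pam.d-style text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        group, control, path = fields[:3]
        entries.append((group, control, path.rsplit("/", 1)[-1], fields[3:]))
    return entries

def evaluate(entries, group, results):
    """Walk one management group; results maps module name -> True/False.

    Returns (granted, modules_consulted). The outcomes are constructed inputs.
    """
    consulted, failed, passed = [], False, False
    for grp, control, module, _args in entries:
        if grp != group:
            continue
        consulted.append(module)
        ok = results[module]
        if control == "requisite" and not ok:
            return False, consulted            # fail immediately
        if control == "sufficient":
            if ok and not failed:
                return True, consulted         # stop here, rest is skipped
            continue                           # a failed sufficient is ignored
        if control in ("required", "requisite"):
            passed, failed = passed or ok, failed or not ok
        # "optional" results do not change the outcome in this model
    return passed and not failed, consulted

if __name__ == "__main__":
    domain_user = {"pam_winbind.so": True, "pam_unix.so": False,
                   "pam_stack.so": False, "pam_nologin.so": False}
    print(evaluate(parse_stack(GDM_STACK), "auth", domain_user))
```

With pam_winbind.so listed first as sufficient, a successful domain login returns before pam_nologin.so is consulted, so anything that must apply to domain users has to sit above that line or in another management group.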




