[Samba] Help with Winbind
Khanh Tran
khanh at slc.edu
Thu Feb 20 14:11:44 GMT 2003
Sure, I'll let you know, but could you pass along what you have for
pam_mount? I didn't even start down that path yet. I'm glad to hear I'm
not alone though. Additionally, this may sound really naive, but what's the
point of logging into a domain if you can't get anywhere?
Khanh Tran
Network Operations
Sarah Lawrence College
-----Original Message-----
From: Aaron Bennett [mailto:aaron.bennett at olin.edu]
Sent: Thursday, February 20, 2003 9:11 AM
To: Khanh Tran
Cc: 'samba at lists.samba.org'
Subject: Re: [Samba] Help with Winbind
Khanh --
I'm currently beating my head against the pam_mount wall, with no luck.
It's the only way I can think of to do this w/o storing the password
in plain text. pam_mount is supposed to be able to mount using the
login credentials, but I haven't been able to make it work. I'll report
any results I find. If you come across any other solutions, could you
let me know?
Cheers,
Aaron Bennett
Khanh Tran wrote:
> OK, so I got all pam problems sorted out. For those interested, this
> pam/gdm worked on my RH 8.0 box:
>
> auth sufficient /lib/security/pam_winbind.so
> auth sufficient /lib/security/pam_unix.so likeauth use_first_pass nullok
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account sufficient /lib/security/pam_winbind.so
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
>
> The only difference from what I had been using was the addition of the
> likeauth and nullok options on the pam_unix.so library.
>
> Now on to my next issue with home directories! I've tried two methods.
>
> First, I've used what the Winbind docs say for template homedir in
> smb.conf: /home/%D/%U. When my user logs in, I get an error that the home
> directory does not exist and then logs the user out. This is expected
> because they don't exist locally :)
>
> Second, I tried first mounting all my users' home directories (we mount them
> here under windows like Novell used to) under /home.DOMAIN. Then, I changed
> template homedir to /home/home.%D and restarted the Samba daemons. The user
> can log in, but I get the following permission error because I've got the
> home dirs mounted as root.
>
> Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
> Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
> Feb 20 08:12:26 Martyr gdm[849]: gdm_auth_user_add: /home.DOMAIN/user is not owned by uid 10173.
> Feb 20 08:12:47 Martyr gdm(pam_unix)[849]: session closed for user DOMAIN\user
>
> So, I guess my question is, is there a way to mount each user's home
> directory with their proper auth credentials under unix? I've read through
> the MARC archives and seen brief mentions of a hacked pam_mount, but nothing
> detailed or a more "standard" solution.
>
> Thanks again for everyone's help.
>
> Khanh Tran
> Network Operations
> Sarah Lawrence College
>
>
> -----Original Message-----
> From: Aaron Bennett [mailto:aaron.bennett at olin.edu]
> Sent: Wednesday, February 19, 2003 4:51 PM
> To: Khanh Tran
> Cc: 'samba at lists.samba.org'
> Subject: Re: [Samba] Help with Winbind
>
>
> For debugging purposes, put the machine in console mode (init 4 or
> whatever, just kill kdm/xdm/kdm), and modify /etc/pam.d/login as
> directed in the Howto. Login is much simpler than gdm, so you don't
> have to worry about multiple levels of pam stuff.
>
> best luck,
>
> Aaron Bennett
> UNIX Administrator
> Franklin W. Olin College of Engineering
>
> Khanh Tran wrote:
>
>>OK, so I added the lines to /etc/pam.d/gdm file. It's not a big deal for me
>>to re-install RH on this box, so I didn't bother with the telnet test.
>>
>>Anyway, I put in my username and password, and get this error:
>>Feb 19 14:33:31 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>
>>But RH doesn't return to the username prompt, it asks for the password
>>again, so I enter the same password again, and get:
>>Feb 19 14:33:45 Martyr pam_winbind[835]: user 'ADMIN+khanh' granted acces
>>Feb 19 14:33:45 Martyr gdm(pam_unix)[835]: check pass; user unknown
>>Feb 19 14:33:48 Martyr gdm-binary[835]: Couldn't authenticate user
>>Feb 19 14:33:48 Martyr gdm(pam_unix)[835]: 1 more authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>
>>I'm guessing from the error that the box is trying to authenticate the user
>>to the local passwd file? Anyway, thanks again for the help, but any more
>>ideas?
>>
>>Khanh Tran
>>Network Operations
>>Sarah Lawrence College
>>
>>
>>-----Original Message-----
>>From: bin wen [mailto:wen_bin at yahoo.com]
>>Sent: Wednesday, February 19, 2003 2:24 PM
>>To: Khanh Tran; 'samba at lists.samba.org'
>>Subject: RE: [Samba] Help with Winbind
>>
>>
>>Looks like you are logging in through GDM, so you probably
>>have to change the /etc/pam/gdm file too. Before you
>>do that, you may want to just do a telnet to the RH
>>to see what happens.
>>--- Khanh Tran <khanh at slc.edu> wrote:
>>
>>
>>>I changed the pam conf per the 12.5.3.6 section.
>>>Here's what I've got:
>>>
>>>pam.d/login:
>>>#%PAM-1.0
>>>auth required /lib/security/pam_securetty.so
>>>auth sufficient /lib/security/pam_winbind.so
>>>auth sufficient /lib/security/pam_unix.so use_first_pass
>>>auth required /lib/security/pam_stack.so service=system-auth
>>>auth required /lib/security/pam_nologin.so
>>>account sufficient /lib/security/pam_winbind.so
>>>account required /lib/security/pam_stack.so service=system-auth
>>>password required /lib/security/pam_stack.so service=system-auth
>>>session required /lib/security/pam_stack.so service=system-auth
>>>session optional /lib/security/pam_console.so
>>>
>>>Khanh Tran
>>>Network Operations
>>>Sarah Lawrence College
>>>
>>>
>>>-----Original Message-----
>>>From: bin wen [mailto:wen_bin at yahoo.com]
>>>Sent: Wednesday, February 19, 2003 1:58 PM
>>>To: Khanh Tran; 'samba at lists.samba.org'
>>>Subject: Re: [Samba] Help with Winbind
>>>
>>>
>>>From your log file, it looks like the RH still uses
>>>the pam_unix module to authenticate. Have you changed
>>>the pam configuration to use winbindd following the
>>>instruction in section 12.5.3.6?
>>>--- Khanh Tran <khanh at slc.edu> wrote:
>>>
>>>
>>>>I've been trying for weeks to get winbind working with RedHat Linux 8.0.
>>>>I've got everything set up per the winbind docs on
>>>>http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html#WINBIND.
>>>>
>>>>I've successfully joined my NT4 domain with
>>>>smbpasswd -j DOMAIN -r PDC -U Administrator. Running wbinfo -u returns my
>>>>domain user list, as well as wbinfo -g returning my domain groups. getent
>>>>passwd returns the domain user list in the passwd format, and getent group
>>>>does the same. I've then set up my /etc/pam.d/login to match the one on
>>>>the HOWTO.
>>>>
>>>>The problem is that when I go to login (username:
>>>>DOMAIN+user), the
>>>>workstation won't log me in. My messages log
>>>>returns only:
>>>>
>>>>Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: check pass; user unknown
>>>>Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
>>>>Feb 19 13:20:47 Martyr gdm-binary[835]: Couldn't authenticate user
>>>>
>>>>Any help is greatly appreciated, and thanks in
>>>>advance!
>>>>
>>>>Khanh Tran
>>>>Network Operations
>>>>Sarah Lawrence College
>>>>
>
>
>
>
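
As an added illustration (not part of the original thread and not code from Samba or Linux-PAM), the Python sketch below models how the `sufficient` and `required` control flags in the gdm auth stack quoted above decide a login. The evaluator and the per-module outcomes are constructed for the example and simplify the real library's rules.

```python
# Added illustration: a simplified model of how Linux-PAM combines the
# control flags required / requisite / sufficient / optional.
# Module results are supplied by the caller; no real PAM module is called.

# auth lines of the gdm file quoted in the thread (module arguments omitted)
GDM_AUTH = [
    ("sufficient", "pam_winbind.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_stack.so"),    # service=system-auth
    ("required", "pam_nologin.so"),
]


def evaluate(stack, results):
    """Walk one PAM stack; results maps module name -> True/False.

    Returns (granted, modules_consulted).
    """
    failed = False       # a required module has failed
    succeeded = False    # at least one module has succeeded
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if ok:
            succeeded = True
            # sufficient + success ends the stack, unless a required
            # module already failed earlier
            if control == "sufficient" and not failed:
                return True, consulted
        elif control == "requisite":
            return False, consulted          # fail immediately
        elif control == "required":
            failed = True                    # fail, but keep going
        # a failing sufficient/optional module is ignored
    return succeeded and not failed, consulted


# Constructed outcomes for three kinds of login
DOMAIN_USER = {"pam_winbind.so": True, "pam_unix.so": False,
               "pam_stack.so": False, "pam_nologin.so": True}
LOCAL_USER = {"pam_winbind.so": False, "pam_unix.so": True,
              "pam_stack.so": True, "pam_nologin.so": True}
BAD_LOGIN = {"pam_winbind.so": False, "pam_unix.so": False,
             "pam_stack.so": False, "pam_nologin.so": True}

if __name__ == "__main__":
    for name, res in [("domain", DOMAIN_USER), ("local", LOCAL_USER),
                      ("bad", BAD_LOGIN)]:
        print(name, evaluate(GDM_AUTH, res))
```

With these flags a successful `pam_winbind.so` ends the auth stack before `pam_nologin.so` is consulted, so that check only runs for logins that fall through to the `required` lines.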