[Samba] Re: pam settings for winbind

Chris de Vidal cdevidal at yahoo.com
Fri Feb 21 16:53:35 GMT 2003


--- Aaron Bennett <aaron.bennett at olin.edu> wrote:
> I'd also like to configure sshd to use this winbindd.  However, this
> /etc/pam.d/sshd file doesn't work and I can't figure out why.  I've put
> + signs to show the lines I added to the stock RHAT 8 sshd pam def.
> 
> 
> #%PAM-1.0
> + auth       sufficient   /lib/security/pam_winbind.so
> + auth       sufficient   /lib/security/pam_unix.so use_first_pass
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_stack.so service=system-auth
> + account    sufficient   /lib/security/pam_winbind.so
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_limits.so
> session    optional     /lib/security/pam_console.so
> 
> ideas, solutions, and pointers to a FAQ or some good pam documentation
> are all appreciated, as I'll be the first to admit that I don't know my
> ass from my elbow with regards to pam.

LOL.

I looked at the same document you probably looked at:
http://us3.samba.org/samba/docs/Samba-HOWTO-Collection.html#AEN2358
and used the ftp example for any services I have,
except I leave out the pam_listfile.so line at the
top.

In essence, you want auth sufficient pam_winbind.so
before any other auth lines.  Then you want account
sufficient pam_winbind.so before any other account
lines.

This is different for login-type services like kde,
gdm, and login.  Follow the login example for these.

Also, the pam_unix.so use_first_pass you added is only
necessary for pam.d/login (I believe ssh reads that
after reading pam.d/ssh).  Remove this line.

Following the pattern in the ftp example, account
sufficient pam_winbind.so needs to go immediately
before any account lines.  Move it up one.

Finally, the /lib/security is implied (at least it is
in RedHat 7+... YMMV), so you can shorten it to just
pam_winbind.so, which is slick.

For reference, here is my pam.d/ssh file:
#######################################################
#%PAM-1.0
auth       sufficient   pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
#######################################################


Use the pattern I explained above for any other
services (NetAtalk, FTP, etc.).  Use the login example
for login-type services like kde, login, or gdm (as
you have already done).  SSH seems like it would be a
login-type service, but it doesn't appear to act that
way.

Good luck,
/dev/idal
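Added example, not part of either message in this thread: a small Python checker for the ordering rules Chris describes (auth sufficient pam_winbind.so first among the auth lines, account sufficient pam_winbind.so first among the account lines, and no pam_unix.so use_first_pass in the sshd auth stack). The two embedded sample files are constructed from the stacks quoted above with the mail-wrapped lines rejoined; the parser assumes the standard one-entry-per-line pam.d format (type, control, module, arguments) and treats a /lib/security/ path and a bare module name as the same module, as the message says they are on Red Hat.

```python
"""Check a pam.d service file against the winbind stacking pattern from the thread."""
import os
import sys

# Constructed sample 1: Aaron's quoted /etc/pam.d/sshd, with the mail-wrapped
# lines rejoined (a PAM entry is one line: type control module [args]).
ORIGINAL_SSHD = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
account    sufficient   /lib/security/pam_winbind.so
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
"""

# Constructed sample 2: the stack Chris posted as his working pam.d/ssh.
FIXED_SSHD = """\
#%PAM-1.0
auth       sufficient   pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
"""


def parse_pam(text):
    """Parse a pam.d service file into dicts with type, control, module, args.

    Comment lines (including the #%PAM-1.0 header) and blank lines are skipped.
    The module is reduced to its basename so that 'pam_winbind.so' and
    '/lib/security/pam_winbind.so' compare equal (assumption: the directory
    is implied, as the message states for Red Hat 7+).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        entries.append({
            "type": parts[0],
            "control": parts[1],
            "module": os.path.basename(parts[2]),
            "args": parts[3:],
        })
    return entries


def check_winbind_order(entries):
    """Return a list of findings; an empty list means the stack follows the pattern."""
    problems = []
    # Rule 1 and 2: the winbind 'sufficient' entry must lead the auth and account stacks.
    for mtype in ("auth", "account"):
        stack = [e for e in entries if e["type"] == mtype]
        if not stack:
            problems.append("%s: no %s lines at all" % (mtype, mtype))
            continue
        head = stack[0]
        if not (head["control"] == "sufficient" and head["module"] == "pam_winbind.so"):
            problems.append("%s: 'sufficient pam_winbind.so' must be the first %s line (found %s %s)"
                            % (mtype, mtype, head["control"], head["module"]))
    # Rule 3: the extra pam_unix.so use_first_pass auth line is not needed for sshd.
    for e in entries:
        if e["type"] == "auth" and e["module"] == "pam_unix.so" and "use_first_pass" in e["args"]:
            problems.append("auth: 'pam_unix.so use_first_pass' is not needed for sshd here; remove it")
    return problems


def check_file(path):
    """Read-only check of a real pam.d file; nothing is modified."""
    with open(path) as fh:
        return check_winbind_order(parse_pam(fh.read()))


if __name__ == "__main__":
    # Usage: python check_pam_winbind.py /etc/pam.d/sshd  (no args runs the two samples)
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print(path, check_file(path) or "OK")
    else:
        print("original:", check_winbind_order(parse_pam(ORIGINAL_SSHD)))
        print("fixed:   ", check_winbind_order(parse_pam(FIXED_SSHD)) or "OK")
```

Run against Aaron's stack it reports two findings (the account line is in the wrong place and the use_first_pass line is surplus); against Chris's stack it reports none. Because it only reads the file, it is safe to run against a live /etc/pam.d before editing anything.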
