[Samba] Re: pam settings for winbind

Aaron Bennett aaron.bennett at olin.edu
Fri Feb 21 18:40:13 GMT 2003


Thank you.  That did the trick.

Chris de Vidal wrote:
> --- Aaron Bennett <aaron.bennett at olin.edu> wrote:
> 
>>I'd also like to configure sshd to use this
>>winbindd.  However, this /etc/pam.d/sshd file
>>doesn't work and I can't figure out why.  I've put
>>+ signs to show the lines I added to the stock
>>RHAT 8 sshd pam def.
>>
>>
>>#%PAM-1.0
>>+ auth       sufficient   /lib/security/pam_winbind.so
>>+ auth       sufficient   /lib/security/pam_unix.so use_first_pass
>>auth       required     /lib/security/pam_stack.so service=system-auth
>>auth       required     /lib/security/pam_nologin.so
>>account    required     /lib/security/pam_stack.so service=system-auth
>>+ account    sufficient   /lib/security/pam_winbind.so
>>password   required     /lib/security/pam_stack.so service=system-auth
>>session    required     /lib/security/pam_stack.so service=system-auth
>>session    required     /lib/security/pam_limits.so
>>session    optional     /lib/security/pam_console.so
>>
>>ideas, solutions, and pointers to a FAQ or some good
>>pam documentation 
>>are all appreciated, as I'll be the first to admit
>>that I don't know my 
>>ass from my elbow with regards to pam.
> 
> 
> LOL.
> 
> I looked at the same document you probably looked at:
> http://us3.samba.org/samba/docs/Samba-HOWTO-Collection.html#AEN2358
> and used the ftp example for any services I have,
> except I leave out the pam_listfile.so line at the
> top.
> 
> In essence, you want auth sufficient pam_winbind.so
> before any other auth lines.  Then you want account
> sufficient pam_winbind.so before any other account
> lines.
> 
> This is different for login-type services like kde,
> gdm, and login.  Follow the login example for these.
> 
> Also, the pam_unix.so use_first_pass you added is only
> necessary for pam.d/login (I believe ssh reads that
> after reading pam.d/ssh).  Remove this line.
> 
> Following the pattern in the ftp example, account
> sufficient pam_winbind.so needs to go immediately
> before any account lines.  Move it up one.
> 
> Finally, the /lib/security is implied (at least it is
> in RedHat 7+... YMMV), so you can shorten it to just
> pam_winbind.so, which is slick.
> 
> For reference, here is my pam.d/ssh file:
> #######################################################
> #%PAM-1.0
> auth       sufficient   pam_winbind.so
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    sufficient   pam_winbind.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_limits.so
> session    optional     /lib/security/pam_console.so
> #######################################################
> 
> 
> Use the pattern I explained above for any other
> services (NetAtalk, FTP, etc.).  Use the login example
> for login-type services like kde, login, or gdm (as
> you have already done).  SSH seems like it would be a
> login-type service, but it doesn't appear to act that
> way.
> 
> Good luck,
> /dev/idal
> 


-- 
Aaron Bennett
UNIX Administrator
Franklin W. Olin College of Engineering
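The advice above hinges on how Linux-PAM walks a stack: a "sufficient" module that succeeds returns success to the application immediately, provided no earlier "required" module has already failed, and nothing listed after it is consulted. That is what makes "auth sufficient pam_winbind.so" at the top let domain users bypass system-auth, but it also means the "auth required pam_nologin.so" that sits below it is skipped for those users. The following is an added example (editor's code, not from the thread or from Samba) that replays those control-flag rules over a constructed copy of the posted pam.d/ssh stack and over a reordered variant; the module outcomes, the reordering and the stack text are assumptions made for the demonstration.

```python
"""Replay Linux-PAM control-flag semantics over an sshd-style stack.

Added example, not code from the thread. It parses pam.d-style lines and
evaluates one management group (auth, account, ...) the way Linux-PAM
handles the classic keywords required/requisite/sufficient/optional, with
per-module outcomes supplied as a dict so it runs offline.
"""

SUCCESS = "success"
FAIL = "fail"

# Constructed from the pam.d/ssh file posted in the thread (password and
# session groups omitted, wrapped lines rejoined).
AS_POSTED = """\
#%PAM-1.0
auth       sufficient   pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
"""

# Same stack with pam_nologin placed before the short-circuiting line.
# This reordering is the editor's suggestion, not something from the thread.
NOLOGIN_FIRST = """\
#%PAM-1.0
auth       required     /lib/security/pam_nologin.so
auth       sufficient   pam_winbind.so
auth       required     /lib/security/pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
"""


def parse_pam(text):
    """Return (group, control, module, args) for each non-comment line.

    Any directory prefix is dropped so /lib/security/foo.so and foo.so match.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        group, control, module, *args = line.split()
        entries.append((group, control, module.rsplit("/", 1)[-1], args))
    return entries


def evaluate(entries, group, outcomes):
    """Evaluate one group; return (result, list of modules actually run).

    outcomes maps module name -> "success"/"fail"; an unlisted module fails.
    required records a failure but keeps walking the stack, requisite fails
    at once, sufficient returns success at once unless an earlier required
    module failed, optional is ignored (it only counts when it stands alone).
    """
    final = None            # first failure recorded by a required module
    ran = []
    saw_required = False
    for g, control, module, _args in entries:
        if g != group:
            continue
        ran.append(module)
        res = outcomes.get(module, FAIL)
        if control == "required":
            saw_required = True
            if res == FAIL and final is None:
                final = FAIL
        elif control == "requisite":
            saw_required = True
            if res == FAIL:
                return (final or FAIL), ran
        elif control == "sufficient":
            if res == SUCCESS and final is None:
                return SUCCESS, ran     # later lines are never consulted
        elif control == "optional":
            pass
        else:
            raise ValueError("unsupported control flag: " + control)
    if final is not None:
        return final, ran
    # Nothing failed: success if a required module vouched for the user,
    # otherwise every sufficient module failed and so does the stack.
    return (SUCCESS if saw_required else FAIL), ran


def compare(outcomes):
    """Run the auth group of both stacks; return {label: (result, ran)}."""
    return {
        "as_posted": evaluate(parse_pam(AS_POSTED), "auth", outcomes),
        "nologin_first": evaluate(parse_pam(NOLOGIN_FIRST), "auth", outcomes),
    }


if __name__ == "__main__":
    # Constructed scenario: /etc/nologin exists (pam_nologin fails for a
    # non-root user) while the domain controller accepts the password.
    scenario = {"pam_winbind.so": SUCCESS, "pam_nologin.so": FAIL}
    for label, (result, ran) in compare(scenario).items():
        print(f"{label:14s} -> {result:8s} modules run: {ran}")
```

With the posted ordering the winbind success ends the auth walk after one module, so the nologin check never runs for domain accounts; with pam_nologin listed first its failure is recorded before the sufficient line and the stack fails as intended. The skip of pam_stack/system-auth for winbind users is the behaviour the HOWTO pattern is designed to give, but any policy module you want enforced for everyone (pam_nologin, pam_access and the like) has to sit above the sufficient line, not below it.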