[Samba] WinBind and gdm/login

Patrick Gunerud slu at firerun.net
Wed Jun 18 23:32:55 GMT 2003


The only way I could get it to work was to have the following gdm pam 
config:

#%PAM-1.0
auth       required    pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required    pam_stack.so service=system-auth
auth       required    pam_nologin.so
account    sufficient   pam_winbind.so
account    required    pam_stack.so service=system-auth
password   required    pam_stack.so service=system-auth
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required    pam_stack.so service=system-auth
session    optional     pam_console.so

That will allow gdm to authenticate the user, but it will not allow 
usernames with a + or \ separator so the way around that is to set the 
following option:

winbind use default domain = yes

That will allow logging in with just the username.  The only problem 
occurs when you have a user from another domain that needs to log in.

Patrick


Brett Hales wrote:

>Hi,
>
>I am currently trying to set up a RedHat 9 Linux client to authenticate
>against a Windows 2000 Active Directory server.
>
>Using the Winbind documentation I have successfully authenticated
>however I now have a problem with gdm.
>
>Jun 18 12:18:48 jerry pam_winbind[1192]: user 'AU+Bhales' granted acces
>Jun 18 12:18:48 jerry pam_winbind[1192]: user 'AU+Bhales' granted acces
>Jun 18 12:18:49 jerry gdm(pam_unix)[1192]: session opened for user
>AU+Bhales by (uid=0)
>Jun 18 12:18:49 jerry gdm[1202]: gdm_slave_session_start: User not
>allowed to log in
>
>Does anybody know why gdm_slave_session_start is not allowing me to
>login when pam_winbind has already authenticated me?
>
>Thanks,
>
>  
>
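
Added example (not part of the original post or of Samba/PAM itself): a simplified model of the PAM control flags, run over the gdm config quoted above, to show which modules are never consulted once a `sufficient` module succeeds. With this ordering, a successful pam_winbind.so ends the auth stack before pam_nologin.so and ends the account stack before system-auth. Assumptions: only required/requisite/sufficient/optional are modelled, pam_stack.so is treated as a single module, and a module succeeds unless `results` says otherwise.

```python
# Added example: simplified model of Linux-PAM control flags, not PAM's own code.
# GDM_PAM is the gdm config from the post; everything else is hypothetical.
GDM_PAM = """\
#%PAM-1.0
auth       required    pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required    pam_stack.so service=system-auth
auth       required    pam_nologin.so
account    sufficient   pam_winbind.so
account    required    pam_stack.so service=system-auth
password   required    pam_stack.so service=system-auth
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required    pam_stack.so service=system-auth
session    optional     pam_console.so
"""

def parse(text):
    """Return {type: [(control, module, args), ...]} from pam.d-style lines."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            mtype, control, module, *args = line.split()
            stacks.setdefault(mtype, []).append((control, module, args))
    return stacks

def evaluate(stack, results):
    """Walk one stack; results maps module -> bool (missing = success).
    Returns (granted, modules_run, modules_skipped)."""
    failed = saw_ok = False
    ran = []
    for i, (control, module, _) in enumerate(stack):
        ran.append(module)
        ok = results.get(module, True)
        rest = [m for _, m, _ in stack[i + 1:]]
        if control == "sufficient" and ok and not failed:
            return True, ran, rest          # success ends the stack here
        if control == "requisite" and not ok:
            return False, ran, rest         # failure ends the stack here
        if control == "required" and not ok:
            failed = True                   # remembered, stack continues
        saw_ok = saw_ok or ok               # failed sufficient/optional is ignored
    return saw_ok and not failed, ran, []

if __name__ == "__main__":
    for mtype, stack in parse(GDM_PAM).items():
        granted, ran, skipped = evaluate(stack, {})
        print(f"{mtype:9} granted={granted} skipped={skipped}")
```

Modules listed as skipped are the checks to move above the `sufficient` lines if they must apply to domain users as well.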