[Samba] Winbindd and SSH (just disconnects after login)

Tim sambalists at rineco.com
Tue Nov 25 13:40:24 GMT 2003


Buchan,

First off, thanks for the reply, it's greatly appreciated.

I decided to leave it alone for a day or two and re-visit the configuration
and was able to successfully get things working on my first attempt.  Here's
what I ended up with for my /etc/pam.d/sshd:

auth       required     pam_nologin.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     pam_unix.so use_first_pass shadow
auth       required     pam_env.so

account    sufficient   /lib/security/pam_winbind.so
account    required     pam_unix.so use_first_pass

session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     pam_unix.so
session    optional     pam_lastlog.so
session    optional     pam_motd.so
session    optional     pam_mail.so standard noenv
session    required     pam_limits.so

password   sufficient   /lib/security/pam_winbind.so
password   required     pam_unix.so

So you can see that you were correct in regard to use_first_pass.  I'm not
sure if everything I have in here is necessary, but it appears to be
working, so I may tweak things a little to find out exactly what *is*
required.

> > account    required     pam_unix.so use_first_pass
>
> You might need "try_first_pass" here too.

I'll find out today if this is necessary or not.

> openssh's approach to solving the longer delay for a valid user account
> (account discovery bug) was to give a pam authentication failure first
> for any connection (as I understand this). So, your "use_first_pass" is
> getting a bad password, and you aren't allowing it to prompt for a 2nd
> attempt.
>
> BTW, you don't see this with public key authentication ... so the
> default /etc/pam.d/system-auth is broken for ssh too if you use drakauth
> to setup winbind :-(.

Thanks again,
-=tim
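
Added example, not part of the original message: a small Python model of how Linux-PAM control flags walk the auth and session stacks posted above, showing which modules are actually reached for a domain user versus a local user. The control-flag handling is a simplified assumption (required, requisite, sufficient, optional only), and module outcomes are supplied by the caller rather than by real PAM modules.

```python
# Constructed from the /etc/pam.d/sshd posted above (auth and session stacks).
SSHD_PAM = """\
auth       required     pam_nologin.so
auth       sufficient   /lib/security/pam_winbind.so
auth       required     pam_unix.so use_first_pass shadow
auth       required     pam_env.so
session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     pam_unix.so
session    optional     pam_lastlog.so
session    optional     pam_motd.so
session    optional     pam_mail.so standard noenv
session    required     pam_limits.so
"""

def parse(text):
    """Return {facility: [(control, module_name), ...]} in file order."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        facility, control, module = line.split()[:3]
        name = module.rsplit("/", 1)[-1]      # drop /lib/security/ prefix
        stacks.setdefault(facility, []).append((control, name))
    return stacks

def run_stack(stack, failing=()):
    """Simplified control-flag model. Returns (ok, modules_called)."""
    called, failed = [], False
    for control, name in stack:
        called.append(name)
        ok = name not in failing              # outcome assumed by the caller
        if control == "sufficient" and ok and not failed:
            return True, called               # stack ends here, rest skipped
        if control in ("required", "requisite") and not ok:
            failed = True
            if control == "requisite":
                break                         # requisite fails immediately
        # a failed "sufficient" and any "optional" result are ignored
    return not failed, called

STACKS = parse(SSHD_PAM)

if __name__ == "__main__":
    print("domain user auth:", run_stack(STACKS["auth"]))
    print("local user auth: ", run_stack(STACKS["auth"], ("pam_winbind.so",)))
    print("session:         ", run_stack(STACKS["session"]))
```

In this model a successful pam_mkhomedir.so marked "sufficient" ends the session stack, so pam_unix.so and pam_limits.so are never called; that is worth checking when deciding which lines are required.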




