[Samba] pam_winbind succeeds but pam_unix fails !
Samba
Samba at guidemail.com
Fri Apr 30 11:37:09 GMT 2004
Try this:
auth sufficient pam_winbind.so debug
auth required pam_stack.so service=system-auth
account sufficient pam_winbind.so debug
account sufficient pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
Once winbind passes and is sufficient the rest of the checks in that "stack"
are skipped. If you run the pam_unix check first and it fails then the
stack will fail regardless.
Josh
-----Original Message-----
From: McNally, Ian [mailto:Ian.McNally at racq.com.au]
Sent: Thursday, April 29, 2004 9:47 PM
To: samba at lists.samba.org
Subject: [Samba] pam_winbind succeeds but pam_unix fails !
Hi, I am attempting to authenticate ssh access against users in active
directory using winbind + pam . Unfortunately all they receive is
"permission denied, please try again". A tail -f of /var/log/messages
reveals :
Apr 30 12:32:41 HOST sshd(pam_unix)[3011]: check pass; user unknown
Apr 30 12:32:41 HOST sshd(pam_unix)[3011]: authentication failure; logname=
uid=0 euid=0 tty=NODEVssh ruser= rhost=localhost.localdomain
Apr 30 12:32:41 HOST pam_winbind[3011]: Verify user `DOMAIN+bob'
Apr 30 12:32:42 HOST pam_winbind[3011]: user 'DOMAIN+bob' granted acces
The server users are sshing to is running samba 3.0.2 of Fedora core 1. as a
domain member server. wbinfo and getent commands work correctly on the samba
server, and chown files as active directory users works. I know I have
missed something simple, but for the life of me, I can't find what it is
/etc/pam.d/sshd
auth required pam_stack.so service=system-auth
auth sufficient pam_winbind.so debug
account sufficient pam_stack.so service=system-auth
account sufficient pam_winbind.so debug
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
Please Note:
This communication has been sent on behalf of The Royal Automobile Club of
Queensland Limited (RACQ). The information contained in this communication
may be privileged and confidential. If you are not the intended recipient,
any use, disclosure or copying of this communication is expressly
prohibited. If you have received this communication in error, please delete
it immediately. RACQ and its associated entities do not warrant or
represent that this communication (including any enclosed files) is free
from electronic viruses, faults or defects.
If this is a commercial electronic message within the meaning of the Spam
Act(2003), you may indicate that you do not wish to receive any further
commercial electronic messages from RACQ by sending an e-mail to
unsubscribe at racq.com.au with your details or by contacting RACQ on 131905
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
This message and accompanying documents are covered by the Electronic
Communications Privacy Act, 18 U.S.C. §§ 2510-2521, and contains information
intended for the specified individual(s) only. This information is
confidential. If you are not the intended recipient or an agent responsible
for delivering it to the intended recipient, you are hereby notified that
you have received this document in error and that any review, dissemination,
copying, or the taking of any action based on the contents of this
information is strictly prohibited. If you have received this communication
in error, please notify us immediately by e-mail, and delete the original
message.
More information about the samba
mailing list