[Samba] pam_winbind succeeds but pam_unix fails !

Samba Samba at guidemail.com
Fri Apr 30 11:37:09 GMT 2004 

Try this:  

auth       sufficient   pam_winbind.so debug
auth       required     pam_stack.so service=system-auth
account    sufficient   pam_winbind.so debug
account    sufficient   pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

Once winbind passes and is sufficient the rest of the checks in that "stack"
are skipped.  If you run the pam_unix check first and it fails then the
stack will fail regardless.

Josh

-----Original Message-----
From: McNally, Ian [mailto:Ian.McNally at racq.com.au]
Sent: Thursday, April 29, 2004 9:47 PM
To: samba at lists.samba.org
Subject: [Samba] pam_winbind succeeds but pam_unix fails !


Hi, I am attempting to authenticate ssh access against users in active
directory using winbind + pam . Unfortunately all they receive is
"permission denied, please try again". A tail -f of /var/log/messages
reveals :

Apr 30 12:32:41 HOST sshd(pam_unix)[3011]: check pass; user unknown
Apr 30 12:32:41 HOST sshd(pam_unix)[3011]: authentication failure; logname=
uid=0 euid=0 tty=NODEVssh ruser= rhost=localhost.localdomain 
Apr 30 12:32:41 HOST pam_winbind[3011]: Verify user `DOMAIN+bob'
Apr 30 12:32:42 HOST pam_winbind[3011]: user 'DOMAIN+bob' granted acces

The server users are sshing to is running samba 3.0.2 of Fedora core 1. as a
domain member server. wbinfo and getent commands work correctly on the samba
server, and chown files as active directory users works. I know I have
missed something simple, but for the life of me, I can't find what it is

/etc/pam.d/sshd

auth       required     pam_stack.so service=system-auth
auth       sufficient   pam_winbind.so debug
account    sufficient   pam_stack.so service=system-auth
account    sufficient   pam_winbind.so debug
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so



 


Please Note:

This communication has been sent on behalf of The Royal Automobile Club of
Queensland Limited (RACQ).  The information contained in this communication
may be privileged and confidential.  If you are not the intended recipient,
any use, disclosure or copying of this communication is expressly
prohibited.  If you have received this communication in error, please delete
it immediately.  RACQ and its associated entities do not warrant or
represent that this communication (including any enclosed files) is free
from electronic viruses, faults or defects.

If this is a commercial electronic message within the meaning of the Spam 
Act(2003), you may indicate that you do not wish to receive any further 
commercial electronic messages from RACQ by sending an e-mail to 
unsubscribe at racq.com.au with your details or by contacting RACQ on 131905


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
   
This message and accompanying documents are covered by the Electronic
Communications Privacy Act, 18 U.S.C. §§ 2510-2521, and contains information
intended for the specified individual(s) only. This information is
confidential. If you are not the intended recipient or an agent responsible
for delivering it to the intended recipient, you are hereby notified that
you have received this document in error and that any review, dissemination,
copying, or the taking of any action based on the contents of this
information is strictly prohibited. If you have received this communication
in error, please notify us immediately by e-mail, and delete the original
message.

More information about the samba mailing list