[Samba] pam ssh authentication using winbind

John Stile john at stilen.com
Wed Dec 1 06:16:11 GMT 2004


Samba is set up as a member server in a native AD domain, with winbind
authenticating AD users for access to shares.  My understanding is that
with pam and winbind, domain users can log into the samba server via
ssh even if they do not have a local user account.  The logs show access
granted but user unknown, so I must be missing something and need some
help.

/var/log/messages during an ssh login:
   Nov 30 21:44:56 myserver pam_winbind[7349]: user 'stile' granted access
   Nov 30 21:45:44 myserver sshd(pam_unix)[7349]: check pass; user unknown
   Nov 30 21:45:44 myserver pam_winbind[7349]: user 'stile' granted access

Using Red Hat EL AS 3 + samba-3.0.9-1 + krb5-lib-1.3.1

/etc/pam.d/sshd
#%PAM-1.0
# PAM stack for sshd: local accounts via the shared system-auth stack, AD
# accounts via pam_winbind.  Entries of one type are evaluated top to bottom.
#
# NOTE(review): system-auth is 'required' and runs before pam_winbind.  A
# failed 'required' entry is remembered, and a later 'sufficient' success does
# not cancel it.  system-auth itself is not shown; the sshd(pam_unix) "user
# unknown" log line suggests it contains pam_unix, which would fail for an
# account that exists only in AD.  /etc/pam.d/login in this post puts
# pam_winbind ahead of system-auth instead.
# NOTE(review): "user unknown" also means the name could not be resolved
# through NSS; sshd needs the account to resolve as well.  nsswitch.conf is
# not shown -- confirm that passwd/group lookups include winbind.
auth       required     pam_stack.so service=system-auth
auth       sufficient   pam_winbind.so
# NOTE(review): when pam_winbind succeeds as 'sufficient' with no earlier
# 'required' failure, processing stops there and pam_nologin below is never
# consulted, so /etc/nologin would not block those logins.  Listing
# pam_nologin before the 'sufficient' entry avoids that.
auth       required     pam_nologin.so
# A pam_winbind success here ends account checking, so the account rules in
# system-auth are skipped for users winbind accepts.
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# NOTE(review): no entry in this file creates the home directory that
# smb.conf's template homedir points to (system-auth may) -- confirm.
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

/etc/pam.d/login
#%PAM-1.0
# PAM stack for console login.  Unlike the sshd file in this post,
# pam_winbind is tried before the system-auth stack.
#
# pam_securetty is 'required' and comes first, so its result still counts
# even when a later 'sufficient' entry succeeds.
auth       required     pam_securetty.so
# NOTE(review): a pam_winbind success ends the auth stack here, so neither
# system-auth nor pam_nologin below is evaluated for users winbind accepts;
# /etc/nologin would not block them.  List pam_nologin ahead of this entry if
# it should apply to domain users too.
auth       sufficient   pam_winbind.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
# A pam_winbind success here ends account checking, so the account rules in
# system-auth are skipped for users winbind accepts.
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

/etc/samba/smb.conf
[global]
   # Global settings for a Samba member server in an Active Directory realm
   # (security = ADS), with winbind supplying domain users and groups.
   server string = Samba Server
   workgroup = MYREALM
   realm = MYREALM.MY.DOMAIN.COM
   security = ADS
   # NOTE(review): the map file rewrites client-supplied user names before
   # authentication; keep it writable by root only.
   username map = /etc/samba/smbusers
   # NOTE(review): with "Bad User", a login under a name that does not exist
   # is treated as a guest session instead of being rejected.  No shares are
   # shown here; check that none allow guest access unintentionally.
   map to guest = Bad User
   # "*" lets Samba locate a domain controller itself.
   password server = *
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   # Never take part in browse-master elections on this member server.
   preferred master = no
   local master = no
   domain master = no
   os level = 33
   wins server = 128.32.68.75 128.32.67.118
   # NOTE(review): turns off SSL/TLS for Samba's own LDAP connections.  No
   # LDAP backend is configured in this section, so it may be unused; confirm
   # before relying on it.
   ldap ssl = no
   # UID/GID range winbind allocates to domain users and groups; keep it
   # disjoint from the IDs of local accounts.
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind separator = +
   # NOTE(review): domain users appear without the DOMAIN+ prefix (the log
   # shows plain 'stile'), so domain and local account names share one
   # namespace.  Check for collisions with local accounts.
   winbind use default domain = Yes
   template primary group = "Domain Users"
   template homedir = /home/%U
   # NOTE(review): every domain account that passes the PAM stack gets an
   # interactive shell.  If only some AD users should log in over ssh,
   # restrict them by group in PAM or with sshd's AllowGroups.
   template shell = /bin/bash
   load printers = no
   log level = 1
   syslog = 0
   log file = /var/log/samba/%m.log
   # 0 disables the size limit, so per-client logs grow until rotated some
   # other way.
   max log size = 0



