[Samba] pam ssh authentication using winbind
John Stile
john at stilen.com
Wed Dec 1 06:16:11 GMT 2004
Samba is set up as a Member Server in a native AD domain, with winbind
authenticating AD users for access to shares. My understanding is that
with pam and winbind, domain users can log into the samba server via
ssh even if they do not have a local user account. Is that correct? The
logs show access granted by pam_winbind but "user unknown" from pam_unix,
so I must be missing something and need some help.
/var/log/messages during an ssh login:
Nov 30 21:44:56 myserver pam_winbind[7349]: user 'stile' granted access
Nov 30 21:45:44 myserver sshd(pam_unix)[7349]: check pass; user unknown
Nov 30 21:45:44 myserver pam_winbind[7349]: user 'stile' granted access
Using Red Hat EL AS 3 + samba-3.0.9-1 + krb5-lib-1.3.1
/etc/pam.d/sshd
#%PAM-1.0
# Review notes (comments only; every directive below is unchanged).
# PAM walks the lines of each type top to bottom. A "sufficient" success ends
# that type's stack immediately, but only if no earlier "required" module has
# already failed; otherwise the success is ignored and the stack still fails.
#
# auth: system-auth is consulted first. The "sshd(pam_unix) ... user unknown"
# log line shows pam_unix does not know the domain user. system-auth itself is
# not shown here -- presumably it returns failure for that user, which as a
# "required" failure would override pam_winbind's "granted access". TODO confirm
# against /etc/pam.d/system-auth.
auth required pam_stack.so service=system-auth
# When pam_winbind succeeds and nothing above has failed, the auth stack returns
# here and pam_nologin below is never consulted for that login.
auth sufficient pam_winbind.so
auth required pam_nologin.so
# account: pam_winbind is first, so its success skips the system-auth account
# checks on the next line for winbind-authenticated users.
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# session: nothing visible here creates a home directory for a domain user on
# first login; smb.conf sets template homedir = /home/%U. Whether system-auth
# handles that is not shown -- verify.
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
# NOTE(review): "user unknown" from pam_unix suggests the name service cannot
# resolve the account. /etc/nsswitch.conf is not shown; check that its passwd:
# and group: lines include winbind and that `getent passwd stile` returns an entry.
/etc/pam.d/login
#%PAM-1.0
# Review notes (comments only; every directive below is unchanged).
# Ordering differs from the /etc/pam.d/sshd listing in this post: here
# pam_winbind comes before system-auth in the auth stack.
auth required pam_securetty.so
# "sufficient": if pam_winbind succeeds and pam_securetty above did not fail,
# the auth stack returns success here, so neither system-auth nor pam_nologin
# below is evaluated for that login. If /etc/nologin is meant to block domain
# users too, pam_nologin has to be evaluated before this line.
auth sufficient pam_winbind.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
# account: a pam_winbind success skips the system-auth account checks that follow.
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
/etc/samba/smb.conf
[global]
# Review notes (comments only; every parameter below is unchanged).
server string = Samba Server
workgroup = MYREALM
realm = MYREALM.MY.DOMAIN.COM
# Member server in an Active Directory realm.
security = ADS
# Maps client-supplied user names to Unix names. The map file is not shown;
# it should be writable by root only, since it decides which Unix identity
# a client name resolves to.
username map = /etc/samba/smbusers
# A login with a user name Samba does not know is treated as a guest login
# instead of being rejected. No share definitions appear in this listing;
# review any share that allows guest access with this in mind.
map to guest = Bad User
# "*" lets Samba locate the domain controllers itself.
password server = *
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = no
local master = no
domain master = no
os level = 33
wins server = 128.32.68.75 128.32.67.118
# Disables SSL on Samba's own LDAP connections. No LDAP backend is visible in
# this listing, so it may have no effect here -- verify before relying on it.
ldap ssl = no
# UID/GID ranges winbind allocates to domain users and groups; they must not
# overlap IDs used by local accounts on this host.
idmap uid = 10000-20000
idmap gid = 10000-20000
# Domain users and groups can be enumerated through the name service.
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
# Domain users appear without a domain prefix (the log shows plain 'stile'),
# so a local account and a domain account with the same name are ambiguous.
winbind use default domain = Yes
template primary group = "Domain Users"
template homedir = /home/%U
# Every domain user is given an interactive shell. Combined with the PAM files
# in this post, nothing shown limits which AD accounts may log in via ssh;
# consider restricting that, e.g. with AllowGroups in sshd_config.
template shell = /bin/bash
load printers = no
log level = 1
syslog = 0
log file = /var/log/samba/%m.log
# 0 means no size limit on the per-machine log files; make sure something
# else rotates them.
max log size = 0