[Samba] ADS Authentication

Christoph Scheeder christoph.scheeder at scheeder.de
Tue Dec 7 11:48:41 GMT 2004

2 points:
1.) use the smb.conf which gives you a working wbinfo.
2.) this sounds like misconfigured pam to me.
    -you have to tell pam that winbind is "sufficient" for "auth" and
     "account" with the lines

     "account   sufficient pam_winbind.so" and
     "auth      sufficient pam_winbind.so"

     this drops the need for the local posix-account.
    -And for the "auth" modify the line with pam_unix.so to read like

     "auth required pam_unix.so use_first_pass nullok"

     this gets rid of the second password prompt.

hope it helps.

Tom Skeren wrote:
> Jeremy Allison wrote:
>> On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:
>>> I'm about ready to smash my head through a wall...I could use a few 
>>> answers.
>>> 1.  When using security = ads, and completing net ads join, it was my 
>>> understanding that samba authenticated username/pword against ads, 
> >>> and local posix accounts were no longer needed, is this true?
>> Yes, so long as you have nsswitch and pam set up correctly. It sounds
>> like you don't.
> Well, I've followed every how-to that I can find.  I have some 
> strangeness.  When I log into the unix terminal I have to supply 2 root 
> passwords...the posix one and the one for root in ADS (they're 
> different)....to login.  The same for a user with both posix and ADS 
> accounts.  Non posix account users cannot login with an ADS account to 
> the terminal.
> Depending on changes to the smb.conf file I get wild results with 
> winbindd.  One config gives users and groups with a wbinfo -u/g 
> command.  Others error out with differing reasons for the errors.
> I'm really not sure where the error is...it should be working, but it is 
> not.
>> Jeremy.
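
Added example, not part of the original message or of Samba: a small Python check of a PAM service file against the layout described in the reply above (pam_winbind.so "sufficient" for "auth" and "account", and pam_unix.so with use_first_pass below it). The sample file contents, the function names and the informational note about nullok are assumptions of this example.

```python
import re

# Constructed sample: a PAM service file laid out as the reply describes.
SAMPLE = """\
auth      sufficient pam_winbind.so
auth      required   pam_unix.so use_first_pass nullok
account   sufficient pam_winbind.so
account   required   pam_unix.so
"""

RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) for every rule line."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:  # blank lines, comments and @include lines do not match
            kind, control, module, args = m.groups()
            rules.append((kind.lstrip("-"), control,
                          module.rsplit("/", 1)[-1], args.split()))
    return rules

def check_winbind_stack(text):
    """List deviations from the layout in the reply; empty list means none."""
    rules = parse_pam(text)
    findings = []
    for kind in ("auth", "account"):
        if (kind, "sufficient", "pam_winbind.so") not in [r[:3] for r in rules]:
            findings.append(f"{kind}: no 'sufficient pam_winbind.so' line")
    auth = [(mod, args) for kind, _, mod, args in rules if kind == "auth"]
    for i, (mod, args) in enumerate(auth):
        if mod != "pam_unix.so":
            continue
        earlier = [m for m, _ in auth[:i]]
        if "use_first_pass" not in args:
            findings.append("auth: pam_unix.so lacks use_first_pass (second prompt)")
        elif "pam_winbind.so" not in earlier:
            findings.append("auth: no pam_winbind.so above pam_unix.so use_first_pass")
        if "nullok" in args:
            findings.append("note: nullok lets empty-password local accounts pass pam_unix.so")
    return findings

if __name__ == "__main__":
    for finding in check_winbind_stack(SAMPLE) or ["layout matches"]:
        print(finding)
```
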
