[Samba] ADS Authentication
tms3 at fsklaw.net
Tue Dec 7 17:31:06 GMT 2004
Christoph Scheeder wrote:
> 2 points:
> 1.) use the smb.conf which gives you a working wbinfo.
> 2.) this sounds like misconfigured pam to me.
> -you have to tell pam that winbind is "sufficient" for "auth" and
> "account" with the lines
Here's the /etc/pam.d/login file info. This must be working because of
the dual authentication when logging in at the terminal. In fact, if you
open a new terminal session and log in there, the primary [F1] screen
will show "pam_winbind: user 'root' granted access".
Further, when attempting to log on with an ADS account, although the
login fails, pam_winbind grants access.
Here's the file info:
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
# PAM configuration for the "login" service
auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth include system
auth sufficient /usr/local/lib/pam_winbind.so
account requisite pam_securetty.so
account include system
account sufficient /usr/local/lib/pam_winbind.so
session include system
password include system
> "account sufficient pam_winbind.so" and
> "auth sufficient pam_winbind.so"
> this drops the need for the local posix-account.
> -And for the "auth" modify the line with pam_unix.so to read like
> "auth required pam_unix.so use_first_pass nullok"
> this gets you rid of the second password-prompt.
> hope it helps.
> Tom Skeren schrieb:
>> Jeremy Allison wrote:
>>> On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:
>>>> I'm about ready to smash my head through a wall...I could use a few
>>>> 1. When using security = ads, and completing net ads join, it was
>>>> my understanding that samba authenticated username/pword against
>>>> ads, and local posix accounts were no longer needed, is this true?
>>> Yes, so long as you have nsswitch and pam set up correctly. It sounds
>>> like you don't.
>> Well, I've followed every how to that I can find. I have some
>> strangeness. When I log into the unix terminal I have to supply 2
>> root passwords...the posix one and the one for root in ADS (they're
>> different)....to login. The same for a user with both posix and ADS
>> accounts. Non posix account users cannot login with an ADS account
>> to the terminal.
>> Depending on changes to the smb.conf file I get wild results with
>> winbindd. One config gives users and groups with a wbinfo -u/g
>> command. Others error out with differing reasons for the errors.
>> I'm really not sure where the error is...it should be working, but it
>> is not.
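To show why the posted login file prompts twice and still rejects ADS-only users, here is an added model of PAM "auth" stack evaluation (not code from the thread or from Samba). It reduces the stack to the pam_unix entry that "include system" pulls in and the pam_winbind entry, assumes the advised layout places "auth sufficient pam_winbind.so" before "auth required pam_unix.so use_first_pass", and uses constructed password tables in place of /etc/master.passwd and the domain controller.

```python
"""Simplified PAM auth-stack evaluator (added illustration, not Samba code).

Control flags follow PAM semantics: 'required' records a failure but keeps
going, 'requisite' fails at once, 'sufficient' ends the stack with success
only if no earlier 'required' module has failed. A module re-uses the
password already typed when it carries use_first_pass/try_first_pass;
otherwise it shows its own prompt, which is what produced the second prompt.
"""

# Constructed accounts: root and tom exist both locally and in ADS (with
# different passwords, as in the thread); alice exists only in ADS.
LOCAL_PASSWD = {"root": "localroot", "tom": "localtom"}
ADS_PASSWD = {"root": "adsroot", "tom": "adstom", "alice": "adsalice"}

# Posted file, reduced: 'include system' contributes pam_unix as 'required'
# (FreeBSD /etc/pam.d/system), then pam_winbind follows without use_first_pass.
POSTED_STACK = [("required", "pam_unix.so", "no_warn try_first_pass"),
                ("sufficient", "pam_winbind.so", "")]

# Advised layout (assumed ordering): winbind first as 'sufficient', then
# pam_unix 'required' with use_first_pass so it never prompts a second time.
ADVISED_STACK = [("sufficient", "pam_winbind.so", ""),
                 ("required", "pam_unix.so", "no_warn use_first_pass nullok")]


def run_auth_stack(stack, user, answers):
    """Evaluate `stack` for `user`; `answers` are the passwords typed at each
    successive prompt. Returns (granted, number_of_prompts_shown)."""
    typed = []
    failed_required = False
    for control, module, options in stack:
        reuse = ("use_first_pass" in options or "try_first_pass" in options)
        if reuse and typed:
            password = typed[-1]          # re-use the earlier prompt's answer
        else:
            typed.append(answers[len(typed)] if len(typed) < len(answers) else None)
            password = typed[-1]          # a fresh prompt was shown
        db = LOCAL_PASSWD if module == "pam_unix.so" else ADS_PASSWD
        ok = db.get(user) == password     # pam_winbind would log "granted access" here
        if control == "sufficient" and ok and not failed_required:
            return True, len(typed)
        if control == "requisite" and not ok:
            return False, len(typed)
        if control == "required" and not ok:
            failed_required = True
    return (not failed_required), len(typed)


if __name__ == "__main__":
    print(run_auth_stack(POSTED_STACK, "root", ["localroot", "adsroot"]))    # (True, 2)
    print(run_auth_stack(POSTED_STACK, "alice", ["adsalice", "adsalice"]))   # (False, 2)
    print(run_auth_stack(ADVISED_STACK, "alice", ["adsalice"]))              # (True, 1)
```

With the posted order, alice's winbind check succeeds but the earlier 'required' pam_unix failure already decided the outcome, which matches "pam_winbind grants access" while the login fails.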