[Samba] ADS Authentication

Christoph Scheeder christoph.scheeder at scheeder.de
Wed Dec 8 08:01:46 GMT 2004

Your pam.d/logon file locks nice, mostly......
as you stated, the winbind part is authenticating correct, so you would
be able to login with an ADS account, if not the pam system would try to
verify the posix-account too.
This is why you get asked for the second password.
As i'm running linux and you FreeBSD there are differences in the syntax
of the pam-files.
There must be an option like "use_first_pass" in your system too, and i
guess it would apply to the lines calling the "system"-module.
You'll have to check your pam documentation for this.
It is definitly not a samba problem.
After winbind authenticated the user there is no part of samba involved
in the login process anymore.

Tom Skeren schrieb:
> Christoph Scheeder wrote:
>> Hi,
>> 2 points:
>> 1.) use the smb.conf which gives you a working wbinfo.
>> 2.) this sounds like missconfigured pam to me.
>>    -you have to tell pam that winbind is "sufficient" for "auth" and
>>     "account" with the lines
> Here's the /etc/pam.d/logon file info.  This must be working because of 
> the dual authentication when logging in at the terminal.  In fact if you 
> open a new terminal sessions and log in there, the primary [F1] screen 
> will show "pam_winbind[451]: user 'root' granted access".
> Further, when attempting to log on with an ADS account, although the log 
> in fails, pam_winbind grants access.
> Here's the file info:
> #
> # $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
> #
> # PAM configuration for the "login" service
> #
> # auth
> auth            required        pam_nologin.so          no_warn
> auth            sufficient      pam_self.so             no_warn
> auth            include         system
> auth            sufficient      /usr/local/lib/pam_winbind.so
> # account
> account         requisite       pam_securetty.so
> account         include         system
> account         sufficient      /usr/local/lib/pam_winbind.so
> # session
> session         include         system
> # password
> password        include         system
>>     "account   sufficient pam_winbind.so" and
>>     "auth      sufficient pam_winbind.so"
>>     this drops the need for the local posix-account.
>>    -And for the "auth" modify the line with pam_unix.so to read like
>>     "auth required pam_unix.so use_first_pass nullok"
>>     this gets you rid of the second password-prompt.

More information about the samba mailing list