[Samba] Gentoo, Pam, Sshd, Winbind + AD

mike cole coley at linuxmail.org
Fri Aug 5 19:22:54 GMT 2005


Hi,

I've read through some of the posts and can't see an answer to my query so I'm throwing it here :)

GOAL: To use Winbind to authenticate users against the directory, for Console Login, GDM, SSH, etc.

While this has been somewhat successful, there are a few errors that I would like to remove (if possible).

Firstly:

When I ssh with an AD user all appears to log in ok, except the ssh client in Windows throws up 'Enter your Authentication Response', and in the syslog there are 2 entries:

pam_winbind[12657]: user 'bill' granted access
pam_winbind[12657]: user 'bill' granted access
sshd[12714]: Accepted keyboard-interactive/pam for bill from xx.xx.xx.xx port 1423 ssh2
sshd(pam_unix)[12720]: session opened for user bill by (uid=0)


Shouldn't there just be one pam_winbind entry?

Secondly:

When I ssh with a non-AD user, such as root, Windows still throws up 'Enter your Authentication Response', and in the syslog, the following:

pam_winbind[12682]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
pam_winbind[12682]: user 'root' granted access
sshd[12677]: Accepted keyboard-interactive/pam for root from xx.xx.xx.xx port 1413 ssh2
sshd(pam_unix)[12683]: session opened for user root by root(uid=0)

Now, although it did indeed log my root user in, I'm baffled as to why winbind even attempted to look in the AD. In the nsswitch.conf (below) it clearly states COMPAT WINBIND, which I took to mean that it would look in files first (e.g. passwd/group) and then winbind would query the AD, but clearly this error states otherwise.

# /etc/nsswitch.conf:

passwd:      compat winbind
shadow:      compat
group:       compat winbind

# /etc/pam/sshd

#%PAM-1.0

auth       required     pam_stack.so service=system-auth-winbind 
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth-winbind
password   required     pam_stack.so service=system-auth-winbind
session    required     pam_stack.so service=system-auth-winbind

# /etc/pam/system-auth-winbind
#%PAM-1.0

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so

account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

#session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022 
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Any pointers or direct help would be gratefully received.

Thanks

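Added example, not part of the original post: a short Python walk of the `auth` lines of the posted system-auth-winbind file, using simplified `required`/`sufficient` semantics, to show which modules PAM calls for each user. PAM runs the modules in the order the service file lists them, independently of nsswitch.conf; the per-module results for 'bill' and 'root' are assumptions, not measured output.

```python
# Added example: simplified model of PAM control flags (required / sufficient
# only) applied to the stack posted above. Not code from Samba or Linux-PAM.
STACK = """\
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so
"""

def parse(text, phase):
    """Return [(control, module_name)] for one management group, in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == phase:
            rules.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return rules

def run_stack(rules, outcomes):
    """Evaluate rules top to bottom; outcomes maps module -> True on success.
    Returns (granted, modules_called)."""
    called, required_failed = [], False
    for control, module in rules:
        ok = outcomes[module]
        called.append(module)
        # A successful 'sufficient' module ends the stack early, unless an
        # earlier 'required' module has already failed.
        if control == "sufficient" and ok and not required_failed:
            return True, called
        # A failed 'sufficient' module is ignored; a failed 'required' one
        # dooms the result but the remaining modules still run.
        if control == "required" and not ok:
            required_failed = True
    return not required_failed, called

# Assumed module results: pam_env succeeds, pam_deny always fails,
# pam_winbind accepts only the AD user, pam_unix accepts only root.
BILL = {"pam_env.so": True, "pam_winbind.so": True, "pam_unix.so": False, "pam_deny.so": False}
ROOT = {"pam_env.so": True, "pam_winbind.so": False, "pam_unix.so": True, "pam_deny.so": False}

if __name__ == "__main__":
    for name, outcomes in (("bill", BILL), ("root", ROOT)):
        print(name, run_stack(parse(STACK, "auth"), outcomes))
```

Under these assumptions pam_winbind.so is called for both users because it is the first `sufficient` entry in the `auth` stack; for root its failure is ignored and pam_unix.so then grants access.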