[Samba] SUSE 9.3 Winbind+ PAM+AD

Guille Williams guillemw at hotmail.com
Mon Jul 11 21:01:19 GMT 2005


Hello,

I have been using Fedora Core, Samba, and Active Directory to provide 
authentication services for Windows-based users for a few years now, but as 
an experiment I wanted to accomplish the same service with SUSE 9.3.

I have been able to get this configuration to run successfully with RH9, 
FC1, FC2, FC3, and FC4 (buggy but works), but with SUSE I have stalled a 
bit. I feel I have Samba+SUSE 9.3 running about 90% with only winbind and 
pam restrictions holding up the other 10% (nscd disabled of course). I can 
use all the wbinfo tricks (-a -g -t -u) to look up users in AD, which 
suggests everything is working as it should; however, when I attempt to 
access a home folder for an established user in the directory I am prompted 
for a password.

So, of course I tried googling and the Samba howto for a light bulb 
inspiring thought, but the answer eludes me. I did come across this site 
which caught my eye...

http://www-uxsup.csx.cam.ac.uk/pub/doc/suse/suse9.3/suselinux-adminguide_en/sec.update.version.html

4.2.3.16. From Samba 2.x to Samba 3.x

Following the update from Samba 2.x to Samba 3.x, winbind authentication is 
no longer available. The other authentication methods can still be used. For 
this reason, the following programs have been removed:

/usr/sbin/wb_auth
/usr/sbin/wb_ntlmauth
/usr/sbin/wb_info_group.pl


Is this true? Will I not be able to use winbind authentication with SUSE 
9.3?  Does this rule apply only during the update?

The system-auth stacks are set up a little differently in SUSE 9.3 in 
relation to Fedora Core. I now see common-auth common-account common-session 
and common-password for SUSE. I realized they use includes to call the 
separated statements that are normally bundled together in Fedora's 
system-auth file. I did not think it would be too hard to modify the 
common-* files and login for use with winbind as I had with Fedora. I was 
wrong. :(

Anyway, I am using SUSE 9.3 all patched up with Samba 3.020101. The server 
is not a production server, so if I have to downgrade or play a bit it is 
all good.

I have a working /etc/pam.d/login and /etc/pam.d/system-auth configuration 
that I use for Fedora to enforce the pam restrictions I require.

pam.d login

#%PAM-1.0
auth       required	pam_securetty.so
auth       required	pam_stack.so service=system-auth
auth       required	pam_nologin.so
account    sufficient pam_winbind.so
account    required	pam_stack.so service=system-auth
password   required	pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required	pam_selinux.so close
session    required	pam_stack.so service=system-auth
session    optional	pam_console.so
# pam_selinux.so open should be the last session rule
session    required	pam_selinux.so multiple open

pam.d system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     sufficient    /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

Since I am new to SUSE it would be of great help if someone could translate 
the winbind calls used in Fedora's login and system-auth to SUSE's common-* 
and login files.

I also came across this site, 
http://www.billboswellconsulting.com/addl_Linux_Info_authenticating_suse.html, 
which didn't mention the login or system-auth, but did use 
/etc/security/pam_unix2.conf (SUSE 9.1). Should I head in the direction 
below?

The actual path is /etc/security/pam_unix2.conf.

You'll need to modify the auth and account lines to show 
call_modules=winbind. If you neglect to make this change, you won't be able 
to login using Active Directory credentials.

auth: call_modules=winbind
account: call_modules=winbind
password:
session: none

Thanks ahead of time for any responses,

Guille
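
Added example, not part of the original post: a simplified model of the Linux-PAM control flags (required, requisite, sufficient) run over the auth lines of the system-auth file quoted above, showing which modules decide the outcome for an AD user, a local user and a wrong password, and why the trailing pam_deny line has to survive any translation to another layout. The function names and the True/False module results are assumptions made for illustration.

```python
# Added example: simplified model of Linux-PAM control flags, not pam itself.
# AUTH_STACK is a constructed copy of the auth lines in the quoted system-auth
# (module paths shortened to module names).
AUTH_STACK = [
    ("required", "pam_env"),
    ("sufficient", "pam_winbind"),
    ("sufficient", "pam_unix"),
    ("required", "pam_deny"),
]


def evaluate(stack, results):
    """Return (granted, modules_run) for one pass through a PAM stack.

    results maps module name -> True (success) or False (failure).
    """
    required_failed = False
    any_success = False
    ran = []
    for control, module in stack:
        ok = results[module]
        ran.append(module)
        if control in ("required", "requisite"):
            if ok:
                any_success = True
            elif control == "requisite":
                return False, ran          # fail immediately
            else:
                required_failed = True     # remember, keep going
        elif control == "sufficient" and ok and not required_failed:
            return True, ran               # stop here, access granted
        # a failed "sufficient" and any "optional" result are ignored
    return any_success and not required_failed, ran


def scenario(winbind_ok, unix_ok, stack=AUTH_STACK):
    # pam_env succeeds and pam_deny always fails (assumed for this model).
    results = {"pam_env": True, "pam_winbind": winbind_ok,
               "pam_unix": unix_ok, "pam_deny": False}
    return evaluate(stack, results)


if __name__ == "__main__":
    print("AD user      :", scenario(True, False))
    print("local user   :", scenario(False, True))
    print("bad password :", scenario(False, False))
    # Same stack with the trailing pam_deny line dropped: a wrong password
    # is accepted because the only non-ignored result is pam_env's success.
    print("no pam_deny  :", scenario(False, False, AUTH_STACK[:-1]))
```
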



