[Samba] ADS member server w/ winbind on debian sarge

Noah Dain noahdain at gmail.com
Tue Jun 21 04:07:46 GMT 2005


On 6/20/05, Noah Dain <noahdain at gmail.com> wrote:
> On 6/19/05, John H Terpstra <jht at samba.org> wrote:
> > On Sunday 19 June 2005 16:21, Noah Dain wrote:
> > > ok, i've been buggering on and off with this for way too long now.
> > > I'm just plain stuck.
> > >
> > > The objective is to get full authentication working for a samba
> > > machine by integrating it into an existing AD system as a member
> > > server.
> > > ...
> > > debian uses /etc/pam.d/common-* files to hold pam settings which are
> > > @included into all other pam.d files.
> > >
> > > /etc/pam.d/common-account:
> > >
> > > account required    pam_unix.so
> >               ^^^^^^
> > Change to: sufficient.
> >
> > > account sufficient  pam_winbind.so use_first_pass
> > > <EOF>
> > >
> > > /etc/pam.d/common-auth:
> > >
> > > auth    required    pam_unix.so nullok_secure
> >              ^^^^^^
> >
> > Change to sufficient.
> >
> > > auth    sufficient  pam_winbind.so use_first_pass
> > > <EOF>
> > >
> > > /etc/pam.d/common-password:
> > >
> > > password    required    pam_unix.so nullok obscure min=4 max=8 md5
> >                    ^^^^^^
> >
> > Change to sufficient.
> >
> > > password    sufficient  pam_winbind.so use_first_pass
> > > <EOF>
> > >
> > > /etc/pam.d/common-session:
> > >
> > > session required    pam_unix.so
> >               ^^^^^^
> >
> > Change to sufficient.
> >
> > > session sufficient  pam_winbind.so use_first_pass
> > > <EOF>
> > >
> > > there are security audit entries of the samba machine logging on and
> > > off, using kerberos.
> >
> > Let me know what happens when you have made these changes.
> >
> > - John T.
> > --
> > John H Terpstra
> > Samba-Team Member
> > Phone: +1 (650) 580-8668
> >
> > Author:
> > The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> > Samba-3 by Example, ISBN: 0131472216
> > Hardening Linux, ISBN: 0072254971
> > Other books in production.
> >
> 
> success!  Changing the debian defaults for pam_unix.so to sufficient
> as recommended above did the trick.  I can now log in using domain
> accounts via ssh and ftp using a username in the form: DOMAIN+user
> 
> I'll read up on chapter 27 to figure out why this worked, and revisit
> the pam docs on kernel.org.
> 
> I think the biggest points of my confusion are stemming from not
> knowing when and how the various authentication mechanisms interact,
> but I think I'm starting to get the picture.
> 
> thanks a lot guys,
> 

first off, apologies if I inadvertently sent emails to individuals and
not the list.  gmail never seems to do the same thing twice with lists
and email addresses.  my bad.

initially, JHT's suggestion instantly fixed the problem.  Access was
enabled for smb share access, ftp, and ssh (all that i tested).  I
promptly went to bed.

When I got into the office next day, the samba server somehow reverted
back to disallowing domain accounts access.  It's behaving just as it
was before I made the changes to the winbind entries in /etc/pam.d.
I haven't had a chance to troubleshoot it at all yet, though.

??
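The ordering problem John T. points at in the quoted stacks (pam_unix.so marked "required" ahead of pam_winbind.so marked "sufficient", so a domain account that pam_unix.so cannot find fails the whole stack before winbind is consulted) can be checked for mechanically. The script below is an added example, not code from the thread or from the Samba project; the function names pam_check_file and pam_fix_file, the scratch directory, and the two sample common-auth fragments are all constructed here, with the sample content mirroring the lines quoted above.

```shell
#!/bin/sh
# Added example: audit Debian-style PAM fragments (/etc/pam.d/common-*) for
# "required pam_unix.so" appearing before "sufficient pam_winbind.so" of the
# same type, and print a corrected copy using the change recommended in the
# thread (pam_unix.so lines switched to "sufficient").

# pam_check_file FILE
# Exit 0 when no "required pam_unix.so" precedes a "sufficient pam_winbind.so"
# for the same type (auth/account/password/session); exit 1 when it does.
pam_check_file() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blank lines
        {
            type = $1; control = $2; module = $3
            if (module == "pam_unix.so" && control == "required")
                unix_required[type] = 1
            if (module == "pam_winbind.so" && control == "sufficient" && unix_required[type])
                blocked = 1
        }
        END { exit blocked ? 1 : 0 }
    ' "$1"
}

# pam_fix_file FILE
# Print FILE with "required" changed to "sufficient" on pam_unix.so lines only.
# Every other line, including other modules, is passed through unchanged.
pam_fix_file() {
    sed -E 's/^([[:space:]]*(auth|account|password|session)[[:space:]]+)required([[:space:]]+pam_unix\.so)/\1sufficient\3/' "$1"
}

# Constructed sample input written to a scratch directory: the Debian default
# auth line with pam_winbind appended, i.e. the broken state from the thread.
PAM_TMP=$(mktemp -d)
PAM_BROKEN="$PAM_TMP/common-auth.broken"
PAM_FIXED="$PAM_TMP/common-auth.fixed"

cat > "$PAM_BROKEN" <<'EOF'
# constructed sample: Debian sarge default plus winbind
auth    required    pam_unix.so nullok_secure
auth    sufficient  pam_winbind.so use_first_pass
EOF

# Produce the corrected stack next to the broken one.
pam_fix_file "$PAM_BROKEN" > "$PAM_FIXED"

# Report on both files; the broken one is flagged, the fixed one passes.
for f in "$PAM_BROKEN" "$PAM_FIXED"; do
    if pam_check_file "$f"; then
        echo "$f: ok"
    else
        echo "$f: pam_unix.so is required ahead of pam_winbind.so; domain logins will fail"
    fi
done
```

Run it against the real files with `pam_check_file /etc/pam.d/common-auth` (and the other three common-* files) after sourcing the functions; review the output of pam_fix_file before copying it over the originals. One caveat worth keeping in mind: once every module in a type is "sufficient", the stack only fails because libpam denies a stack in which no module succeeded, which is why later PAM configurations commonly close each stack with an explicit pam_deny.so line.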

