[Samba] samba > winbind > pam problem

Matt Glover msglover at gmail.com
Wed Mar 9 17:09:42 GMT 2005

The specs:

Fedora Core 1

The details:

SAMBA is installed
computer is connected to the a Windows 2000 domain
wbinfo -u / -g / -t all give the desired results
getent passwd lists domain users


auth       sufficient   pam_winbind.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   sufficient   pam_winbind.so use_authtok
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
#session    required     pam_limits.so
#session    optional     pam_console.so


# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel uma
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

The problem:

If I try to log in through ssh the messages log file shows I have been
granted access but the ssh session shows I have been disconnected from
the server.  The secure log shows:

Mar  9 11:10:43 webb sshd[2315]: Accepted password for matt from
1xx.2xx.1x.1xx port 1022
Mar  9 11:10:43 webb sshd[2317]: fatal: PAM session setup failed[6]:
Permission denied

Now if I create a directory in /export/httpd/users/ called matt I can
log in with no problem.  If I change the permissions on the
/export/httpd/users/ directory to 777 I can log in with no problem. 
So obviously pam_mkhomedir.so isn't being run with the correct
permissions.  I don't want to have to generate directories for each
user in our AD so hopefully someone can point out what I am missing. 
As a test I set up another machine running Core3 with a standard
install and it worked without a hitch.  I have compared the files
between the two systems and everything looks about the same....  Any
help would be greatly appreciated!


More information about the samba mailing list