[Samba] Re: samba with ADS. winbindd ignore for user
authentication
Oliver Neubauer
oliver at netfirms.com
Thu Oct 20 17:45:02 GMT 2005
Thanks Rex, that was helpful. However, I have now run into something
else. From the smb.conf documentation:
obey pam restrictions (G)
<snip>
Note that Samba always ignores PAM for authentication in the case of
encrypt passwords = yes. The reason is that PAM modules cannot support
the challenge/response authentication mechanism needed in the presence
of SMB password encryption.
So, if I have to use encrypted passwords, and I can't use nsswitch
(apparently not working in FreeBSD 4.x), and PAM is ignored....am I out
of luck?
Say it ain't so.
Oliver
Rex Dieter wrote:
> Oliver Neubauer wrote:
>
>> I'm trying to set up samba using ADS for authentication.
>>
>> I can successfully join the samba machine to the domain. Windows hosts
>> can "see" the samba machine.
>>
>> After successfully joining, doing:
>> # wbinfo -u
>> shows me ADS-defined users. Same goes for groups.
>>
>> However, when I try and assign one of those users ownership of a file,
>> I get:
>>
>> # chown user1 /tmp/test
>> chown: test1: illegal user name
>> even though that user is a valid AD user.
>
>
> You need to configure pam to use nss_winbind, see
> http://us1.samba.org/samba/docs/man/Samba3-HOWTO/winbind.html#id2634773
> for example, my /etc/pam.d/system-auth contains references to pam_winbind:
>
> auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> ...
> account [default=bad success=ok user_unknown=ignore]
> /lib/security/$ISA/pam_winbind.so
> ...
> password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
>
--
Oliver Neubauer
System Administrator
Netfirms Inc.
5160 Yonge St.
Toronto, ON, CA
More information about the samba
mailing list