[Samba] Re: samba with ADS. winbindd ignore for user authentication

Oliver Neubauer oliver at netfirms.com
Thu Oct 20 17:45:02 GMT 2005


Thanks Rex, that was helpful. However, I have now run into something 
else. From the smb.conf documentation:

obey pam restrictions (G)

     <snip>
Note that Samba always ignores PAM for authentication in the case of 
encrypt passwords = yes. The reason is that PAM modules cannot support 
the challenge/response authentication mechanism needed in the presence 
of SMB password encryption.



So, if I have to use encrypted passwords, and I can't use nsswitch 
(apparently not working in FreeBSD 4.x), and PAM is ignored... am I out 
of luck?

Say it ain't so.

Oliver


Rex Dieter wrote:
> Oliver Neubauer wrote:
> 
>> I'm trying to set up samba using ADS for authentication.
>>
>> I can successfully join the samba machine to the domain. Windows hosts 
>> can "see" the samba machine.
>>
>> After successfully joining, doing:
>> # wbinfo -u
>> shows me ADS-defined users. Same goes for groups.
>>
>> However, when I try and assign one of those users ownership of a file, 
>> I get:
>>
>> # chown user1 /tmp/test
>> chown: test1: illegal user name
>> even though that user is a valid AD user.
> 
> 
> You need to configure pam to use nss_winbind, see
> http://us1.samba.org/samba/docs/man/Samba3-HOWTO/winbind.html#id2634773
> for example, my /etc/pam.d/system-auth contains references to pam_winbind:
> 
> auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> ...
> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
> ...
> password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
> 

-- 
Oliver Neubauer
System Administrator

Netfirms Inc.
5160 Yonge St.
Toronto, ON, CA

