[Samba] Re: Authentication against AD?

Dimitri Yioulos dyioulos at firstbhph.com
Wed Sep 14 15:33:58 GMT 2005


On Wednesday 14 September 2005 11:11 am, you wrote:
> I just wanted to make sure what I have currently is accurate for the
> /etc/pam.d/login, which according to what you sent me and the HOWTO you
> referred me to it is.
>
> For some reason I am still having problems.  Would it matter if I had
> a non-traditional active directory schema (was modified to include unix
> services)?
>
> Dimitri Yioulos wrote:
> >On Wednesday 14 September 2005 10:21 am, you wrote:
> >>Could I get an example of the /etc/pam.d/login configuration for use
> >>with winbind?
> >>
> >>Dimitri Yioulos wrote:
> >>>On Tuesday 13 September 2005 3:58 pm, Rex Dieter wrote:
> >>>>Jason Gerfen wrote:
> >>>>>I am having a hard time getting Samba to authenticate correctly
> >>>>>against a Windows Active Directory setup.
> >>>>>
> >>>>>      template shell = /bin/bash
> >>>>>      template homedir = /home/%D/%U
> >>>>>
> >>>>>I can run the net ads join command which works fine, but if I try to
> >>>>>authenticate without a local account I am receiving errors.  Any
> >>>>>assistance or pointers is appreciated.
> >>>>
> >>>>If you want to avoid the use of local accounts, you also need to
> >>>>configure/use winbind and pam+nss_winbind
> >>>>
> >>>>-- Rex
> >>>
> >>>Rex is right.  You need to configure resolv.conf, nsswitch.conf, and
> >>>/etc/pam.d/login.
> >>>
> >>>Dimitri
> >
> >Jason,
> >
> >I'll do it, but you really should read Samba-3 by Example.  John H. and
> >company have done an excellent job of documenting Samba configuration and
> >use.  It would be better to use the mailing list after that.
> >
> >That said:
> >
> >#%PAM-1.0
> >auth       required     pam_securetty.so
> >auth    sufficient      pam_winbind.so
> >auth    sufficient      pam_unix.so use_first_pass
> >auth       required     pam_stack.so service=system-auth
> >auth       required     pam_nologin.so
> >account sufficient      pam_winbind.so
> >account    required     pam_stack.so service=system-auth
> >password   required     pam_stack.so service=system-auth
> >session    required     pam_stack.so service=system-auth
> >session    optional     pam_console.so
> >
> >Dimitri

I don't particularly see that as being an issue.  So, let's review:

- Your smb.conf was changed to include/modify/etc. the directives mentioned in 
previous posts.

Let me say here that I use the IP address in password server =.  I'd also 
change realm = server.com to realm = SERVER.COM.  I know these work for me, 
and we have 6 samba member servers working great in our AD scheme.

- nsswitch.conf, resolv.conf, and /etc/pam.d/login are configured correctly.

- krb5.conf is configured correctly.

You might want to post your krb5.conf so we can have a look-see.

When you start samba, do you also start the winbind daemon?

Dimitri
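
The review list above can be checked mechanically. This is an added example, not part of the original post or of Samba: a shell script with hypothetical function names (conf_value, check_realm, check_nss, check_pam) that inspects copies of the files; comparing realm with krb5.conf default_realm assumes a single-realm setup.

```shell
#!/bin/sh
# Added example: static checks for the files named in the review list.

# First value of "key = value" in an ini-style file (smb.conf, krb5.conf).
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# realm should be upper case (the advice in the post) and, as an assumption
# of this example, equal to default_realm in krb5.conf.
check_realm() {  # check_realm SMB_CONF KRB5_CONF
    realm=$(conf_value "$1" realm)
    [ -n "$realm" ] || { echo "smb.conf: no realm set"; return 1; }
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "smb.conf: realm '$realm' is not upper case"; return 1; }
    [ "$realm" = "$(conf_value "$2" default_realm)" ] ||
        { echo "krb5.conf: default_realm differs from realm"; return 1; }
}

# passwd and group must list winbind, or AD users resolve to no UNIX account.
check_nss() {  # check_nss NSSWITCH_CONF
    for db in passwd group; do
        grep -Eq "^$db:(.*[[:space:]])?winbind([[:space:]]|\$)" "$1" ||
            { echo "nsswitch.conf: $db does not use winbind"; return 1; }
    done
}

# The login stack needs a pam_winbind.so line for auth and for account.
check_pam() {  # check_pam PAM_FILE
    for kind in auth account; do
        grep -Eq "^$kind[[:space:]]+[^#]*pam_winbind\.so" "$1" ||
            { echo "pam: no pam_winbind.so line for $kind"; return 1; }
    done
}

# Constructed sample files (not from the thread): lower-case realm, rest fine.
demo() {
    d=$(mktemp -d) || return 1
    printf '[global]\n   security = ads\n   realm = server.com\n' > "$d/smb.conf"
    printf '[libdefaults]\n default_realm = SERVER.COM\n' > "$d/krb5.conf"
    printf 'passwd: files winbind\ngroup:  files winbind\n' > "$d/nsswitch.conf"
    printf 'auth sufficient pam_winbind.so\naccount sufficient pam_winbind.so\n' > "$d/login"
    check_realm "$d/smb.conf" "$d/krb5.conf" && r=ok || r=fail
    check_nss "$d/nsswitch.conf" && check_pam "$d/login" && n=ok || n=fail
    rm -rf "$d"
    echo "realm=$r nss_pam=$n"
}
demo
```

These are file checks only; whether the winbind daemon is running is a separate question, which `wbinfo -p` answers by pinging winbindd.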

