[Samba] AD integration checklist
Don Meyer
dlmeyer at uiuc.edu
Sat Dec 9 23:50:36 GMT 2006
At 07:58 PM 12/8/2006, simo wrote:
> > The one slight hiccup I am seeing is for console logins: locally
> > defined users can log onto the console successfully -- if they use
> > there AD password, they are accepted on the first password prompt.
> >
> > However, if they use their locally defined password (shadow) at the
> > console, then they are subjected to a second password prompt each time
> > -- and it doesn't matter whether they enter the local password
> > correctly on the first prompt, it only matters on the second one. Is
> > there something about my placement/ordering above that might be
> > causing this?
>
>put the option use_first_pass on the second module in the stack, so that
>it doesn't ask for a new password, but try with the one provided to the
>first module.
Bingo! That did the trick.
To be specific for others running across this problem, the option
"use_first_pass" needs to be added to the second (and any subsequent)
modules in the auth stack. (Excluding the pam_env module...)
E.g.:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth
nullok use_first_pass
auth required /lib/security/$ISA/pam_deny.so
Cheers,
-D
Don Meyer <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services
"They that can give up essential liberty to obtain a little
temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 1759
More information about the samba
mailing list