[Samba] SSH and winbind authentication on Solaris 10
Stefan Varga
Stefan_Varga at tempest.sk
Fri Jul 21 07:59:39 GMT 2006
here they are:
krb5.conf
[libdefaults]
default_realm = ADS.SK
[realms]
ADS.UNIT.SK = {
kdc = windows.ads.unit.sk
}
[domain_realm]
.kerberos.server = WINDOWS.ADS.SK
smb.conf
[global]
#host settings
netbios name = SOLARIS
server string = Test Server for join to ADS
workgroup = ADS
os level = 20
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
#winbind configuration
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind gid = 10000-20000
winbind cache time = 20
winbind separator = +
#server
socket address = ip
password server = ip
preferred master = no
realm = ADS.SK
security = ADS
encrypt passwords = yes
dns proxy = no
#logging
max log size = 50
log level = 1
log file = /var/samba/log/log.%m
template homedir = /export/home/%D.%U
template shell = /bin/bash
pam.conf
login auth sufficient pam_winbind.so.1
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth sufficient pam_winbind.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_winbind.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
#other session optional pam_mkhomedir.so skel=/etc/skel umask=0022
other session required pam_unix_session.so.1
#other session sufficient pam_winbind.so
Any comments or suggestions are welcome.
root and AD users are able to log in by ssh, telnet, dtlogin ..
I have only 2 problems:
1. If root logs in, PAM gives me (but root can log in):
Jul 21 09:55:30 solaris pam_winbind[885]: [ID 744057 auth.error] request failed: Logon failure, PAM error was Authentication failed (9), NT error was NT_STATUS_LOGON_FAILURE
Jul 21 09:55:30 solaris pam_winbind[885]: [ID 912734 auth.error] request failed, but PAM error 0!
Jul 21 09:55:30 solaris pam_winbind[885]: [ID 799888 auth.error] internal module error (retval = 3, user = `root')
Can you give me some suggestions on how to avoid this?
2. I cannot use pam_mkhomedir; if pam_mkhomedir is commented out, users cannot log in, because the Sun box drops the ssh connections.
Do you guys see some misconfiguration here?
Thanks
Stefan
Burris, Celeste Suliin wrote:
> I've googled my heart out, but I cannot see an example of ssh authentication
> with Active Directory and winbindd, particularly on Solaris 10. I have it
> working on Solaris 8 with telnet, but I'm trying to break my users of
> telnet.
>
> Has anyone got it working? If so, would you be willing to share the global
> section of your smb.conf and pam.conf with me? Is there something I need to
> put in one of the ssh configuration files?
>
> Celeste Suliin Burris
> Systems Administrator
> Community and Economic Development Department
> Phone - 253-591-5093
> Email - csburris at ci.tacoma.wa.us
> URL - http://www.cityofdestiny.com
--
+----------------------------------------------+
| Stefan Varga TEMPEST a.s. |
| Systems Engineer IT Services |
| +421908 760617 Plynarenska 7/B |
| Stefan_Varga at tempest.sk Bratislava |
| Sun Microsystems Enterprise system provider |
+----------------------------------------------+
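As an added example (not code from the post), here is a small linter for the Solaris pam.conf format shown above; it parses the "service type control module [options]" stacks and reports two things the post raises: which services call pam_winbind before pam_unix_auth (so every local account, root included, is first tried against the domain, which is the NT_STATUS_LOGON_FAILURE noise in the log), and whether any active session entry stacks pam_mkhomedir. The sample input is a constructed subset of the posted stacks.

```python
# Added example (not from the post): lint a Solaris pam.conf stack, where
# each line reads "service type control module [options]".
from collections import defaultdict

# Constructed sample: a subset of the posted auth and session stacks, with
# the pam_mkhomedir line still commented out.
SAMPLE_PAM_CONF = """\
login auth sufficient pam_winbind.so.1
login auth requisite pam_authtok_get.so.1
login auth required pam_unix_auth.so.1
other auth sufficient pam_winbind.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_auth.so.1
#other session optional pam_mkhomedir.so skel=/etc/skel umask=0022
other session required pam_unix_session.so.1
"""

def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options)]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # '#' starts a comment
        if len(parts) < 4:
            continue                           # blank, comment or malformed
        service, mtype, control, module = parts[:4]
        stacks[(service, mtype)].append((control, module, parts[4:]))
    return dict(stacks)

def _first(modules, prefix):
    return next((i for i, m in enumerate(modules) if m.startswith(prefix)), None)

def winbind_before_unix(stacks):
    """Services whose auth stack calls pam_winbind before pam_unix_auth, so every
    local account (root included) is first tried against the domain; that is the
    NT_STATUS_LOGON_FAILURE noise in the post."""
    hits = []
    for (service, mtype), entries in stacks.items():
        if mtype != "auth":
            continue
        modules = [m for _, m, _ in entries]
        wb, ux = _first(modules, "pam_winbind"), _first(modules, "pam_unix_auth")
        if wb is not None and (ux is None or wb < ux):
            hits.append(service)
    return sorted(hits)

def has_homedir_creator(stacks, service="other"):
    """True if an active (uncommented) session entry stacks pam_mkhomedir."""
    return any(m.startswith("pam_mkhomedir")
               for _, m, _ in stacks.get((service, "session"), []))
```

Running `winbind_before_unix(parse_pam_conf(SAMPLE_PAM_CONF))` on the sample lists both "login" and "other", and `has_homedir_creator` reports False while the pam_mkhomedir line stays commented out.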