[Samba] SSH and winbind authentication on Solaris 10

Stefan Varga Stefan_Varga at tempest.sk
Fri Jul 21 07:59:39 GMT 2006


Here they are:
krb5.conf

[libdefaults]
        default_realm = ADS.SK

[realms]
        ADS.UNIT.SK = {
                kdc = windows.ads.unit.sk
        }

[domain_realm]
        .kerberos.server = WINDOWS.ADS.SK

smb.conf

[global]

#host settings
        netbios name = SOLARIS
        server string = Test Server for join to ADS
        workgroup = ADS
        os level = 20
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
#winbind configuration
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind gid = 10000-20000
        winbind cache time = 20
        winbind separator = +
#server
        socket address = ip
        password server = ip
        preferred master = no
        realm = ADS.SK
        security = ADS
        encrypt passwords = yes
        dns proxy = no
#logging
        max log size = 50
        log level = 1
        log file = /var/samba/log/log.%m
        template homedir = /export/home/%D.%U
        template shell = /bin/bash

pam.conf
login   auth sufficient         pam_winbind.so.1
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth sufficient         pam_winbind.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account sufficient      pam_winbind.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
#other  session optional        pam_mkhomedir.so skel=/etc/skel umask=0022
other   session required        pam_unix_session.so.1
#other  session sufficient      pam_winbind.so


Any comments, suggestions are welcome.
root and AD users are able to login by ssh, telnet, dtlogin ..
I have only 2 problems:
1. if root logs in PAM gives me (but root can log in):
Jul 21 09:55:30 solaris pam_winbind[885]: [ID 744057 auth.error] request failed: Logon failure, PAM error was Authentication failed (9), NT error was NT_STATUS_LOGON_FAILURE
Jul 21 09:55:30 solaris pam_winbind[885]: [ID 912734 auth.error] request failed, but PAM error 0!
Jul 21 09:55:30 solaris pam_winbind[885]: [ID 799888 auth.error] internal module error (retval = 3, user = `root')
Can you give me some suggestions how to avoid this?
2. I cannot use pam_mkhomedir; if pam_mkhomedir is commented out users cannot log in, because the sun box drops the ssh connections.
Do you guys see some misconfiguration here?
Thanks
Stefan

Burris, Celeste Suliin wrote:
> I've googled my heart out, but I cannot see an example of ssh authentication
> with Active Directory and winbindd, particularly on Solaris 10. I have it
> working on Solaris 8 with telnet, but I'm trying to break my users of
> telnet.
>
> Has anyone got it working? If so, would you be willing to share the global
> section of your smb.conf and pam.conf with me?  Is there something I need to
> put in one of the ssh configuration files?
>
> Celeste Suliin Burris
> Systems Administrator
> Community and Economic Development Department
> Phone - 253-591-5093
> Email - csburris at ci.tacoma.wa.us
> URL   - http://www.cityofdestiny.com
>
>
>   


-- 
+----------------------------------------------+
| Stefan Varga               TEMPEST a.s.      |
| Systems Engineer           IT Services       |
| +421908 760617             Plynarenska 7/B   |
| Stefan_Varga at tempest.sk    Bratislava        |
| Sun Microsystems Enterprise system provider  |
+----------------------------------------------+
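Why root produces a pam_winbind error in syslog yet still logs in follows from the control flags in the "other auth" stack of the posted pam.conf. The script below is an added example, not code from this thread or from Samba: it replays that stack with the Solaris/Linux-PAM meaning of sufficient, requisite and required, assuming (as the log suggests) that pam_winbind fails for the local root account and succeeds for an AD account, and that the pam_unix modules succeed unless told otherwise.

```python
"""Replay the 'other auth' stack from the posted pam.conf with PAM
control-flag semantics, to show why a failed pam_winbind call is
logged for root while the login still succeeds."""

# Copied from the posted pam.conf (the 'other auth' lines only).
PAM_CONF = """\
other   auth sufficient         pam_winbind.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
"""

def parse_stack(text, service="other", mtype="auth"):
    """Return [(control_flag, module), ...] for one service/type."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        svc, typ, ctrl, module = line.split(None, 3)
        if svc == service and typ == mtype:
            stack.append((ctrl, module.split()[0]))  # drop module options
    return stack

def run_stack(stack, results):
    """Walk the stack; results maps module -> True/False (success/failure),
    modules not listed are assumed to succeed. Returns (outcome, called)."""
    called, failed = [], False
    for ctrl, module in stack:
        ok = results.get(module, True)
        called.append(module)
        if ctrl == "sufficient" and ok and not failed:
            return "success", called      # stack satisfied, stop here
        if ctrl == "requisite" and not ok:
            return "failure", called      # fatal, stop immediately
        if ctrl == "required" and not ok:
            failed = True                 # remember, but keep walking
        # optional, or a failed sufficient: result ignored
    return ("failure" if failed else "success"), called

def outcome_for(winbind_ok, unix_ok=True):
    """Assumed module results for one login attempt (hypothetical)."""
    results = {"pam_winbind.so.1": winbind_ok, "pam_unix_auth.so.1": unix_ok}
    return run_stack(parse_stack(PAM_CONF), results)

if __name__ == "__main__":
    # root: winbind cannot authenticate the local account (the logged
    # NT_STATUS_LOGON_FAILURE), but 'sufficient' makes that non-fatal.
    print(outcome_for(False))
    # AD user: pam_winbind succeeds and nothing after it runs.
    print(outcome_for(True))
```

The root case walks all five modules and ends in success via pam_unix_auth, which is exactly the "request failed, but PAM error 0" pattern in the log; the same simulation with pam_unix_auth failing yields a rejected login.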