[Samba] samba/PAM/winbind/ssh

Matt Herzog msh at blisses.org
Fri Sep 15 16:31:16 GMT 2006


On Fri, Sep 15, 2006 at 11:42:12AM -0300, Felipe Augusto van de Wiel wrote:
> On 09/12/2006 06:50 PM, Matt Herzog wrote:
> > I have the winbind login working on FC5 but now logins to local accounts
> > cannot authenticate.
> > 
> > My config files are here:
> > 
> > http://www.pigeonnier.org/nsswitch.conf
> > http://www.pigeonnier.org/pam.d/
> > http://www.pigeonnier.org/krb.conf
> > 
> > Again, if I try to ssh in as a user that exists only as a local account on the remote 
> > host, I am rejected. User msh is -not- an AD account and only exists on the
> > FC5 server "province"
> > 
> > From the /var/log/secure file:
> > 
> > Sep 12 16:58:29 province sshd[11521]: reverse mapping checking getaddrinfo
> > for zogness.cinteractive.com failed - POSSIBLE BREAK-IN ATTEMPT!
> > Sep 12 16:58:33 province sshd[11521]: pam_unix(sshd:auth): authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.76.121.62  user=msh
> > Sep 12 16:58:35 province sshd[11521]: Failed password for msh from
> > 198.76.121.62 port 58069 ssh2
> > Sep 12 16:58:39 province sshd[11521]: pam_succeed_if(sshd:account):
> > requirement "uid < 100" not met by user "msh"
> > Sep 12 16:58:39 province sshd[11521]: fatal: Access denied for user msh by
> > PAM account configuration
> 
> 	Well, for some reason your PAM requires that your user has
> a uid less than 100, I don't know why, but it doesn't look like
> it is related to Samba.
> 
> 	Kind regards,

Thanks. My problem was solved by Red Hat's authconfig utility. I am still
kicking myself for not having run it before. As it turns out, Red Hat's PAM
config for winbind authentication puts the line:

session     sufficient    pam_mkhomedir.so skel=/etc/skel umask=0027

in /etc/pam.d/sshd

while in Debian that same line needs to be in /etc/pam.d/system-auth.

-- 
Announcing your plans is a good way to hear the gods' laughter.
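
Added example, not part of the original message: a small Python triage script that reads the /var/log/secure lines quoted above (mail line wrapping undone) and groups sshd's PAM messages by management group, so the pam_unix failure in the auth stage is kept apart from the pam_succeed_if denial in the account stage. The function names are illustrative.

```python
import re
from collections import defaultdict

# Log lines from the quoted excerpt, re-joined where the mail client wrapped them.
SAMPLE = """\
Sep 12 16:58:29 province sshd[11521]: reverse mapping checking getaddrinfo for zogness.cinteractive.com failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 12 16:58:33 province sshd[11521]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.76.121.62  user=msh
Sep 12 16:58:35 province sshd[11521]: Failed password for msh from 198.76.121.62 port 58069 ssh2
Sep 12 16:58:39 province sshd[11521]: pam_succeed_if(sshd:account): requirement "uid < 100" not met by user "msh"
Sep 12 16:58:39 province sshd[11521]: fatal: Access denied for user msh by PAM account configuration
"""

# PAM modules log as module(service:management_group): message
PAM_RE = re.compile(r'sshd\[(\d+)\]: (pam_\w+)\((\w+):(\w+)\): (.*)')
REQ_RE = re.compile(r'requirement "([^"]+)" not met by user "([^"]+)"')
USER_RE = re.compile(r'\buser=(\S+)')  # \b keeps this from matching "ruser="

def pam_findings(text):
    """Return {sshd pid: [(stage, module, user, detail), ...]} for PAM rejections."""
    found = defaultdict(list)
    for line in text.splitlines():
        m = PAM_RE.search(line)
        if not m:
            continue  # plain sshd messages carry no module/stage information
        pid, module, _service, stage, msg = m.groups()
        req = REQ_RE.search(msg)
        if req:
            # pam_succeed_if reports the failed condition and the user
            found[pid].append((stage, module, req.group(2), req.group(1)))
        elif "authentication failure" in msg:
            user = USER_RE.search(msg)
            found[pid].append((stage, module, user.group(1) if user else None,
                               "authentication failure"))
    return dict(found)

def explain(text):
    """One human-readable line per PAM rejection, in log order."""
    return [f"sshd[{pid}] {stage} stage: {module} rejected {user!r} ({detail})"
            for pid, items in pam_findings(text).items()
            for stage, module, user, detail in items]

if __name__ == "__main__":
    print("\n".join(explain(SAMPLE)))
```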

