[Samba] Kerberos and PAM

M Azer azermina at gmail.com
Sun Jan 7 02:06:05 GMT 2007


When setting up winbind to authenticate Windows 2003 AD users, do I need to configure
pam.d/login or pam.d/system_auth?

On 1/6/07, M Azer <azermina at gmail.com> wrote:
>
> Thank you all for your replies. I have read the Samba docs and followed them
> to the letter. I have supplied my configurations; please let me know if I am
> missing anything.
>
> *smb.conf*
> [global]
> workgroup = CAD
> netbios name = itbox
> hosts allow = 192.168.1. 192.168.0. 127.
> winbind separator = +
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind cache time = 10
> template homedir = /home/%D/%U
> template shell = /bin/bash
> security = ADS
> realm = CAD.TESTDOMAIN
> password server = vdc2.CAD.TESTDOMAIN
> encrypt passwords = yes
> log file = /var/log/samba/%m.log
> log level = 10
> max log size= 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = No
> directory mask = 0700
> create mask = 0700
>
> [data]
> comment = Doc Samba Server
> path = /data
> read only = yes
> guest only = yes
>
>
> *nsswitch.conf*
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> *krb5.conf*
> [libdefaults]
> default_realm = CAD.TESTDOMAIN
>
> [realms]
> CAD.TESTDOMAIN = {
> kdc = vdc2.cad.testdomain
> }
>
> [domain_realms]
> .kerberos.server = CAD.TESTDOMAIN
>
>
> *pam.d/login*
> #%PAM-1.0
> auth required pam_securetty.so
> auth sufficient pam_winbind.so
> auth sufficient pam_unix.so use_first_pass
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account sufficient pam_winbind.so
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> session optional pam_console.so
>
> *pam.d/samba*
> #%PAM-1.0
> auth required pam_nologin.so
> auth required pam_stack.so service=system-auth
> account required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
>
> [mina at itbox pam.d]$ wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> [mina at itbox pam.d]$ wbinfo -m
> itbox
> CAD
>
> [mina at itbox pam.d]$ getent passwd admin_mina
> admin_mina:*:10001:10002:admin mina:/home/CAD/admin_mina:/bin/bash
>
>
> [root at itbox pam.d]# /usr/bin/net ads join -Uadministrator
> administrator's password:
> Using short domain name -- CAD
> Joined 'ITBOX' to realm 'CAD.TESTDOMAIN'
>
> wbinfo -u, wbinfo -g all work fine
>
> ps aux | grep winbind
> root 2965 0.0 0.3 10188 2848 ? Ss Jan05 0:00 winbindd
> root 2966 0.0 0.4 10676 3292 ? S Jan05 0:00 winbindd
>
> smbclient -L itbox
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
>
> When I use an XP client machine to log in I see the shares, data and home
> directory. I am able to open data; however, when I click on homedir the Windows
> logon screen comes up requesting username and password, and always says wrong
> username and password, please try again.
>
> Any help will be appreciated.
>
> On 1/5/07, kk <c_kitu at yahoo.co.in> wrote:
> >
> > Refer this :
> > http://kbase.redhat.com/faq/FAQ_85_5787.shtm
> >
> >
> > Regards,
> > Kaustubh
> > --- M Azer <azermina at gmail.com > wrote:
> >
> > > I am new to Samba. I followed the docs on samba.com to configure Samba as a
> > > "domain member", security = domain, and to use winbind to authenticate users
> > > against Windows 2003 AD. Well, my question is: the steps mentioned the use of
> > > PAM to do the authentication against the AD, but it doesn't work. Do I also
> > > need to configure Kerberos for this type of installation?
> > >
> > > [root at itbox john]# smbclient -L testbox
> > > Password:
> > > session setup failed: *NT_STATUS_LOGON_FAILURE*
> > >
> > > Client machines (XP Pro) are able to browse the network and get to see my
> > > share (user share); however, when I double click it I get a login asking for
> > > the user name and password.
> > >
> > > smb.conf:
> > > [global]
> > > workgroup = CAD
> > > netbios name = itbox
> > > security = DOMAIN
> > > encrypt passwords = yes
> > > winbind separator = +
> > > idmap uid = 10000-20000
> > > idmap gid = 10000-20000
> > > winbind enum users = yes
> > > winbind enum groups = yes
> > > winbind use default domain = yes
> > > [homes]
> > > comment = Home Directories
> > > valid users = %S
> > > read only = No
> > > browseable = No
> > >
> > > pam.d/samba
> > > #%PAM-1.0
> > > auth required pam_nologin.so
> > > auth required pam_stack.so service=system-auth
> > > auth required pam_winbind.so
> > > account required pam_winbind.so
> > > account required pam_stack.so service=system-auth
> > > session required pam_mkhomedir.so skel=/etc/samba/skel umask=0022
> > > session required pam_stack.so service=system-auth
> > > password required pam_stack.so service=system-auth
> > >
> >
> >
> > Do not go where the path may lead, go instead where there is no path and
> > leave a trail. -----
> >
> > KK
> >
> >
> >
> >
> >
>
>
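An added consistency checker for the pieces this thread juggles (smb.conf realm, krb5.conf, and the pam.d stacks); it is example code written for this page, not from the Samba project or the poster. It resolves the old Red Hat `pam_stack.so service=system-auth` includes, so it shows which pam.d services actually reach `pam_winbind.so`, and it flags krb5.conf section names the library does not read (the file above spells it `[domain_realms]`; MIT and Heimdal look for `[domain_realm]`). The sample inputs at the bottom are constructed and assume a system-auth that lacks `pam_winbind.so`.

```python
import re

# Sections MIT/Heimdal krb5.conf recognise; a misspelt one (e.g. "[domain_realms]") is silently ignored.
KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "logging", "appdefaults", "capaths", "kdc", "plugins"}

def parse_conf(text):
    """smb.conf / krb5.conf -> {section: {key: value}}; krb5 "{ }" blocks are flattened."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if m := re.match(r"\[(.+)\]$", line):
            cur = m.group(1).strip().lower()
            sections.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[cur][key.lower()] = val
    return sections

def pam_auth_uses_winbind(pam_files, name, seen=()):
    """True if the auth stack of pam.d/<name> reaches pam_winbind.so, following pam_stack.so service= includes."""
    if name in seen or name not in pam_files:  # unknown service or include loop
        return False
    for f in (line.split() for line in pam_files[name].splitlines()):
        if len(f) < 3 or f[0] != "auth":
            continue
        if f[2] == "pam_winbind.so" or (f[2] == "pam_stack.so" and any(
                a.startswith("service=") and pam_auth_uses_winbind(pam_files, a[8:], seen + (name,))
                for a in f[3:])):
            return True
    return False

def check_ad_member(smb_conf, krb5_conf, pam_files):
    """Findings for an ADS member: realm consistency, krb5 section typos, PAM services that skip winbind."""
    smb, krb = parse_conf(smb_conf).get("global", {}), parse_conf(krb5_conf)
    realm, out = smb.get("realm", ""), []
    if smb.get("security", "").lower() != "ads" or not realm:
        out.append("smb.conf: security = ADS plus a realm are needed for a Kerberos join")
    if krb.get("libdefaults", {}).get("default_realm") != realm:
        out.append("krb5.conf: default_realm does not match smb.conf realm")
    out += [f"krb5.conf: unknown section [{s}] (typo?)" for s in krb if s not in KRB5_SECTIONS]
    out += [f"pam.d/{n}: auth never reaches pam_winbind.so" for n in pam_files if not pam_auth_uses_winbind(pam_files, n)]
    return out

# Constructed sample: pam.d/samba only includes system-auth, and that stack has no pam_winbind.so.
SAMPLE_PAM = {"system-auth": "auth required pam_unix.so\n",
              "login": "auth sufficient pam_winbind.so\nauth required pam_stack.so service=system-auth\n",
              "samba": "auth required pam_stack.so service=system-auth\n"}
SAMPLE_SMB = "[global]\nsecurity = ADS\nrealm = CAD.TESTDOMAIN\n"
SAMPLE_KRB5 = "[libdefaults]\ndefault_realm = CAD.TESTDOMAIN\n[domain_realms]\n.cad.testdomain = CAD.TESTDOMAIN\n"
if __name__ == "__main__":
    print("\n".join(check_ad_member(SAMPLE_SMB, SAMPLE_KRB5, SAMPLE_PAM)))
```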

