[Samba] winbindd behaving oddly
Gerald (Jerry) Carter
jerry at samba.org
Fri Aug 8 11:53:27 GMT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Glenn Bailey wrote:
> Hello folks,
> Been beating my head with an winbind and pam just behaving oddly. I have following
> various HOW-TO's, wiki's, and docs, and just can't seem to get past a wall. Here a
> some of the issues:
If you just want desktop or server logins and not File/Print, you might
want to try likewise-open (http://www.likewisesoftware.com/community/).
> - the 1st attempt at ssh'ing to a server gives me a 'Wrong Password'
> in the logs. Here's an exact snippet:
> Aug 6 18:45:40 mia21654bcu001 sshd: pam_winbind(sshd): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
> I get this w/o even entering a password. If I break out and just hit it 2 more times it will lock the account out
> as expected.
> - require_membership_of seems to be flat out ignored.
Works for me. but I define it in /etc/security/pam_winbind.conf
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
I stack pam_winbind before pam_unix
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> account required /lib/security/$ISA/pam_permit.so
Don't need use_first_pass
> password required /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> password required /lib/security/$ISA/pam_deny.so
need useauthtok and not use_first_pass here.
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session required /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group
The require-.... option is enforced in auth and not session.
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the samba