[Samba] winbindd behaving oddly

Gerald (Jerry) Carter jerry at samba.org
Fri Aug 8 11:53:27 GMT 2008


Glenn Bailey wrote:
> Hello folks,
> Been beating my head with winbind and pam just behaving oddly. I have followed
> various HOW-TOs, wikis, and docs, and just can't seem to get past a wall. Here are
> some of the issues:

If you just want desktop or server logins and not File/Print, you might
want to try likewise-open (http://www.likewisesoftware.com/community/).

> - the 1st attempt at ssh'ing to a server gives me a 'Wrong Password' 
> in the logs. Here's an exact snippet:
> Aug  6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
> I get this w/o even entering a password. If I break out and just hit it 2 more times it will lock the account out
> as expected.
> - require_membership_of seems to be flat out ignored. 

Works for me, but I define it in /etc/security/pam_winbind.conf.

> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so

I stack pam_winbind before pam_unix

> account     required      /lib/security/$ISA/pam_unix.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> account     required      /lib/security/$ISA/pam_permit.so

Don't need use_first_pass

> password    required      /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> password    required      /lib/security/$ISA/pam_deny.so

Need use_authtok and not use_first_pass here.

> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group

The require-.... option is enforced in auth and not session.

cheers, jerry
--
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
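
A small linter that applies the four points from the reply above to the stack quoted in the post; this is an added example, not code from the post or from the Samba project. The function names `parse` and `lint` are hypothetical, module paths are shortened to file names, and the checks encode only the reply's advice, not a full PAM validation.

```python
# The stack quoted in the post (module paths shortened to file names).
POSTED_STACK = """\
auth     required   pam_env.so
auth     sufficient pam_unix.so likeauth nullok
auth     sufficient pam_winbind.so use_first_pass use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
account  sufficient pam_succeed_if.so uid < 100 quiet
account  sufficient pam_winbind.so use_first_pass
account  required   pam_permit.so
password required   pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_winbind.so use_first_pass
password required   pam_deny.so
session  required   pam_limits.so
session  required   pam_unix.so
session  required   pam_winbind.so use_first_pass require_membership_of=some_group
"""

def parse(stack):
    """Yield (type, control, module, [args]) for each non-comment line."""
    for line in stack.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            kind, control, module, *args = line.split()
            yield kind, control, module.rsplit("/", 1)[-1], args

def lint(stack):
    """Return findings that encode the four points made in the reply."""
    findings, seen_unix_auth = [], False
    for kind, _control, module, args in parse(stack):
        if module == "pam_unix.so" and kind == "auth":
            seen_unix_auth = True
        if module != "pam_winbind.so":
            continue
        opts = {a.split("=", 1)[0] for a in args}
        if kind == "auth" and seen_unix_auth:
            findings.append("auth: pam_winbind is stacked after pam_unix")
        if kind == "account" and "use_first_pass" in opts:
            findings.append("account: use_first_pass is not needed")
        if kind == "password" and "use_first_pass" in opts and "use_authtok" not in opts:
            findings.append("password: use use_authtok, not use_first_pass")
        if kind != "auth" and "require_membership_of" in opts:
            findings.append(f"{kind}: require_membership_of is only enforced in auth")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(POSTED_STACK)))
```

Run against the posted stack, it reports one finding per management group, matching the four comments in the reply.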

