[Samba] winbindd behaving oddly
gbailey at terremark.com
Mon Aug 11 15:11:47 GMT 2008
Looks like the likewise solution is exactly what I've been looking
for, as I've been developing an internal solution that was basically
a stripped down samba that wouldn't conflict with any other existing
I threw my group membership settings in /etc/security/pam_winbind.conf
with the following format:
and this worked just fine ..
From: Gerald (Jerry) Carter [mailto:jerry at samba.org]
Sent: Friday, August 08, 2008 6:53 AM
To: Glenn Bailey
Cc: samba at lists.samba.org
Subject: Re: [Samba] winbindd behaving oddly
-----BEGIN PGP SIGNED MESSAGE-----
Glenn Bailey wrote:
> Hello folks,
> Been beating my head with winbind and pam just behaving oddly. I
> have followed various HOW-TOs, wikis, and docs, and just can't seem
> to get past a wall. Here are some of the issues:
If you just want desktop or server logins and not File/Print, you might want to try likewise-open (http://www.likewisesoftware.com/community/).
> - the 1st attempt at ssh'ing to a server gives me a 'Wrong Password'
> in the logs. Here's an exact snippet:
> Aug 6 18:45:40 mia21654bcu001 sshd: pam_winbind(sshd): request
> failed: Wrong Password, PAM error was Authentication failure (7), NT
> error was NT_STATUS_WRONG_PASSWORD
> I get this w/o even entering a password. If I break out and just hit
> it 2 more times it will lock the account out as expected.
> - require_membership_of seems to be flat out ignored.
Works for me, but I define it in /etc/security/pam_winbind.conf
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
I stack pam_winbind before pam_unix
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> account required /lib/security/$ISA/pam_permit.so
Don't need use_first_pass
> password required /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> password required /lib/security/$ISA/pam_deny.so
Need use_authtok and not use_first_pass here.
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session required /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group
The require-.... option is enforced in auth and not session.
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
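
Added example, not part of the original thread: a small linter that applies the remarks in the reply above (stacking order in auth, duplicated options, use_first_pass on account and password lines, require_membership_of outside auth) to a PAM stack. The sample input is constructed from the rules quoted in the thread, and the finding names are hypothetical labels.

```python
import re

# Constructed sample: rules taken from the stack quoted in the thread.
SAMPLE = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
session required /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group
"""

# type, control (plain or bracketed), module path, remaining options
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (lineno, type, module basename, option names) for each rule."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            kind, _control, module, opts = m.groups()
            names = [o.split("=", 1)[0] for o in opts.split()]
            rules.append((n, kind, module.rsplit("/", 1)[-1], names))
    return rules

def lint(text):
    """Flag the pam_winbind points raised in the reply (labels are hypothetical)."""
    rules, findings, first = parse(text), [], {}
    for n, kind, module, _ in rules:
        if kind == "auth":
            first.setdefault(module, n)  # first auth line per module
    unix, wb = first.get("pam_unix.so"), first.get("pam_winbind.so")
    if unix and wb and unix < wb:
        findings.append((wb, "winbind-after-unix"))
    for n, kind, module, names in rules:
        if module != "pam_winbind.so":
            continue
        if len(names) != len(set(names)):
            findings.append((n, "duplicate-option"))
        if kind == "account" and "use_first_pass" in names:
            findings.append((n, "account-use_first_pass"))
        if kind == "password" and "use_first_pass" in names:
            findings.append((n, "password-use_first_pass"))
        if kind != "auth" and "require_membership_of" in names:
            findings.append((n, "membership-outside-auth"))
    return findings

if __name__ == "__main__":
    for lineno, finding in lint(SAMPLE):
        print(f"line {lineno}: {finding}")
```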