[Samba] winbindd behaving oddly

Glenn Bailey gbailey at terremark.com
Mon Aug 11 15:11:47 GMT 2008

Ok wow,

Looks like the likewise solution is exactly what I've been looking
for, as I've been developing an internal solution that was basically
a stripped down samba that wouldn't conflict with any other existing
samba installs.


I threw my group membership settings in /etc/security/pam_winbind.conf
with the following format:


and this worked just fine ..

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry at samba.org]
Sent: Friday, August 08, 2008 6:53 AM
To: Glenn Bailey
Cc: samba at lists.samba.org
Subject: Re: [Samba] winbindd behaving oddly

Glenn Bailey wrote:
> Hello folks,
> Been beating my head with winbind and pam just behaving oddly. I
> have followed various HOW-TOs, wikis, and docs, and just can't seem
> to get past a wall. Here are some of the issues:

If you just want desktop or server logins and not File/Print, you might want to try likewise-open (http://www.likewisesoftware.com/community/).

> - the 1st attempt at ssh'ing to a server gives me a 'Wrong Password'
> in the logs. Here's an exact snippet:
> Aug  6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request
> failed: Wrong Password, PAM error was Authentication failure (7), NT
> I get this w/o even entering a password. If I break out and just hit
> it 2 more times it will lock the account out as expected.
> - require_membership_of seems to be flat out ignored.

Works for me, but I define it in /etc/security/pam_winbind.conf.

> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so

I stack pam_winbind before pam_unix

> account     required      /lib/security/$ISA/pam_unix.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> account     required      /lib/security/$ISA/pam_permit.so

Don't need use_first_pass

> password    required      /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> password    required      /lib/security/$ISA/pam_deny.so

Need use_authtok and not use_first_pass here.

> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group

The require-.... option is enforced in auth and not session.

cheers, jerry
--
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
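
The review comments in the reply above, turned into a small lint for a PAM stack file. This is an added example, not code from the thread or from Samba; the finding names and the SAMPLE text (cut down from the quoted stack) are constructed here. It assumes simple one-word control fields and does not read /etc/security/pam_winbind.conf, where the membership restriction may be set instead.

```python
import os

# Constructed sample: lines taken from the stack quoted in the thread.
SAMPLE = """\
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group
"""

def parse(text):
    """Yield (lineno, type, module basename, options) for each rule line.
    Assumes a one-word control field (required, sufficient, ...)."""
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            yield n, fields[0].lstrip("-"), os.path.basename(fields[2]), fields[3:]

def lint(text):
    """Return (lineno, finding) pairs for pam_winbind lines."""
    findings, seen_unix_auth = [], False
    for n, typ, mod, opts in parse(text):
        if typ == "auth" and mod == "pam_unix.so":
            seen_unix_auth = True
        if mod != "pam_winbind.so":
            continue
        names = [o.split("=", 1)[0] for o in opts]
        if len(names) != len(set(names)):
            findings.append((n, "duplicate-option"))
        # The group restriction is enforced in auth; elsewhere it does not
        # restrict logins.
        if typ != "auth" and "require_membership_of" in names:
            findings.append((n, "membership-not-in-auth"))
        # The reply stacks pam_winbind before pam_unix in auth.
        if typ == "auth" and seen_unix_auth:
            findings.append((n, "winbind-after-unix"))
        if typ == "account" and "use_first_pass" in names:
            findings.append((n, "unneeded-use_first_pass"))
        if (typ == "password" and "use_first_pass" in names
                and "use_authtok" not in names):
            findings.append((n, "password-needs-use_authtok"))
    return findings

if __name__ == "__main__":
    for lineno, finding in lint(SAMPLE):
        print(f"line {lineno}: {finding}")
```
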