[Samba] Problem with Login Shell in User Information using Winbind

Philipoff, Andrew aphilipoff at medicine.ucsf.edu
Thu Jun 5 02:36:10 GMT 2008


Edit your smb.conf and restart smbd:
Change:
	template shell = /bin/false
To:
	template shell = /bin/bash

Be careful in enabling this as it will potentially allow all domain users to log in with a shell. We add the following to /etc/pam.d/sshd to restrict ssh shell access to specific AD and local groups (substitute your AD or local group for group_name):
account    sufficient   pam_succeed_if.so user ingroup group_name

You'll need to restart sshd after editing /etc/pam.d/sshd. Note that you'll also need to add any local users/groups that need ssh access. I found how to do this here:
http://blogs.sun.com/tkblog/entry/integrating_linux_with_active_directory
http://linux.die.net/man/8/pam_succeed_if
You could also add AD users to a local group and use it in /etc/pam.d/sshd instead of an AD group.

Andrew Philipoff
Information Systems
Department of Medicine, UCSF
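
The check below is an added example, not part of the original message or of Samba: it lists the accounts whose shell allows a session and confirms that a PAM service file carries an active `ingroup` rule like the one quoted above. The function names, the `guest` account and `old_group` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed; the
# first passwd line is the thread's getent output after the template shell change.
SAMPLE_PASSWD='admin:*:16777216:16777216:admin:/home/ASURITE/admin:/bin/bash
guest:*:16777217:16777217:guest:/home/ASURITE/guest:/bin/false'
SAMPLE_PAM='#%PAM-1.0
auth       include      system-auth
account    sufficient   pam_succeed_if.so user ingroup group_name
#account   sufficient   pam_succeed_if.so user ingroup old_group
account    include      system-auth'

# Read passwd(5) lines on stdin; print accounts whose shell allows a session.
# An empty shell field is printed too, since it means the default shell.
shell_users() {
    awk -F: 'NF >= 7 && $7 !~ /\/(false|nologin)$/ { print $1 }'
}

# Read a PAM service file on stdin; print every group named by an active
# (uncommented) "account ... pam_succeed_if.so ... user ingroup <group>" rule.
pam_ingroup_groups() {
    awk '$1 == "account" && /pam_succeed_if\.so/ {
        for (i = 3; i <= NF - 2; i++)
            if ($i == "user" && $(i + 1) == "ingroup") print $(i + 2)
    }'
}

# $1 = passwd-format text, $2 = PAM service file text.
# Returns 1 when shell-capable accounts exist but no ingroup rule is active.
# Presence of the rule is all this checks: a "sufficient" rule that does not
# match is skipped, so non-members are judged by the account rules after it.
audit() {
    users=$(printf '%s\n' "$1" | shell_users)
    rule_groups=$(printf '%s\n' "$2" | pam_ingroup_groups)
    if [ -z "$users" ]; then echo "OK: no shell-capable accounts"; return 0; fi
    if [ -n "$rule_groups" ]; then echo "OK: ingroup rule for:" $rule_groups; return 0; fi
    echo "WARN: no ingroup rule; shell-capable accounts:" $users
    return 1
}

# Demo on the constructed samples. On a real host:
#   audit "$(getent passwd)" "$(cat /etc/pam.d/sshd)"
audit "$SAMPLE_PASSWD" "$SAMPLE_PAM"
```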

-----Original Message-----
From: samba-bounces+aphilipoff=medicine.ucsf.edu at lists.samba.org [mailto:samba-bounces+aphilipoff=medicine.ucsf.edu at lists.samba.org] On Behalf Of Aniket Bharaswadkar
Sent: Wednesday, June 04, 2008 4:32 PM
To: samba at lists.samba.org
Subject: [Samba] Problem with Login Shell in User Information using Winbind

Hi all

I am trying to get Windows AD logins to work with Fedora 8/9 Linux. I had 
the same setup working well with Fedora 7, but with Fedora 8/9 the 
problem is whenever I do "getent passwd 'username'" the login shell is 
listed as /bin/false and users cannot log in, even though I have set it 
to use template shell= /bin/bash in the smb.conf configuration file. 
Also I have made the necessary changes to krb.conf, krb.realms and 
krb5.conf files for Kerberos configuration and obtained the tickets 
using "kinit". "klist" shows that I have the tickets.

I have enabled pam_mkhomedir.so, so if I try my Windows AD login by 
doing "su username", it shows messages about creating the home directory 
and gets me back to my local user prompt, due to no login shell. Also, 
if I input the wrong password, it says wrong password. So 
authentication seems to be working fine. For more info, here is the output of 
getent:

admin:*:16777216:16777216:admin:/home/ASURITE/admin:/bin/false

I am running Samba version 3.2.0-rc1, which shipped with Fedora 9.

Please advise me how to set the login shells to /bin/bash, as currently 
no domain users can log in to my server.

Aniket