[Samba] winbind / trust questions and issues

Eric A. Hall ehall at ntrg.com
Tue Dec 21 09:31:03 MST 2010


On 12/20/2010 11:17 AM, Eric A. Hall wrote:
> 
> On 12/15/2010 4:19 PM, Eric A. Hall wrote:
> 
>> First issue is that I would like to filter out the local (LABS) users and
>> groups in winbind if possible.

> Anything else I could try?

I experimented with pam_access a little bit but that did not work for two
reasons--first is that it doesn't support wildcards or regex so no way to
deny access to LABS.* username(s), and anyway it uses uid number instead
of the login name and I needed to filter by name not number.

In the process of debugging this I noticed that pam_winbind returns
PAM_SYSTEM_ERR for users in the local domain, but the error was not being
trapped as fatal by pam. I changed the common-auth config file so that
pam_winbind was REQUIRED instead of SUFFICIENT and moved it to the end of
the stack, and now the errors are trapped as fatal and login requests for
users in the local domain are rejected.

I think some kind of generalized allow_domains and reject_domains option
statements for pam_winbind would be good to have. In the meantime my
problem is resolved.

-- 
Eric A. Hall                                  http://www.eric-a-hall.com/
Network Technology Research Group                    http://www.ntrg.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
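
Added example, not part of the original post and not Samba or Linux-PAM code: a simplified Python model of the PAM control flags from pam.conf(5), showing why PAM_SYSTEM_ERR from a "sufficient" pam_winbind is not fatal while the same code from a "required" entry is. The three stacks and the pam_unix.so result are constructed assumptions, not the poster's actual common-auth.

```python
# Simplified model of the Linux-PAM control flags described in pam.conf(5).
PAM_SUCCESS = "PAM_SUCCESS"

def run_stack(stack, results):
    """Return the final code for a stack of (control, module) entries.

    results is a constructed map: module name -> code that module returns.
    """
    failure = None      # first failure recorded by required/requisite
    succeeded = False   # some module has contributed a success
    for control, module in stack:
        rc = results[module]
        ok = rc == PAM_SUCCESS
        if control == "requisite" and not ok:
            return failure or rc        # fail and stop immediately
        if control in ("required", "requisite"):
            if ok:
                succeeded = True
            elif failure is None:
                failure = rc            # fatal, but later modules still run
        elif control == "sufficient":
            if ok and failure is None:
                return PAM_SUCCESS      # short-circuit: later modules skipped
            # any non-success from a sufficient module is ignored
        elif control == "optional":
            succeeded = succeeded or ok
        else:
            raise ValueError(f"unknown control flag: {control}")
    if failure:
        return failure
    return PAM_SUCCESS if succeeded else "PAM_PERM_DENIED"

# Constructed results for one login by a local-domain user: pam_winbind
# returns PAM_SYSTEM_ERR (as reported in the post); pam_unix succeeding
# for the same account is an assumption made to expose the difference.
LOCAL_DOMAIN_USER = {"pam_winbind.so": "PAM_SYSTEM_ERR",
                     "pam_unix.so": PAM_SUCCESS}

STACKS = {  # constructed stacks, in file order
    "winbind sufficient, first": [("sufficient", "pam_winbind.so"),
                                  ("required", "pam_unix.so")],
    "winbind required, last": [("required", "pam_unix.so"),
                               ("required", "pam_winbind.so")],
    "sufficient success before winbind": [("sufficient", "pam_unix.so"),
                                          ("required", "pam_winbind.so")],
}

if __name__ == "__main__":
    for name, stack in STACKS.items():
        print(f"{name:35} -> {run_stack(stack, LOCAL_DOMAIN_USER)}")
```

The third stack shows the ordering caveat: a "sufficient" module that succeeds earlier in the stack returns before a later "required" pam_winbind is ever consulted.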

