[Samba] winbind when machine account is not allowed to read users from ad

steve steve at steve-ss.com
Wed Dec 4 04:21:56 MST 2013

On Wed, 2013-12-04 at 11:57 +0100, Stefan Heß wrote:

> I don't know what the difference was the generated pam_krb5 stack from
> yesterday and the one half an hour ago?

We don't know either because we have neither the 'generated pam-krb5
stack yesterday', nor 'the one half an hour ago'!

Just a guess, but it seems that your stack is in the wrong order. Here
are a few guidelines, again I'm guessing, but winbind as isn't grabbing
you as you're falling through to the plain unix auth so try:

Add before pam_unix.so:
auth  sufficient  pam_winbind.so use_first_pass

Add before pam_unix.so:
account sufficient pam_winbind.so

Add at the start
session required pam_winbind.so

BE CAREFUL: Have a few root terminals open if you're gonna test
this. . .


More information about the samba mailing list