[Samba] samba + kerberos + active directory with multiple domains

Winkel, Richard J. winkelr at missouri.edu
Thu Oct 31 07:16:30 MDT 2013

I think it must be something with /etc/pam.d/password-auth (immediately 
included from pam.d/sshd) because there are no messages from pam_winbind 
in the syslog except for the connections for the domain admin.  The 
other users are rejected seemingly without any pam_winbind involvement 
(only messages from sshd).
This is password-auth:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

On 10/30/13 6:05 PM, Winkel, Richard J. wrote:
> Many thanks Dale!  Sorry I missed it earlier.  Now I have wbinfo -a
> working with "domain+user" for the primary as
> well as the trusted domain, but I still can't "ssh domain+user@hostname"
> except for the user that joined the
> machine to the domain (it even created the home dir for that user).  But
> for the others it says invalid user in the logs.
> Sorry to be a pain, I'm sure the answer is obvious but the amount of
> documentation is overwhelming :<
> Rich
> On 10/29/13 1:24 PM, Dale Schroeder wrote:
>> Richard,
>> See if the example for multiple domains as shown on this page is what
>> you are looking for:
>> http://www.samba.org/samba/docs/man/manpages/idmap_rid.8.html
>> Dale
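The symptom discussed in this thread, as an added example that is not part of the original post or of Samba: when sshd logs "Invalid user", the login name failed the NSS lookup (getpwnam) that sshd performs before it ever enters the PAM auth stack, which is why a stack like the one quoted above shows no pam_winbind messages for those users. A successful `wbinfo -a` only proves that winbindd can authenticate the name; it does not prove that the name resolves through NSS. The script below checks, offline and against constructed sample files, the three settings that decide whether a DOMAIN+user name resolves to a uid and then clears the stack's `uid >= N` gate: the passwd/group sources in nsswitch.conf, the idmap ranges in smb.conf (one per domain plus the "*" default, non-overlapping, all at or above the gate), and the gate value parsed from the auth section of the posted stack. The domain names EXAMPLE and TRUSTED, the ranges and the file contents are made up for the illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba: offline checks
# for what must hold before pam_winbind is ever consulted for a "DOMAIN+user"
# login.  sshd resolves the name through NSS first; if that fails it logs
# "Invalid user" and never runs the PAM auth stack.  Domain names, ranges and
# sample file contents below are constructed for illustration.

# nss_has_winbind [FILE]
# Exit 0 when the "passwd:" and "group:" lines of an nsswitch.conf list
# winbind; otherwise print what is missing and exit 1.  Reads stdin by default.
nss_has_winbind() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(passwd|group)[ \t]*:/ {
            db = $0; sub(/[ \t]*:.*/, "", db); sub(/^[ \t]*/, "", db)
            list = $0; sub(/#.*/, "", list); sub(/^[^:]*:/, "", list)
            found = 0
            n = split(list, parts)               # default FS: split on blanks
            for (i = 1; i <= n; i++) if (parts[i] == "winbind") found = 1
            if (!found) { printf "nsswitch.conf: \"%s:\" does not list winbind\n", db; bad = 1 }
        }
        END { exit bad }' "${1:-/dev/stdin}"
}

# idmap_ranges_ok [FILE] [MINUID]
# Parse every "idmap config <domain> : range = LOW - HIGH" line of an smb.conf
# and exit 1 when there is no "*" default (needed for BUILTIN and for any
# domain without its own block), a range is inverted, a range starts below
# MINUID (the pam_succeed_if "uid >= N" gate), or two ranges overlap.
idmap_ranges_ok() {
    awk -F'=' -v minuid="${2:-0}" '
        BEGIN { bad = 0; n = 0; have_default = 0 }
        tolower($1) ~ /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*range[ \t]*$/ {
            dom = $1; sub(/^[ \t]*/, "", dom); sub(/[ \t]*:.*/, "", dom)
            sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", dom)   # drop "idmap config"
            split($2, r, "-"); lo = r[1] + 0; hi = r[2] + 0
            n++; d[n] = dom; L[n] = lo; H[n] = hi
            if (dom == "*") have_default = 1
            if (lo >= hi) { printf "idmap: inverted range for %s (%d-%d)\n", dom, lo, hi; bad = 1 }
            if (lo < minuid) { printf "idmap: range for %s starts at %d, below the PAM uid gate %d\n", dom, lo, minuid; bad = 1 }
        }
        END {
            if (!have_default) { print "idmap: no \"idmap config * : range\" default"; bad = 1 }
            for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
                if (L[i] <= H[j] && L[j] <= H[i]) { printf "idmap: ranges for %s and %s overlap\n", d[i], d[j]; bad = 1 }
            exit bad
        }' "${1:-/dev/stdin}"
}

# pam_min_uid [FILE]
# Print the N from the first "auth ... pam_succeed_if.so uid >= N" line of a
# PAM stack, or 0 when the stack has no such gate.
pam_min_uid() {
    awk '$1 == "auth" && /pam_succeed_if\.so/ {
            for (i = 2; i < NF; i++) if ($i == ">=" && $(i-1) == "uid") { print $(i+1); found = 1; exit }
        }
        END { if (!found) print 0 }' "${1:-/dev/stdin}"
}

# Constructed samples.  A stock nsswitch.conf never consults winbind; the
# second one adds it.  The smb.conf fragment maps a primary and a trusted
# domain with idmap_rid in separate ranges and keeps the "*" default.
sample_nsswitch_files_only() { printf '%s\n' 'passwd:     files' 'shadow:     files' 'group:      files'; }
sample_nsswitch_winbind()    { printf '%s\n' 'passwd:     files winbind' 'shadow:     files' 'group:      files winbind'; }
sample_smbconf_good() {
    cat <<'EOF'
[global]
   security = ads
   winbind separator = +
   idmap config * : backend = tdb
   idmap config * : range = 10000 - 19999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 100000 - 199999
   idmap config TRUSTED : backend = rid
   idmap config TRUSTED : range = 200000 - 299999
EOF
}
# Same fragment with the trusted domain's range colliding with the primary's.
sample_smbconf_overlap() { sample_smbconf_good | sed 's/200000 - 299999/150000 - 250000/'; }
# The auth section of the password-auth stack quoted in the post.
sample_pam_auth() {
    printf '%s\n' 'auth        required      pam_env.so' \
        'auth        sufficient    pam_unix.so nullok try_first_pass' \
        'auth        requisite     pam_succeed_if.so uid >= 500 quiet' \
        'auth        sufficient    pam_winbind.so use_first_pass' \
        'auth        required      pam_deny.so'
}

# Run the checks against the samples.  On a real host pass /etc/nsswitch.conf,
# /etc/samba/smb.conf and /etc/pam.d/password-auth as the FILE arguments.
gate=$(sample_pam_auth | pam_min_uid)
echo "PAM uid gate: $gate"
for s in sample_nsswitch_files_only sample_nsswitch_winbind; do
    if $s | nss_has_winbind; then echo "$s: ok"; fi
done
for s in sample_smbconf_good sample_smbconf_overlap; do
    if $s | idmap_ranges_ok /dev/stdin "$gate"; then echo "$s: ok"; fi
done
```

On the host itself the equivalent live check for a single name is `getent passwd 'DOMAIN+user'`: if that prints nothing, sshd will report the name as an invalid user regardless of what the PAM stack contains, and the nsswitch.conf sources and the idmap ranges for that user's domain are the places to look.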
