[Samba] samba + kerberos + active directory with multiple domains

Dale Schroeder dale at BriannasSaladDressing.com
Thu Oct 31 12:53:42 MDT 2013

You are correct.  I have an almost default /etc/pam.d/sshd that works; 
all I have added is

auth    sufficient    pam_winbind.so
account    sufficient    pam_winbind.so


On 10/31/2013 8:16 AM, Winkel, Richard J. wrote:
> I think it must be something with /etc/pam.d/password-auth (immediately
> included from pam.d/sshd) because there are no messages from pam_winbind
> in the syslog except for the connections for the domain admin.  The
> other users are rejected seemingly without any pam_winbind involvement
> (only messages from sshd).
> This is password-auth:
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_winbind.so use_first_pass
> auth        required      pam_deny.so
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account     required      pam_permit.so
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_winbind.so use_authtok
> password    required      pam_deny.so
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_oddjob_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> On 10/30/13 6:05 PM, Winkel, Richard J. wrote:
>> Many thanks Dale!  Sorry I missed it earlier.  Now I have wbinfo -a
>> working with "domain+user" for the primary as well as the trusted domain,
>> but I still can't "ssh domain+user at hostname" except for the user that
>> joined the machine to the domain (it even created the home dir for that
>> user).  But for the others it says invalid user in the logs.
>> Sorry to be a pain, I'm sure the answer is obvious but the amount of
>> documentation is overwhelming :<
>> Rich
>> On 10/29/13 1:24 PM, Dale Schroeder wrote:
>>> Richard,
>>> See if the example for multiple domains as shown on this page is what
>>> you are looking for:
>>> http://www.samba.org/samba/docs/man/manpages/idmap_rid.8.html
>>> Dale

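Added as an illustration (not code from the thread or from Samba): a small model of Linux-PAM's control-flag dispatch, run over the auth lines of the password-auth stack quoted above. The module behaviours are constructed stand-ins keyed on a simulated user's uid/local/winbind attributes, so the point is the trace: which modules a given user reaches before the stack decides, e.g. that `requisite pam_succeed_if.so uid >= 500` returns before pam_winbind is ever called for a uid below 500, which is the kind of "no pam_winbind messages" outcome the thread is puzzling over.

```python
import re
KEYWORDS = {  # Linux-PAM's documented expansions of the keyword control flags
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}

def parse_stack(text, group):  # -> [(actions, module, args)] for one group, e.g. "auth"
    stack = []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)", line)
        if m and m.group(1) == group:
            c = m.group(2)  # a keyword or the [value=action ...] form
            actions = KEYWORDS[c] if c.isalpha() else dict(kv.split("=") for kv in c[1:-1].split())
            stack.append((actions, m.group(3), m.group(4)))
    return stack

def run_stack(stack, user, modules):  # -> (granted, [(module, return code)])
    impression, trace = None, []  # impression: None undecided, True positive, False negative
    for actions, module, args in stack:
        code = modules[module](user, args)
        trace.append((module, code))
        action = actions.get(code, actions.get("default", "bad"))
        if action in ("ok", "done") and impression is None:
            impression = code == "success"
        elif action in ("bad", "die"):
            impression = False
        if action == "done" and impression or action == "die":
            break  # sufficient success (no earlier failure) or requisite failure ends the stack
    return impression is True, trace

def succeed_if(user, args):  # only the "uid >= N" / "uid < N" tests in the quoted stack
    op, bound = re.match(r"uid\s*(>=|<)\s*(\d+)", args).groups()
    ok = user["uid"] >= int(bound) if op == ">=" else user["uid"] < int(bound)
    return "success" if ok else "auth_err"
MODULES = {  # constructed stand-ins driven by the simulated user's attributes
    "pam_env.so": lambda u, a: "success",
    "pam_unix.so": lambda u, a: "success" if u["local"] else "user_unknown",
    "pam_succeed_if.so": succeed_if,
    "pam_winbind.so": lambda u, a: "success" if u["winbind"] else "auth_err",
    "pam_deny.so": lambda u, a: "auth_err",
}

PASSWORD_AUTH = """auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
"""
```

Call `run_stack(parse_stack(PASSWORD_AUTH, "auth"), user, MODULES)` with a user dict such as `{"uid": 10000, "local": False, "winbind": True}` and compare the returned trace for a uid below 500; `parse_stack` also accepts the bracketed `[default=bad success=ok user_unknown=ignore]` form from the account stack.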