[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers

Bruno La Torre b.thetower at gmail.com
Thu Jan 2 17:11:54 MST 2014


Look at
https://wiki.samba.org/index.php/Samba4/Winbind
for winbind + pam.


2014/1/2 Georg Vorlaufer <georg.vorlaufer at gmail.com>

>
> [SNIP]
> However, when I try to login via ssh to either of the two machines using my
> domain account (georg), I get rejected by the pam_winbind module. However,
> the kerberos ticket cache is created during the ssh authentication process
> (i.e. the file /tmp/krb5cc_10001, where 10001 is the numeric uid of user
> georg, is created and contains a valid ticket)
>
> And here is the pam config (/etc/pam.d/common-auth)
>
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
>
> # here are the per-package modules (the "Primary" block)
> auth    [success=2 default=ignore]    pam_unix.so nullok_secure
> auth    [success=1 default=ignore]    pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
> # here's the fallback if no module succeeds
> auth    requisite            pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth    required            pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
>
>
>
You must write the pam_winbind.so line before the pam_unix.so line.

bruno
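
Added example, not part of the thread: in the quoted stack each success=N skips the next N modules, so whenever the pam_unix.so and pam_winbind.so lines change places the counts must still land on pam_permit.so. This Python check is a simplified model that only follows success=N jumps; the two swapped stacks are constructed for illustration, and it says nothing about whether a reorder resolves the login failure.

```python
import re

# Auth lines from the quoted common-auth (wrapped pam_winbind line rejoined).
ORIGINAL = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
# Constructed: the two module lines swapped, skip counts left as they were.
SWAPPED_ONLY = """\
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE try_first_pass
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
"""
# Constructed: swapped, with the skip counts adjusted to the new positions.
SWAPPED_FIXED = SWAPPED_ONLY.replace("success=1", "success=X") \
                            .replace("success=2", "success=1") \
                            .replace("success=X", "success=2")

AUTH_LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")
END = "<end of stack>"

def parse(text):
    """Return [(control, module)] for every auth line; comments are skipped."""
    matches = (AUTH_LINE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def jump_targets(text):
    """Map each module that uses success=N to the module its jump lands on."""
    stack = parse(text)
    targets = {}
    for i, (control, module) in enumerate(stack):
        m = re.search(r"success=(\d+)", control)
        if m:
            landing = i + 1 + int(m.group(1))  # skip the next N modules
            targets[module] = stack[landing][1] if landing < len(stack) else END
    return targets

def bad_jumps(text):
    """Modules whose success jump hits pam_deny.so or skips pam_permit.so."""
    return sorted(mod for mod, tgt in jump_targets(text).items()
                  if tgt in ("pam_deny.so", END))

if __name__ == "__main__":
    for name in ("ORIGINAL", "SWAPPED_ONLY", "SWAPPED_FIXED"):
        print(name, jump_targets(globals()[name]), bad_jumps(globals()[name]))
```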

