[Samba] self compiled samba domain member, jessie, pam config

[Rowland Penny]

On 26/10/15 18:59, mourik jan c heupink wrote:
> Hi,
>
> I installed a debian jessie machine, compiled/installed samba 4.3.1, 
> configured as a domain member server, configured winbind: all working 
> nicely. Great docs on the wiki.
> (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server)
>
> One remaining thing: How do I exactly configure pam_winbind in the 
> setup above?
>
> On the wiki I read that debian uses pam-auth-update. That does not 
> seem to detect the winbind install. Installing doing apt-get install 
> libpam-winbind wants to install the complete samba package from debian 
> jessie.
>
> I have read this page also: 
> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory but it 
> seems very old, and the pam files on my system look very different.
>
> Are there instructions somewhere on the wiki, or does someone have 
> some notes in the subject he or she would care to share?
>
> MJ
>

OK, create a file called /usr/share/pam-configs/winbind containing this:

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
     [success=end default=ignore]    pam_winbind.so krb5_auth 
krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
     [success=end default=ignore]    pam_winbind.so krb5_auth 
krb5_ccache_type=FILE cached_login
Account-Type: Primary
Account:
     [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
Password-Type: Primary
Password:
     [success=end default=ignore]    pam_winbind.so use_authtok 
try_first_pass
Password-Initial:
     [success=end default=ignore]    pam_winbind.so
Session-Type: Additional
Session:
     optional            pam_winbind.so


See: 
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind

Follow the link to: https://wiki.samba.org/index.php/Libnss_winbind_links

Rowland