[Samba] entering password twice
Robert Wooden
wdn2420systm at gmail.com
Fri Sep 11 03:47:00 UTC 2020
I might be asking this question the incorrect group but, here goes.
I have successfully added a Debian 10 member (workstation) and made the
/etc/pam.d files adjustments per the Debianwiki page
https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory and Debian
is allowing me to login with AD users and passwords except for one thing. I
have to enter the password twice to login.
Here are the changed pam_mount files (the red font are the added lines):
root at lws2:~# cat /etc/pam.d/common-account
#
SNIPPED FOR BREVITY
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]
pam_winbind.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
account sufficient pam_winbind.so
account required pam_unix.so
root at lws2:~# cat /etc/pam.d/common-auth
#
SNIPPED FOR BREVITY
#
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth
krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
root at lws2:~# cat /etc/pam.d/common-session
#
SNIPPED FOR BREVITY
#
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_winbind.so
session optional pam_systemd.so
session optional pam_mkhomedir.so
# end of pam-auth-update config
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
root at lws2:~# cat /etc/pam.d/sudo
#%PAM-1.0
#
Auth sufficient pam_winbind.so
Auth sufficient pam_unix.so use_first_pass
Auth required pam_deny.so
@include common-auth
@include common-account
@include common-session-noninteractive
The Debian wiki was very brief but, is based on
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto however, the
Ubuntu wiki referenced some older versions of Ubuntu.
So I made the additions to the end of each file with the exception of the
/etc/pam.d/sudo file, those additions went in front of the line "@include
common-auth".
I'm wondering if the simple question, *why am I having to enter the
password twice?* can be answered here or do I need to head over the Debian
forum?
More information about the samba
mailing list