The only way I could get it to work was to have the following gdm pam
config:

#%PAM-1.0
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_stack.so service=system-auth
session optional pam_console.so

That will allow gdm to authenticate the user, but it will not allow
usernames with a + or \ separator, so the way around that is to set the
following option:

winbind use default domain = yes

That will allow logging in with just the username. The only problem
occurs when you have a user from another domain that needs to log in.

Patrick

Brett Hales wrote:
>Hi,
>
>I am currently trying to set up a RedHat 9 Linux client to authenticate
>against a Windows 2000 Active Directory server.
>
>Using the Winbind documentation I have successfully authenticated
>however I now have a problem with gdm.
>
>Jun 18 12:18:48 jerry pam_winbind[1192]: user 'AU+Bhales' granted acces
>Jun 18 12:18:48 jerry pam_winbind[1192]: user 'AU+Bhales' granted acces
>Jun 18 12:18:49 jerry gdm(pam_unix)[1192]: session opened for user AU+Bhales by (uid=0)
>Jun 18 12:18:49 jerry gdm[1202]: gdm_slave_session_start: User not allowed to log in
>
>Does anybody know why gdm_slave_session_start is not allowing me to
>login when pam_winbind has already authenticated me?
>
>Thanks,
>
>
>
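
Added example, not part of the original messages: a simplified Python model of PAM control-flag evaluation applied to the auth lines of the gdm config above. It shows that a successful `sufficient pam_winbind.so` ends the stack before `pam_nologin.so` is consulted. The reordered variant and the scenario data are constructed assumptions, and module results are simulated rather than taken from a real PAM library.

```python
# Auth lines copied from the gdm PAM config in the message above.
GDM_AUTH = """\
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
"""
# Constructed variant (an assumption, not from the message): pam_nologin moved
# ahead of the "sufficient" lines so that it is always consulted.
REORDERED_AUTH = """\
auth required pam_env.so
auth required pam_nologin.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
"""

def parse(text, group="auth"):
    """Return [(control, module)] for one management group, skipping comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            rules.append((fields[1], fields[2]))
    return rules

def evaluate(rules, results):
    """Walk a stack using the simple control flags; results maps module -> bool.
    Simplified model. Returns (granted, modules_consulted)."""
    failed, passed, consulted = False, False, []
    for control, module in rules:
        ok = results.get(module, False)
        consulted.append(module)
        if not ok:
            if control == "requisite":
                return False, consulted   # fail immediately
            if control == "required":
                failed = True             # fail, but keep walking the stack
            continue                      # failed sufficient/optional is ignored
        if control == "sufficient" and not failed:
            return True, consulted        # success ends the stack here
        passed = True
    return passed and not failed, consulted

# Constructed scenario: a domain user with a valid password while /etc/nologin
# exists, so pam_nologin would fail for any non-root user.
DOMAIN_USER_DURING_NOLOGIN = {"pam_env.so": True, "pam_winbind.so": True,
                              "pam_nologin.so": False}
```

Calling `evaluate(parse(GDM_AUTH), DOMAIN_USER_DURING_NOLOGIN)` grants access after consulting only `pam_env.so` and `pam_winbind.so`; the same call with `REORDERED_AUTH` denies it.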