Someone on the pam mailing list suggested I try my question here.

In our pam.d/imap we have:

    account required pam_permit.so
    auth sufficient pam_winbind.so try_first_pass

Authentication for imap works fine with this. If we switch to:

    account sufficient pam_winbind.so

for the first line, then logins using their AD password fail.

We also have a non-AD ldap authentication server, and have found that these lines work fine for ldap (no pam_permit):

    account sufficient pam_ldap.so
    auth sufficient pam_ldap.so try_first_pass

We would like to implement a pam_groupdn within ldap, and so that would require using account on both:

    account sufficient pam_winbind.so
    account sufficient pam_ldap.so

However we can't use the above with pam_winbind failing.

ssh uses /etc/pam.d/system-auth in Redhat, and Redhat has this account related clump:

    account required pam_unix.so broken_shadow
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account [default=bad success=ok user_unknown=ignore] pam_krb5.so
    account [default=bad success=ok user_unknown=ignore] pam_winbind.so
    account required pam_permit.so

ssh logins using winbind authentication are working well with the above account clump in place.

Perhaps I don't understand the meaning of the account section. Wouldn't the above always succeed due to the pam_permit line?

We are at samba-client-3.0.25b, pam-0.99.6.2-3.26 and pam_smb-1.1.7-7.2.1

--Donald
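An added example, not part of Donald's post, that models the account-stack rules from pam.conf(5) in Python so the stacks quoted above can be traced by hand. The per-module return codes fed into it are constructed, since the post does not say what pam_winbind actually returned.

```python
# Added example, not from the mailing-list post: a small model of how Linux-PAM
# walks an account stack using the [value=action] rules from pam.conf(5).
# Module return codes are constructed inputs; the model only decides what the
# stack as a whole hands back to the application.
SUCCESS, IGNORE, PERM_DENIED, USER_UNKNOWN, AUTH_ERR = (
    "success", "ignore", "perm_denied", "user_unknown", "auth_err")

# pam.conf(5) defines the keyword controls as [value=action] tables.
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """'required' or '[default=bad success=ok user_unknown=ignore]' -> action table."""
    if control.startswith("["):
        return dict(kv.split("=", 1) for kv in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, results):
    """stack: [(control, module), ...]; results: module -> constructed return code."""
    status, impression = PERM_DENIED, None       # nothing decided yet: deny
    for control, module in stack:
        retval = results[module]
        table = parse_control(control)
        action = table.get(retval, table.get("default", "bad"))
        if action in ("ok", "done"):
            # a success counts only while no earlier module recorded a failure
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                            # sufficient: return early
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # first failure wins
            if action == "die":
                break                            # requisite: return early
        # action "ignore": the module contributes nothing
    return status

WINBIND_ONLY = [("sufficient", "pam_winbind.so")]
REDHAT_CLUMP = [("required", "pam_unix.so"), ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_krb5.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_winbind.so"),
    ("required", "pam_permit.so")]
```

With pam_winbind as the only account line, any non-success result is ignored by `sufficient`, nothing records a decision, and the stack denies. In the Red Hat clump the trailing `required pam_permit.so` supplies a success when every earlier module was ignored, but it cannot override a failure already recorded by a `required` or `default=bad` line, so the clump does not always succeed.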