Adam Ranville
2001-Oct-22 10:50 UTC
Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
Hello,

I have gone through the howto provided but I am not yet able to logon to my linux box using NT4 domain accounts. I can however authenticate to restricted shares and I can obtain groups and users via "getent" and "wbinfo -u". All I really need now is a working /etc/pam.d/login. I've tried examples from the howto as with others from the mailing list but I can not seem to get the needed results.

This is a redhat 7.1 install with version 2.2.2 of samba ( ./configure --with-winbind --with-pam). I've provided my /etc/pam.d/login below and my smb.conf. Any help would be much appreciated.

Thanks in advance,

Adam

/etc/pam.d/login:

#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so

/usr/local/samba/lib/smb.conf:

[global]
workgroup = MKS
server string = hqnis1 ###( not running NIS)###
load printers = yes
printcap name = /etc/printcap
printing = bsd
guest account = nobody
log file = /usr/local/samba/var/log.%m
max log size = 50
security = domain
password server = *
encrypt passwords = Yes
update encrypted = Yes
netbios name = hqnis1
socket options = TCP_NODELAY
local master = No
os level = 0
domain master = False
preferred master = False
wins server = 1.0.0.101
dns proxy = no
smb passwd file = /usr/local/samba/private/smbpasswd
debug level = 1
name resolve order = wins host bcast
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

[adamdir]
comment = Adam Directory
path = /home/test
valid users = MKS\adam
public = no
writable = yes
printable = no
Anthony J. Breeds-Taurima
2001-Oct-22 18:01 UTC
Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
On Mon, 22 Oct 2001, Adam Ranville wrote:

> Hello,
>
> I have gone through the howto provided but I am not yet able to
> logon to my linux box using NT4 domain accounts. I can however authenticate
> to restricted shares and I can obtain groups and users via "getent" and
> "wbinfo -u". All I really need now is a working /etc/pam.d/login. I've tried
> examples from the howto as with others from the mailing list but I can not
> seem to get the needed results.
>
> This is a redhat 7.1 install with version 2.2.2 of samba( ./configure
> --with-winbind --with-pam). I've provided my /etc/pam.d/login below and my
> smb.conf. Any help would be much appreciated.
>
> Thanks in advance,
>
> Adam

> /etc/pam.d/login:
>
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so

Can we see the data in /etc/pam.d/system-auth. You're stacking the auth system from there so that's the file we need to see.

#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so

Also check that these files exist.

-rwxr-xr-x 1 root root 14921 Sep 10 14:11 /lib/libnss_winbind.so
lrwxrwxrwx 1 root root 17 Sep 4 13:44 /lib/libnss_winbind.so.2 -> libnss_winbind.so
-rwxr-xr-x 1 root root 13838 Sep 10 14:12 /lib/security/pam_winbind.so

> /usr/local/samba/lib/smb.conf:

<snip>

Looks fine to me.

When you logon to the console make sure you login as:
DOMAIN\user
NOT
user

You will probably see errors in the login process as the domain separator '\' has special meaning. Many people recommend a '+' instead.

Yours Tony.

/*
 * "The significant problems we face cannot be solved at the
 * same level of thinking we were at when we created them."
 * --Albert Einstein
 */
Adam Ranville
2001-Oct-23 09:45 UTC
Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
Hello,

I've attached the config that I was trying to use along with my original file.

I can access a share without domain\username and it works fine. Do I require domain\(or +) username for telnet? I have tried that as well.

With the attempted system-auth it would kick me out right after entering the login. It doesn't even prompt for a password. (single user got me out of it).

Thanks for the help,

Adam

attempted /etc/pam.d/system-auth:

auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_deny.so
account required /lib/security/pam_winbind.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

original /etc/pam.d/system-auth:

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
Adam Ranville
2001-Oct-24 09:44 UTC
Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
Well that seems to have moved me one step closer. I now get a positive authentication not in /var/messages but it just hangs after I input the password. Missing a home directory? Invalid shell maybe? I checked the logs and I've been getting nothing negative.

Almost there...

Adam

tail /var/log/messages:

Oct 24 12:36:19 hqnis1 pam_winbind[1552]: user 'MKS\adam' granted acces

/etc/pam.d/system-auth:

auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

-----Original Message-----
From: Anthony J. Breeds-Taurima [mailto:tony@cantech.net.au]
Sent: Tuesday, October 23, 2001 10:00 PM
To: Adam Ranville
Cc: Samba (E-mail)
Subject: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working

On Tue, 23 Oct 2001, Adam Ranville wrote:

> original file.

Thanks.

> I can access a share without domain\username and it works fine. Do I
> require domain\(or +) username for telnet? I have tried that as well.

Yes you will need to login as:
DOMAIN\user (or DOMAIN+user)

> With the attempted system-auth it would kick me out right after
> entering the login. It doesn't even prompt for a password. (single user got
> me out of it).
>
> Thanks for the help,
>
> Adam
>
> attempted /etc/pam.d/system-auth:

<snip>

> account required /lib/security/pam_deny.so
> account required /lib/security/pam_winbind.so

Like Andrew said swap these 2 lines and you should be happy.

Yours Tony.

/*
 * "The significant problems we face cannot be solved at the
 * same level of thinking we were at when we created them."
 * --Albert Einstein
 */
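
Added example (not part of the thread, and not code from Samba or Linux-PAM): a small evaluator for PAM's keyword control flags, run over the auth and account lines of the two system-auth files posted above. It shows why "account required pam_deny.so" placed ahead of pam_winbind.so rejects a domain account whatever winbind returns. The per-module outcomes and all function names are assumptions made for the illustration.

```python
# Added example: evaluates pam.d lines with Linux-PAM's keyword control flags
# (required, requisite, sufficient, optional).

# auth/account lines as posted in the thread: the "attempted" system-auth and
# the later one with pam_winbind.so moved ahead of pam_deny.so.
ATTEMPTED = """\
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_deny.so
account required /lib/security/pam_winbind.so
"""

CORRECTED = """\
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_deny.so
"""

# Constructed module outcomes (assumption, not taken from the thread's logs):
# pam_winbind.so accepts only the domain account, pam_unix.so only the local
# one, and pam_deny.so always fails.
OUTCOMES = {
    "domain": {"pam_winbind.so": True, "pam_unix.so": False, "pam_deny.so": False},
    "local": {"pam_winbind.so": False, "pam_unix.so": True, "pam_deny.so": False},
}


def parse_stack(text, mgmt_type):
    """Return [(control, module_basename)] for one management type."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and #%PAM-1.0
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        if fields[0] == mgmt_type:
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries


def evaluate(entries, outcomes):
    """Walk the stack; return (granted, trace of the modules actually run)."""
    failed_required = False
    succeeded = False
    trace = []
    for control, module in entries:
        ok = outcomes[module]
        trace.append(f"{control} {module}: {'ok' if ok else 'fail'}")
        if control == "requisite" and not ok:
            return False, trace              # fail immediately
        if control in ("required", "requisite"):
            if ok:
                succeeded = True
            else:
                failed_required = True       # remembered; the stack keeps running
        elif control == "sufficient":
            if ok:
                succeeded = True
                if not failed_required:
                    return True, trace       # short-circuit success
            # a failing sufficient module is ignored
        elif control != "optional":          # optional: ignored in this sketch
            raise ValueError(f"unsupported control flag: {control}")
    return (succeeded and not failed_required), trace


def modules_after_deny(entries):
    """Modules listed after a required/requisite pam_deny.so.

    Nothing placed there can turn the result into a success.
    """
    for i, (control, module) in enumerate(entries):
        if module == "pam_deny.so" and control in ("required", "requisite"):
            return [m for _, m in entries[i + 1:]]
    return []


if __name__ == "__main__":
    for name, text in (("attempted", ATTEMPTED), ("corrected", CORRECTED)):
        stack = parse_stack(text, "account")
        print(name, "shadowed by pam_deny.so:", modules_after_deny(stack))
        for user, outcomes in OUTCOMES.items():
            granted, trace = evaluate(stack, outcomes)
            print(f"  {user}: {'granted' if granted else 'denied'}  {trace}")
```

With the attempted file the domain account passes the auth phase and is then rejected in the account phase; the local account is unaffected because pam_unix.so short-circuits before pam_deny.so is reached.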
Rogelio J. Baucells
2001-Oct-24 10:03 UTC
Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
Did you change the "template shell" to "bin/bash" or another shell?

If you want to create the home dir on the fly, try this

session optional /lib/security/pam_mkhomedir.so umask=0077

in your system-auth

It is working for me without any problem in my RH 7.0 and 7.1 boxes

Rogelio J.

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Adam Ranville
2001-Oct-24 10:15 UTC
Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
I did put the template shell line in before, it hasn't really changed anything.

/usr/local/samba/lib/smb.conf:
template shell = /bin/bash

I added "session optional /lib/security/pam_mkhomedir.so umask=0077"

Still no luck, it just pauses then closes the session.

Adam
Rogelio J. Baucells
2001-Oct-24 10:20 UTC
Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
I had that problem before and it was the "template shell".

Check it is getting that value with:

getent passwd DOMAIN\\username

it should say the shell at the end of the line

Rogelio J.
Adam Ranville
2001-Oct-24 10:41 UTC
Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
[root@hqnis1 pam.d]# getent passwd MKS\\adam
MKS\adam:x:10002:10000:Adam Ranville:/home/MKS/adam:/bin/bash

Seems to be in order... I created /home/MKS. Wish the logs could give me an area to work on.

Adam
Hi, again,

My problem is that I can see the domain users with getent and wbinfo, but the login is not granted and the message in the /var/log/messages is "User not known to the underlying authentication module".

I don't know, but I don't believe it's a pam problem. Does anyone know or have a hint???

Rafael
Tony,

Everything described here I already did and works fine, the problem is that I can't: login in the linux box (with the nt account) and access from a nt machine (but I can if the winbind is off).

Rafael
----- Original Message -----
From: "Rafael" <rdilego@connection.com.br>
To: <beaver@dcc.ufrj.br>
Sent: Monday, October 29, 2001 5:33 AM
Subject: Fwd: Re: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to
working
> ==================BEGIN FORWARDED MESSAGE=================>
> >Received: from pandora.cantech.net.au (unverified [203.26.6.29]) by servpos1.posgrad.nce.ufrj.br
> > (EMWAC SMTPRS 0.83) with SMTP id <B0004184582@servpos1.posgrad.nce.ufrj.br>;
> > Thu, 25 Oct 2001 23:14:42 -0300
> >Received: from thor.cantech.net.au (thor.cantech.net.au [203.26.6.12])
> > by pandora.cantech.net.au (8.11.6/8.11.6) with ESMTP id f9Q1EEl22483;
> > Fri, 26 Oct 2001 09:14:14 +0800
> >Date: Fri, 26 Oct 2001 09:14:14 +0800 (WST)
> >From: "Anthony J. Breeds-Taurima" <tony@cantech.net.au>
> >To: Rafael <rafiros@posgrad.nce.ufrj.br>
> >cc: <samba@lists.samba.org>
> >Subject: Re: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to working
> >In-Reply-To: <00a601c15d6f$d6179fb0$f110a492@posgrad.nce.ufrj.br>
> >Message-ID: <Pine.LNX.4.33.0110260907000.1075-100000@thor.cantech.net.au>
> >MIME-Version: 1.0
> >Content-Type: TEXT/PLAIN; charset=US-ASCII
> >
>
> On Thu, 25 Oct 2001, Rafael wrote:
>
> > Hi, again,
> >
> > My problem is that I can see the domain users with getent and
> > wbinfo, but the login is not granted and the message in the
> > /var/log/messages is "User not known to the underlying authentication
> > module".
> > I don't know, but I don't believe it's a PAM problem. Does
> > anyone know or have a hint???
>
> Make sure:
>
> a) you have joined the domain correctly.
>    wbinfo -t should help there
> b) you have something like:
>      winbind cache time = 10
>      winbind enum users = yes
>      winbind enum groups = yes
>      template shell = /bin/bash
>      template homedir = /home/%D/%U
>      winbind uid = 10000-20000
>      winbind gid = 10000-20000
>    in smb.conf
> c) you have the appropriate domain setting in smb.conf
> d) your winbindd is running
> e) you have something like:
>      passwd: files winbind
>      group: files winbind
>    in /etc/nsswitch.conf
> f) /lib/libnss_winbind.so exists
> g) /lib/libnss_winbind.so.2 is a symlink to /lib/libnss_winbind.so
>
> Assuming all that is correct you definitely should be able to see
> domain users with: wbinfo -u
> domain groups with: wbinfo -g
>
> you should be able to "finger DOMAIN\\User" and get info.
>
> If you are still having problems then start a new thread and detail exactly
> what is and isn't working.
>
> Yours Tony.
>
> /*
> * "The significant problems we face cannot be solved at the
> * same level of thinking we were at when we created them."
> * --Albert Einstein
> */
>
>
> ===================END FORWARDED MESSAGE==================>
>
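The file-level items of the checklist quoted above (smb.conf parameters, nsswitch.conf entries, the libnss_winbind library and its .so.2 symlink) can be checked in one pass. This is an added example, not part of the original thread or of Samba; the function names and the sample tree are hypothetical, and `wbinfo -t` and a running winbindd still have to be confirmed on the live host.

```shell
#!/bin/sh
# Added example: file-level items of the checklist (b, e, f, g).
# ROOT lets the checks run against a copy of a filesystem; SMBCONF is the
# smb.conf path relative to ROOT. All function names are hypothetical.

# has_smb_param FILE NAME: true if "NAME = value" is set and not commented out.
has_smb_param() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*[^[:space:]]" "$1"
}

# nss_uses_winbind FILE DB: true if the DB line (passwd, group) lists winbind.
nss_uses_winbind() {
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|\$)" "$1"
}

# winbind_preflight ROOT SMBCONF: prints one line per failed check and
# returns the number of failures (0 means every check passed).
winbind_preflight() {
    root=$1; conf=$1/$2; fails=0
    for p in "winbind uid" "winbind gid" "template shell" "template homedir"; do
        has_smb_param "$conf" "$p" || { echo "FAIL smb.conf: $p not set"; fails=$((fails+1)); }
    done
    for db in passwd group; do
        nss_uses_winbind "$root/etc/nsswitch.conf" "$db" ||
            { echo "FAIL nsswitch.conf: $db lacks winbind"; fails=$((fails+1)); }
    done
    [ -e "$root/lib/libnss_winbind.so" ] ||
        { echo "FAIL /lib/libnss_winbind.so missing"; fails=$((fails+1)); }
    # The .so.2 name is what the NSS loader opens; it must resolve to the library.
    [ -L "$root/lib/libnss_winbind.so.2" ] && [ -e "$root/lib/libnss_winbind.so.2" ] ||
        { echo "FAIL /lib/libnss_winbind.so.2 is not a valid symlink"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample tree (not from the thread): correct except that the
# group line in nsswitch.conf has no winbind and the .so.2 symlink is absent.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/lib"
    printf '%s\n' '[global]' 'winbind uid = 10000-20000' 'winbind gid = 10000-20000' \
        'template shell = /bin/bash' 'template homedir = /home/%D/%U' > "$t/etc/smb.conf"
    printf '%s\n' 'passwd: files winbind' 'group: files' > "$t/etc/nsswitch.conf"
    : > "$t/lib/libnss_winbind.so"
    rc=0; winbind_preflight "$t" etc/smb.conf || rc=$?
    rm -rf "$t"
    return "$rc"
}
```

On a real host the call would be `winbind_preflight / usr/local/samba/lib/smb.conf` for the source-built Samba described in this thread; `demo` runs the same checks against the constructed tree.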
Joe,
Thanks for taking the time to help me, but unfortunately it didn't work.
If anyone has any idea, please..........
Rafael
----- Original Message -----
From: "Kroboth, Joe" <joe_kroboth@chernay.com>
To: "'Rafael'" <rafiros@posgrad.nce.ufrj.br>
Sent: Monday, October 29, 2001 4:30 PM
Subject: RE: Re: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to
working
>
> Hello Rafael,
>
> Here is an email that helped me to get it to work:
>
>
>
>
> ------------------------------------------------
> Hi Joe,
>
> I believe that RH 7.1 uses the centralized /etc/pam.d/system-auth
> file. You can set your /etc/pam.d/samba file to mimic /etc/pam.d/login
> or the like.
>
> Here's my /etc/pam.d/samba
> auth required /lib/security/pam_nologin.so
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
>
> The pam_stack.so module invokes the specified service (system-auth in
> this case which means that you must have a /etc/pam.d/system-auth file).
>
> Here's my /etc/pam.d/system-auth:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_winbind.so debug
> auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok
> auth required /lib/security/pam_deny.so
>
> account required /lib/security/pam_winbind.so
> #account required /lib/security/pam_unix.so
>
> password required /lib/security/pam_cracklib.so retry=3
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
> password required /lib/security/pam_deny.so
>
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
>
> Note the pam_winbind entries and the auth pam_unix entry with the
> "use_first_pass" argument. You could probably replace the pam_unix stuff
> with pam_pwdb if you prefer that. Anyway, this configuration works for me
> using swat and, in particular, correctly authenticates local/nis users vs.
> domain users.
>
> Hope this helps.
> Scott
> ------------------------------------------------------------
>
>
> Let me know how it goes.
>
> Best,
>
> Joe
>
>
> -----Original Message-----
> From: Rafael [mailto:rafiros@posgrad.nce.ufrj.br]
> Sent: Monday, October 29, 2001 2:17 PM
> To: samba@lists.samba.org
> Subject: Re: Re: RE: Winbind, RedHat 7.1, Pam 0.74-22 ohh so close to
> working
>
>
> Tony,
>
> Everything described here I already did and it works fine; the problem
> is that I can't log in to the Linux box (with the NT account) or access it
> from an NT machine (but I can if winbind is off).
>
> Rafael
>