samba - Jul 2003 - winbind on SUSE8.2

Hello Community,

is there someone who has winbind working on SUSE 8.X?
On my system the authenication of the domain users simply does not work
getent passwd
shows all domain users
gentent group
shows all domain groups
Login as domain user: Login incorrect!
There seems to be no pam_stack.so on SUSE. Can it work without it?
How can I fix ist? How can I trace the cause of the disfunction?
I would appreciate any help on this.

Roman Klesel

Welcome to the twilight zone Roman. I have windbind working (partially)
on SuSE 8.2, I can get it to authenticate users that have an account on
the box, but I have not been able to get it to work for users that do
not have an account on the box. Is that the same symptom you are seeing?
Or are you having trouble with all authentication?

Terry


On Thu, 2003-07-10 at 06:14, Klesel, Roman wrote:
> Hello Community,
> 
> is there someone who has winbind working on SUSE 8.X?
> On my system the authenication of the domain users simply does not work
> getent passwd
> shows all domain users
> gentent group
> shows all domain groups
> Login as domain user: Login incorrect!
> There seems to be no pam_stack.so on SUSE. Can it work without it?
> How can I fix ist? How can I trace the cause of the disfunction?
> I would appreciate any help on this.
> 
> Roman Klesel
>

Hi,
don't despair !!

Am Donnerstag, 10. Juli 2003 14:14 schrieb Klesel,
Roman:
> Login as domain user: Login incorrect!
Logon for some reason seems to go through the /etc/pam.d/other file. 
At least if you aithenticate from WIN. 

Also: man winbindd:

/etc/pam.d/*: 
auth sufficient pam_winbind.so
auth required pam_unix.so
...

I have it working like so.
Also do not forget the /etc/nsswitch.conf

Regrads 
Dan

As Mr. Lammersdrof suggested I used webmin to "convet samba users to
unixusers".
Now I can su into HBC+Administrator from my local root account. However password
authentication still will not work.
My smb.conf:
[global]
        workgroup = HBC
        security = domain
        password server = *
	os level = 2
	time server = Yes
	unix extensions = Yes
	encrypt passwords = Yes
	map to guest = Bad User
	printing = CUPS
	printcap name = CUPS
	socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
	wins support = No
	veto files = /*.eml/*.nws/riched20.dll/*.{*}/
        winbind separator = +
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/nt/%D/%U
        template shell = /bin/bash

/etc/nsswitch.conf
shadow: files

passwd: files winbind 
group: files winbind 

hosts:  	files dns
networks:       files dns

services:       files
protocols:      files
rpc:		files
ethers:		files
netmasks:       files
netgroup:       files
publickey:	files

bootparams:     files
automount:      files nis
aliases:        files

/etc/pam.d/login
auth requisite	pam_unix2.so	nullok     #set_secrpc
auth required	pam_securetty.so
auth required	pam_nologin.so
#auth	 required	pam_homecheck.so
auth required	pam_env.so
auth required	pam_mail.so
account required	pam_unix2.so
password required	pam_pwcheck.so	nullok
password required	pam_unix2.so	nullok use_first_pass use_authtok
session required	pam_unix2.so	none     # debug or trace
session required	pam_limits.so

I added the line "auth sufficient pam_winbind.so" to the end of
/etc/pam.d/* but the only result is that I have to enter the password twice
before its rejected.

Roman

Dear Keneth,

yes, now I can ssh into my box with the domainusers. I guess I can figure out
which file I have to modify to enable the console login.

Thanks so far everyone for your kind help.

Roman



-----Original Message-----
From: kenneth.westelinck@tiscali.be
[mailto:kenneth.westelinck@tiscali.be]
Sent: Donnerstag, 10. Juli 2003 16:33
To: Klesel, Roman; 'Lammersdorf, Lorenz'
Cc: 'samba@samba.org'
Subject: RE: [Samba] winbind on SUSE8.2


This is my working ssh file in /etc/pam.d/

#%PAM-1.0
auth       required     pam_nologin.so
auth       sufficient   pam_winbind.so
auth       required     pam_unix.so use_first_pass shadow
auth       required     pam_env.so # [1]

account    sufficient   pam_winbind.so
account    required     pam_unix.so use_first_pass

session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     pam_unix.so
session    optional     pam_lastlog.so # [1]
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so

password   required     pam_unix.so

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
#

I think the order is important and you shouldn't add it at "the
end" of
the file.


----------------------------------------------------
Solden Tiscali ADSL : 27,50 euro/maand tot eind 2003.
U bent veel betalen niet meer gewoon!
Meer info? Klik hier... http://reg.tiscali.be/default.asp?lg=nl

>should be /etc/pam.d/login
>make sure to make a backup, in case something goes wrong ;)

Jipiie!!

works like a charme! Especially the "pam_mkhomedir.so" is impressive.
Here is my /etc/pam.d/login:

#%PAM-1.0
auth required	pam_nologin.so
auth sufficient   pam_winbind.so
auth requisite	pam_unix2.so	use_first_pass shadow #set_secrpc
auth required	pam_securetty.so
#auth	 required	pam_homecheck.so
auth required	pam_env.so
auth required	pam_mail.so

account sufficient pam_winbind.so
account required	pam_unix2.so

password required	pam_pwcheck.so	nullok
password required	pam_unix2.so	nullok use_first_pass use_authtok

session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0022
session required	pam_unix2.so	none     # debug or trace
session required	pam_limits.so


Thanks everyone for your kind help.

Roman