su uses /etc/pam.d/su, so if that does not have winbind support then it
will not accept the user. An easy way to configure PAM on RedHat is to
use authconfig. It has an option for Windows authentication. When it
is turned on it will add the winbind lines to /etc/pam.d/system-auth,
which all PAM files on RedHat point to. The downside to this is they
will be able to use anything that requires a password. So for example,
if you have remote X logins enabled they would be able to log in to an
X session.
Patrick
Kenneth Savoy wrote:
>I have configured winbind and pam. I start the samba daemons in the
>following order: smbd, nmbd, winbindd. wbinfo shows users and groups. So does
>getent. If I open a terminal window and go su THEDOMAIN+user it asks for a
>password and won't accept anything. My smb.conf, nsswitch.conf, /etc/pam.d/samba,
>/etc/pam.d/login are below. Using Windows Server 2003 for AD, I have two
>servers, two domains, one for each domain. I am only using one domain for now.
>There is also a separate LDAP server. I've looked through the documentation and
>have not found anything that has corrected the problem. Does LDAP have to be
>configured in some way or is there something wrong with my configuration?
>
><<SMB.CONF>>
>[global]
> winbind separator = +
> workgroup = <<THEDOMAIN>>
> netbios name = IBPS12
> server string = clients12
> security = DOMAIN
> password server = <<MY PDC>>
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
>
><<NSSWITCH.CONF>>
>passwd: files winbind
>shadow: files
>group: files winbind
>
>hosts: files dns
>
>bootparams: nisplus [NOTFOUND=return] files
>
>ethers: files
>netmasks: files
>networks: files
>protocols: files
>rpc: files
>services: files
>
>netgroup: files
>
>publickey: nisplus
>
>automount: files
>aliases: files nisplus
>
><</etc/pam.d/samba>>
>#%PAM-1.0
>auth required pam_nologin.so
>auth required pam_stack.so service=system-auth
>account required pam_stack.so service=system-auth
>session required pam_stack.so service=system-auth
>password required pam_stack.so service=system-auth
>
><</etc/pam.d/login>>
>#%PAM-1.0
>auth required /lib/security/pam_securetty.so
>auth sufficient /lib/security/pam_winbind.so
>auth sufficient /lib/security/pam_UNIX.so use_first_pass
>auth required /lib/security/pam_stack.so service=system-auth
>auth required /lib/security/pam_nologin.so
>account sufficient /lib/security/pam_winbind.so
>account required /lib/security/pam_stack.so service=system-auth
>password required /lib/security/pam_stack.so service=system-auth
>session required /lib/security/pam_stack.so service=system-auth
>session optional /lib/security/pam_console.so
>
>
>
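
An added example, not part of the original thread: a small audit that reports which PAM services reach pam_winbind.so in their auth stack, either directly or by chaining to another service file such as system-auth. It shows both points from the reply: su rejects domain users until its stack reaches winbind, and once system-auth carries winbind every service that points to it accepts them. The sample files are constructed, and the check only tests whether pam_winbind.so is reachable, not the full control-flag logic.

```python
import re
from pathlib import Path

RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def rules(text):
    """Yield (type, control, module, args) for each PAM rule line."""
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4).split()

def auth_uses_winbind(service, files, seen=None):
    """True if the service's auth stack reaches pam_winbind.so, directly or
    via pam_stack.so service=X, include X or substack X."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return False  # cycle, or a referenced file that does not exist
    seen.add(service)
    for typ, control, module, args in rules(files[service]):
        if typ != "auth":
            continue
        name = module.rsplit("/", 1)[-1]
        if name == "pam_winbind.so":
            return True
        target = None
        if control in ("include", "substack"):
            target = module
        elif name == "pam_stack.so":
            target = next((a[8:] for a in args if a.startswith("service=")), None)
        if target and auth_uses_winbind(target, files, seen):
            return True
    return False

def audit(files):
    """Map each service name to whether its auth stack will try winbind."""
    return {svc: auth_uses_winbind(svc, files) for svc in sorted(files)}

def load_pam_dir(path="/etc/pam.d"):
    """Read a real PAM directory into the {service: text} form audit() takes."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(path).iterdir() if p.is_file()}

# Constructed sample files (assumed contents, not the poster's real system).
STACK = "auth required /lib/security/pam_stack.so service=system-auth\n"
SAMPLE_BEFORE = {
    "system-auth": "auth sufficient pam_unix.so likeauth nullok\nauth required pam_deny.so\n",
    "su": "auth sufficient pam_rootok.so\n" + STACK,
    "xdm": STACK,
    "login": "auth sufficient /lib/security/pam_winbind.so\n" + STACK,
}
SAMPLE_AFTER = dict(SAMPLE_BEFORE, **{"system-auth":
    "auth sufficient pam_unix.so likeauth nullok\n"
    "auth sufficient pam_winbind.so use_first_pass\nauth required pam_deny.so\n"})
```

Running audit(load_pam_dir()) on a host lists every service that will accept a domain password, which is the list to review before turning winbind on in system-auth.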