I use Redhat 9.0 and I have it working, I'm not sure if it's the same on
Debian but here are what my files look like. They were generated by the
'authconfig' tool. The only line I added manually was the
pam_mkhomedir.so
line.
My /etc/pam.d/login looks like this - (Note: pam_mkhomedir.so automatically
makes home directories, you may not want that, it puts them in 'template
homedir' which is specified in smb.conf)
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_UNIX.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_mkhomedir.so umask=0022
session optional pam_console.so
My /etc/pam.d/gdm looks like this -
#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
/etc/pam.d/system-auth looks like this -
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass
nolocal
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3
typepassword sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
-----Original Message-----
From: Charles McLaughlin [mailto:cmclaughlin@ucdavis.edu]
Sent: 19 December 2003 05:19
To: samba@lists.samba.org
Subject: [Samba] help with winbind/pam
Hello,
I'm trying to get a debian sid box to authenticate against an NT4 domain.
I've followed the instructions in the winbindd man page and I think I'm
on
the right track. However, I'm having problems with PAM.
As the winbindd man page suggests, I edited the /etc/nsswitch.conf and added
some winbindd related stuff to my smb.conf file.
I also edited the /etc/pam.d/* files. This is where I'm having problems...
more on that later.
I joined the domain using this:
net join -U Administrator
I was prompted for a password and was allowed to join the domain.
I ran the winbindd program just to make sure it is up and running, then I
did this: wbinfo -t And that told me that the trust relationship with the
domain is ok.
So, my linux box is part of the NT4 domain and things look good. I can walk
over to the N4 domain controller and see a computer account for my linux
box. I can do wbinfo -u on my linux box and see a list of all the windows
domain users... and I'm starting to smell success. But wait...
Here is where the problem starts. I want use a Windows domain account to
login to the linux box. For instance, I should be able to use the windows
Administrator account to login on my linux box.
So I go to a terminal and try to log in as Administrator and it says
"permission denied". I've screwed around with the /etc/pam.d/*
files enough
to allow me to login via a linux terminal using the Windows Administrator
account, but I haven't been able to do the same with GDM/Gnome. I
eventually screwed around with these files enough to lock myself out of my
system, but got back in. ;-)
So, I guess I need help understanding the /etc/pam.d/* files.
The winbindd man page says this:
-------
In /etc/pam.d/* replace the auth lines with something like this:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass
shadow nullok
Note in particular the use of the sufficient keyword and the
use_first_pass keyword.
Now replace the account lines with this:
account required /lib/security/pam_winbind.so
-------
When I edited the pam.d files, anytime I saw a line that starts with auth, I
commented it out and inserted all of the above lines that start with auth.
Likewise, I made similar edits for lines that start with account. I don't
really understand with this means though... Any suggestions? Am I doing
something out of order?
Thanks!
Charles
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba