Hello,
I'm trying to get Winbind to authenticate users that don't have local
accounts on a SAMBA BDC.
I have (3) BDCs (1) PDC running OpenLDAP 2.1.23 pass backend and Samba
3.0. These are on RedHat 8.0 systems. 3 BDC are also slave LDAP and 1
master directory server on the PDC.
I went through the Samba documentation CH21 and made modifications to
the BDCs and PDC as follows:
nsswitch.conf files winbind for passwd and group
pam.d/login
#%PAM-1.0
#auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
pam.d/samba
#%PAM-1.0
#auth required /lib/security/pam_stack.so service=system-auth
#account required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_pwdb.so nullok shadow
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_winbind.so
account required /lib/security/pam_pwdb.so
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
pam.d.system-auth
#%PAM-1.0
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 typepassword
sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
pam_winbind.s is in /lib/security
libnss_winbind.so and symbolic link to it from libnss_winbind.so.2
smb.conf
...
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /accounts/default/%D/%U
template shell = /bin/bash
winbind use default domain = yes
...
If I run smbclient on a BDC:
smbclient -L localhost -U fred
where fred is a local account I get shares and an appropriate response.
When I check the logs, samba.bdc name it indicates that samba is getting
information from the LDAP directory, including password.
When I do the same for a person without a local account, the LDAP
directory returns user found but :
session setup failed: NT_STATUS_LOGON_FAILURE
Also when I run getent passwd as root I only get local accounts. When I
run wbinfo -u I get all users in the LDAP directory, wbinfo -g only
domain groups no local groups.
Any help would be appreciated. I'm a little stumped with this one.
--
Kent
nasve525@regis.edu
kent@wareham.k12.ma.us
Tips:---------------------------------------------->
"OpenOffice.org ... Stops Word macro viruses DEAD!"
"Postgresql.org ... Don't 'kill -9' the postmaster"
"Technology is legislation - C. Einfeldt on OO.o discuss list"
