I have set up winbind successfully, but every time I need to perform any task as root, winbind tries to login via the domain server, which gives an "incorrect password" error. Is there a way to set things up so that the root user is only checked against the local passwd/shadow files?

--
Ramon Casha
Malta Linux User Group (http://linux.org.mt)

> Is there a way to set things up so that the root
> user is only checked against the local passwd/shadow files?

I don't know about *only* against shadow. But I've got winbind set up, and it authenticates users first against the domain, but if that fails resorts to the local password database.

Here are the relevant lines from my /etc/pam.d/system-auth

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so

It sounds like your /etc/nsswitch.conf is set up to only use winbind. Change it to:

passwd: files winbind
group: files winbind

That'll check the local files first, then resort to winbind if nothing local matches.

Shannon

____________________________
Shannon Johnson
Network Support Specialist / Systems Administrator
Dept. of Mechanical and Nuclear Engineering
224 Reber Building
University Park, PA 16802
Phone: (814) 865-8267
____________________________

> -----Original Message-----
> From: Ramon Casha [mailto:ramon.casha@linux.org.mt]
> Sent: Friday, July 09, 2004 2:32 AM
> To: samba@lists.samba.org
> Subject: [Samba] validate root locally with winbind
>
> I have set up winbind successfully, but every time I need to perform any
> task as root, winbind tries to login via the domain server, which gives an
> "incorrect password" error. Is there a way to set things up so that the
> root user is only checked against the local passwd/shadow files?
>
> --
> Ramon Casha
> Malta Linux User Group (http://linux.org.mt)

> I don't know about *only* against shadow. But I've got winbind set up,
> and it authenticates users first against the domain, but if that fails
> resorts to the local password database.
>
> Here are the relevant lines from my
> /etc/pam.d/system-auth
>
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_winbind.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
> auth        required      /lib/security/pam_deny.so

Can I reverse that so that it checks local files first? That way if the user (e.g. "root") is local it doesn't have to check the domain.

--
Ramon Casha
Malta Linux User Group (http://linux.org.mt)
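
Added example, not part of the thread: a simplified Python model of how PAM walks an auth stack, run on the posted system-auth lines and on a reordered copy, to show which modules are consulted for a local root login. The reordered stack (with use_first_pass moved to the module that now runs second), the function names, and the treatment of pam_env as always succeeding and pam_deny as always failing are assumptions made for the illustration.

```python
# Simplified model of PAM "auth" stack evaluation (added example).
# Only the control flags required, requisite, sufficient and optional are modelled.

POSTED = """\
auth required   /lib/security/pam_env.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required   /lib/security/pam_deny.so
"""

# Assumption: the reordering asked about in the thread. use_first_pass moves
# to pam_winbind so the module that runs first is the one that prompts.
LOCAL_FIRST = """\
auth required   /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_winbind.so use_first_pass
auth required   /lib/security/pam_deny.so
"""

def parse(stack):
    """Return (control_flag, module_file_name) for each auth line."""
    entries = []
    for line in stack.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries

def authenticate(stack, accepts):
    """Walk the stack; `accepts` is the set of modules that would succeed.
    Returns (granted, modules_consulted_in_order)."""
    failed_required = False
    consulted = []
    for control, module in parse(stack):
        consulted.append(module)
        ok = module in accepts
        if control == "sufficient" and ok and not failed_required:
            return True, consulted      # success here ends the stack early
        if control == "requisite" and not ok:
            return False, consulted     # failure here ends the stack early
        if control == "required" and not ok:
            failed_required = True      # keep going, but the result is fixed
    return not failed_required, consulted

if __name__ == "__main__":
    # Constructed case: root exists only in the local passwd/shadow files.
    local_root = {"pam_env.so", "pam_unix.so"}
    print("posted:     ", authenticate(POSTED, local_root))
    print("local first:", authenticate(LOCAL_FIRST, local_root))
```

In this model the posted order sends a local root login to pam_winbind before pam_unix accepts it, while the reordered stack stops at pam_unix and never consults pam_winbind.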