Samba setup as a Member Server in native AD domain with winbind authenticating AD users for access to shares. My understanding is that with pam and winbind, domain users can log into the samba server via ssh, even if they do not have a local user account? Logs show access granted but user unknown, so I must be missing something and need some help.

/var/log/messages during an ssh login:

Nov 30 21:44:56 myserver pam_winbind[7349]: user 'stile' granted access
Nov 30 21:45:44 myserver sshd(pam_unix)[7349]: check pass; user unknown
Nov 30 21:45:44 myserver pam_winbind[7349]: user 'stile' granted access

Using Red Hat EL AS 3 + samba-3.0.9-1 + krb5-lib-1.3.1

/etc/pam.d/sshd

#%PAM-1.0
# auth stack as posted: system-auth (pam_unix) first, then pam_winbind
auth       required     pam_stack.so service=system-auth
auth       sufficient   pam_winbind.so
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

/etc/pam.d/login

#%PAM-1.0
# auth stack as posted: pam_winbind before system-auth
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

/etc/samba/smb.conf

[global]
   server string = Samba Server
   workgroup = MYREALM
   realm = MYREALM.MY.DOMAIN.COM
   security = ADS
   username map = /etc/samba/smbusers
   ; unknown usernames are mapped to the guest account for share access
   map to guest = Bad User
   password server = *
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   preferred master = no
   local master = no
   domain master = no
   os level = 33
   wins server = 128.32.68.75 128.32.67.118
   ldap ssl = no
   ; winbind allocates uids/gids for domain users and groups from these ranges
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind separator = +
   ; users of the server's own domain are presented without the MYREALM+ prefix
   winbind use default domain = Yes
   template primary group = "Domain Users"
   template homedir = /home/%U
   template shell = /bin/bash
   load printers = no
   log level = 1
   syslog = 0
   log file = /var/log/samba/%m.log
   max log size = 0
John Stile <john@stilen.com> wrote:

> Samba setup as a Member Server in native AD domain with winbind
> authenticating AD users for access to shares. My understanding is that
> with pam and winbind, domain users can log into the samba server via
> ssh, even if they do not have a local user account? Logs show access
> granted but user unknown, so I must be missing something and need some
> help.

I might be way off here, but did you know you have to prefix usernames with your workgroup and the winbind separator? With your config/example this means you'd have to log on as MYREALM+stile.

I'm not using pam/winbind with ssh, but it works fine with ftp, netatalk and apache (just implemented a little webapp using it).

Sverre
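Added diagnostic for the two things the posted log lines point at; it is not part of either message above and not Samba's or Red Hat's own tooling. "sshd(pam_unix): check pass; user unknown" is what pam_unix logs when getpwnam() fails, i.e. NSS is not returning the domain user; /etc/nsswitch.conf is not shown in the post, so the script checks that its passwd and group lines list winbind. Separately, in the posted /etc/pam.d/sshd the "auth required pam_stack.so service=system-auth" line runs before "auth sufficient pam_winbind.so", and a required module that fails makes the whole auth stack fail even though the later sufficient pam_winbind logs "granted access"; the posted /etc/pam.d/login has those two lines the other way round. The script checks that ordering, prints a reordered copy of a PAM file, and runs the live checks (getent, wbinfo -t) that only make sense on the member server itself. The login name stile is taken from the log; with "winbind use default domain = Yes" in the posted smb.conf, winbind presents users of the server's own domain without the MYREALM+ prefix. The file name winbind-ssh-check.sh and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added diagnostic for the thread above. It is not from either message and
# not part of Samba or Red Hat. Assumed: a Samba 3 member server with
# winbindd running, wbinfo and getent installed, and PAM files in the
# RHEL 3 pam_stack layout shown in the post (the file name
# winbind-ssh-check.sh is an assumption).

# pam_unix logs "check pass; user unknown" when getpwnam() fails, so NSS
# must resolve domain users through winbind before sshd can log one in.
# nss_uses_winbind FILE DB -> 0 if the DB line (passwd or group) of an
# nsswitch.conf lists winbind as a source.
nss_uses_winbind() {
    grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" 2>/dev/null |
        grep -qE '(^|[[:space:]])winbind([[:space:]]|$)'
}

# auth_order_ok FILE -> 0 if no "auth required" pam_stack/pam_unix line
# precedes the pam_winbind line. A required module that fails (the domain
# user is unknown to pam_unix) makes the whole auth stack fail even though
# a later sufficient pam_winbind logs "granted access"; with pam_winbind
# first, its success ends the stack before pam_unix is consulted.
auth_order_ok() {
    awk '
        $1 == "auth" && $2 == "required" && $3 ~ /pam_(stack|unix)\.so/ && !winbind { bad = 1 }
        $1 == "auth" && $3 ~ /pam_winbind\.so/ { winbind = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# fix_auth_order FILE -> prints FILE with the "auth ... pam_winbind.so" line
# moved in front of the first offending "auth required" line. Nothing else
# is touched, so account/password/session entries keep their order.
fix_auth_order() {
    awk '
        { line[NR] = $0 }
        $1 == "auth" && $3 ~ /pam_winbind\.so/ && !w { w = NR }
        $1 == "auth" && $2 == "required" && $3 ~ /pam_(stack|unix)\.so/ && !r { r = NR }
        END {
            move = (w && r && w > r)
            for (i = 1; i <= NR; i++) {
                if (move && i == r) print line[w]
                if (move && i == w) continue
                print line[i]
            }
        }
    ' "$1"
}

# live_checks USER -> run on the member server itself; prints every missing
# prerequisite for an ssh login by USER and returns 1 if any is missing.
live_checks() {
    rc=0
    nss_uses_winbind /etc/nsswitch.conf passwd ||
        { echo "nsswitch.conf: passwd line does not list winbind"; rc=1; }
    nss_uses_winbind /etc/nsswitch.conf group ||
        { echo "nsswitch.conf: group line does not list winbind"; rc=1; }
    getent passwd "$1" >/dev/null 2>&1 ||
        { echo "getent passwd $1: no entry, so sshd cannot build a session"; rc=1; }
    wbinfo -t >/dev/null 2>&1 ||
        { echo "wbinfo -t: machine trust account check failed"; rc=1; }
    auth_order_ok /etc/pam.d/sshd ||
        { echo "/etc/pam.d/sshd: 'auth required pam_stack' precedes pam_winbind"; rc=1; }
    return $rc
}

# Entry points: live USER | check PAMFILE | fix PAMFILE
case "${1-}" in
    live)  live_checks "$2" ;;
    check) if auth_order_ok "$2"; then echo "$2: order ok"; else echo "$2: pam_winbind after required pam_stack/pam_unix"; fi ;;
    fix)   fix_auth_order "$2" ;;
esac
```

On the server, `sh winbind-ssh-check.sh live stile` reports the missing pieces; `sh winbind-ssh-check.sh check /etc/pam.d/sshd` tests the auth ordering of any PAM file, and `fix` writes a reordered copy to stdout for review rather than editing the file in place. Applied to the posted sshd file, `fix` yields the same auth order the posted login file already has; applied to the login file, it prints it unchanged.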