I have a problem with winbind and pam that I just can't quite get past.
Here is what I have:
I have a home office with a Windows 2000 active directory domain (domain
XYZ). I have a remote office running Samba 3.0.14a connected to the
home office via a VPN. All users at the remote office are required to
have an account on the active directory domain at the home office for
several reasons, including the use of Exchange Server. All client
machines at the remote office run XP Pro.
The Samba server at the remote office is a domain controller for it's
own domain (Workgroup = ABC). I have joined the Samba server to the
home office domain, domain XYZ. When I run wbinfo-u I receive a list of
users in the home domain of XYZ. When I run getent passwd I also see
the users in the home domain. I have successfully joined an XP Pro
workstation at the remote office to the remote office domain (ABC). All
appears well up to this point, however one of my main goals it to use
this setup to authenticate the XP Pro clients logging on to the remote
domain (ABC) against their user account in the home domain of XYZ and I
can't get that to work. XP Pro just displays the message about unknown
user name or bad password. I don't want to have to create user accounts
on the Samba server, only have them authenticate against the home
domain.
Here is the contents of my /etc/pam.d/samba file:
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
account required pam_stack.so service=system-auth
session required /lib/security/pam_mkhomedir.so
skel=/etc/samba/skel umask=0022
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
What am I doing wrong? Is this possible?
It might be worth noting that this is a continuation of another
discussion on another board that went as follows (I went with option B
below):
> Here is what I have:
> I have a home office with a Windows 2000 active directory domain. I
> have a remote office running Samba 3.0.14a connected to the home
> office via a VPN. All users at the remote office are required to have
> an account on the active directory domain at the home office for
> several reasons, including the use of Exchange Server. All client
> machines at the remote office run XP Pro.
>
> Required Options:
> * I need to be able to run logon scripts locally at the remote
> office, from the Samba server at the remote office.
> * I need for each user to have a single user account and it needs to
> be the one in active directory on the domain controller at the home
office.>
>
> Optional Result:
> * I would like the XP Pro client machines to still be able to log on
> if the VPN connect gets dropped. I believe this is taken care of
> already due to the fact that the XP machines will cache the logon
> credentials, but I thought I would mention that in case there is a
> better way of doing this.
>
> General Question:
> How do I go about setting this up? I have looked at the docs and have
> been messing around with several different settings and can't quite
> figure it out.
>
> Specific Questions:
> 1.) What samba security mode should I be using?
Your choices are:
a) Samba configured as an ADS domain member
- all domain logons will be handled from the central
office
- Samba is just a file/print server
b) Samba configured as its own domain controller with a trust
relationship to
the central office domain.
- Each remote office will be independant
- All network logons will be handled locally
> 2.) Should the samba server workgroup setting be unique for the
> remote site or the same as the home office domain?
Yes, but only if Samba is the domain controller for its own domain.
> 3.) Should the samba server be joined to the home office domain?
Yes in both cases.
> 4.) What domain should the XP Pro clients join, the local domain or
> the home office domain?
If the Samba server is just an ADS domain member server your XP clients
need to be members of the ADS domain.
If the Samba server is a PDC for the remote domain and you want logon
and authentication to take place in the remote office, the XP client
needs to be a member of the local domain.
> 5.) Does this require winbind to work?
Yes, and Yes.
Thanks to all in advance.