hi there,

i'm trying to get my winbind working without having a local account on the machine, but it's just not working for me

can someone show me an example of a pam module that requires only an Active Directory password. (i'm working with /etc/pam.d/dovecot)

i can use my AD password as long as i have a local account, but i don't want to have a local account.
Paul Matthews wrote:
> hi there,
>
> i'm trying to get my winbind working without having a local account
> on the machine, but it's just not working for me
>
> can someone show me an example of a pam module that requires only a
> Active directory password.(i'm working with /etc/pam.d/dovecot)
>
> i can use my AD password as long as i have a local account, but i
> don't want to have a local account.

For samba on debian this works:

auth sufficient pam_winbind.so
auth required pam_unix.so nullok
account sufficient pam_winbind.so
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so

Also what do the getent & wbinfo tests show? Do they work?

Regards Geoff Scott
[root@fedora pam.d]# wbinfo -g
builtin\system operators
builtin\replicators
builtin\guests
builtin\power users
builtin\print operators
builtin\administrators
builtin\account operators
builtin\backup operators
builtin\users
domain guests
domain users
domain computers
etc..., etc...

i'm running fedora core 3

i've never used 'getent' before, what do i do there?

but i have a local account called 'pma' with the password 'unix' set locally and the password 'ads' set on active directory. i can set my pam module so i can login with the username 'pma' and password 'ads', so i think my winbind is working fine.

ps: i tried that pam module below, same thing happened: i can login with my ads password, but i need a local account; without a local account it won't let me.

i'm using SquirrelMail and '/etc/pam.d/dovecot' to test it out.

-----Original Message-----
From: Geoffrey Scott [mailto:geoffs@guestshire.com]
Sent: Thursday, 12 January 2006 11:38
To: paul.matthews@cathedral.qld.edu.au; samba@lists.samba.org
Subject: RE: [Samba] winbind without localuser account

Paul Matthews wrote:
> hi there,
>
> i'm trying to get my winbind working without having a local account
> on the machine, but it's just not working for me
>
> can someone show me an example of a pam module that requires only a
> Active directory password.(i'm working with /etc/pam.d/dovecot)
>
> i can use my AD password as long as i have a local account, but i
> don't want to have a local account.

For samba on debian this works:

auth sufficient pam_winbind.so
auth required pam_unix.so nullok
account sufficient pam_winbind.so
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so

Also what do the getent & wbinfo tests show? Do they work?

Regards Geoff Scott
Paul Matthews wrote:
> [root@fedora pam.d]# wbinfo -g
> builtin\system operators
> builtin\replicators
> builtin\guests
> builtin\power users
> builtin\print operators
> builtin\administrators
> builtin\account operators
> builtin\backup operators
> builtin\users
> domain guests
> domain users
> domain computers
> etc..., etc...

What does the global section look like?

> i'm running fedora core 3

Everyone seems to have probs with selinux; that's not in core 3, is it?

> i've never used 'getent' before what do i do there?

getent passwd | less

> but i have a local account called 'pma' with the password 'unix' set
> locally and the password 'ads' set on active directory, i can set my
> pam module so i can login with the username 'pma and password 'ads'.
> so i think my winbind is working fine.

You shouldn't need any local account. Did you read SBE? You should have followed chapter 12.3.1 & 12.3.2 then 7.3.4. I personally use 7.3.4.1 like this though (idmap_rid only allows one AD domain):

[global]
workgroup = GUESTSHIRE
realm = GUESTSFURNITUREHIRE.COM.AU
server string = Guests_NSW File & Print server
security = ADS
allow trusted domains = No
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
printcap name = CUPS
panic action = /usr/share/samba/panic-action %d
idmap backend = idmap_rid:GUESTSHIRE=5000-1000000
idmap uid = 5000-1000000
idmap gid = 5000-1000000
template homedir = /home/%U
template shell = /bin/bash
winbind nested groups = Yes
printer admin = "@GUESTSHIRE\Domain Admins"
printing = cups
print command
lpq command = %p
lprm command

[homes]
comment = Home Directories
path = /home/%U
valid users = GUESTSHIRE\%S
admin users = "@GUESTSHIRE\Domain Admins"
read only = No
browseable = No

> ps: i tried that pam module below, same thing happened i can login
> with my ads password, but i need a local account without a local
> account it wont let me.
>
> i'm using squirriel mail and '/etc/pam.d/dovecot' to test it out.

So you put those contents in there then?

Regards Geoff Scott
this is the how-to i followed to get to where i am.

http://www.yourhowto.org/content/view/31/9/

this is how simple my pam module is at the moment:

auth required pam_winbind.so
account sufficient pam_winbind.so

using that pam module, i can only sign in if i have a local account and an Active Directory account. or it will work with only a local account.
i have tried it with the ssh pam module as well and it just rejects my username. would it have something to do with the users not having home directories and shells? how can i make them automatically be added when a new user logs in?

-----Original Message-----
From: samba-bounces+paul.matthews=cathedral.qld.edu.au@lists.samba.org [mailto:samba-bounces+paul.matthews=cathedral.qld.edu.au@lists.samba.org] On Behalf Of Paul Matthews
Sent: Thursday, 12 January 2006 1:28
To: Samba Lists
Subject: RE: [Samba] winbind without localuser account

this is the how-to i followed to get to where i am.

http://www.yourhowto.org/content/view/31/9/

this is how simple my pam module is at the moment:

auth required pam_winbind.so
account sufficient pam_winbind.so

using that pam module, i can only sign in if i have a local account and an Active Directory account. or it will work with only a local account.
Paul Matthews wrote:
> i have try is with the ssh pam module as well and it just rejects me
> username, would it have something to do with the users not having
> home directories and shells? how can i make them automatically be
> added when a new user logins in?
>
> -----Original Message-----
> From: samba-bounces+paul.matthews=cathedral.qld.edu.au@lists.samba.org
> [mailto:samba-bounces+paul.matthews=cathedral.qld.edu.au@lists.samba.org
> ]On Behalf Of Paul Matthews
> Sent: Thursday, 12 January 2006 1:28
> To: Samba Lists
> Subject: RE: [Samba] winbind without localuser account
>
> this is the how-to i followed to get to where i am.
>
> http://www.yourhowto.org/content/view/31/9/

This howto doesn't mention editing /etc/nsswitch.conf. Try editing it like so:

passwd: files winbind
group: files winbind
shadow: files winbind

Have a read of the chapters that I mentioned to you before: http://au1.samba.org/samba/docs/man/Samba-Guide/

Regards Geoff Scott
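The two files this thread turns on are /etc/nsswitch.conf (Geoff's "files winbind" entries above) and the PAM service stack (his Debian stack earlier, where pam_winbind.so is "sufficient" before a "required" pam_unix.so). The script below is an added example, not code from the thread or from Samba: it checks a copy of each file for exactly those conditions, so a practitioner can see why a stack that requires pam_unix.so, or an nsswitch.conf without winbind, still needs a local account. The file paths and the sample contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: check an nsswitch.conf and a
# /etc/pam.d/<service> stack for the winbind wiring the thread describes.
# Paths are arguments so copies of the files can be checked. Needs only
# POSIX sh, sed and awk.

# Returns 0 if passwd, group and shadow all list winbind; else 1 with a reason on stderr.
nss_has_winbind() {
    rc=0
    for db in passwd group shadow; do
        # drop comments, pick the "db:" line, look for the word winbind on it
        if ! sed 's/#.*//' "$1" | awk -v key="$db:" '
            $1 == key { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
            END { exit found ? 0 : 1 }'; then
            echo "nsswitch: '$db' does not list winbind, so getent cannot see AD users" >&2
            rc=1
        fi
    done
    return $rc
}

# Returns 0 if the stack can authenticate an AD-only user: pam_winbind.so is used
# for auth and account, and is "sufficient" before any "required pam_unix.so".
pam_stack_ok() {
    sed 's/#.*//' "$1" | awk '
        $1 == "auth" && $3 ~ /pam_winbind\.so/ {
            wb_auth = 1
            if ($2 == "sufficient" && !unix_req) wb_first = 1
        }
        $1 == "auth" && $2 == "required" && $3 ~ /pam_unix\.so/ { unix_req = 1 }
        $1 == "account" && $3 ~ /pam_winbind\.so/ { wb_acct = 1 }
        END {
            if (!wb_auth) { print "auth: no pam_winbind.so line" > "/dev/stderr"; bad = 1 }
            if (!wb_acct) { print "account: no pam_winbind.so line" > "/dev/stderr"; bad = 1 }
            if (unix_req && !wb_first) {
                print "auth: pam_unix.so is required with no sufficient pam_winbind.so before it, so a user without a local account is rejected" > "/dev/stderr"
                bad = 1
            }
            exit bad + 0
        }'
}

# Constructed samples: Geoff's Debian stack from the thread and a matching nsswitch.conf.
tmp=$(mktemp -d)
printf 'passwd: files winbind\ngroup: files winbind\nshadow: files winbind\n' > "$tmp/nsswitch.conf"
printf 'auth sufficient pam_winbind.so\nauth required pam_unix.so nullok\naccount sufficient pam_winbind.so\naccount required pam_unix.so\n' > "$tmp/dovecot"
nss_has_winbind "$tmp/nsswitch.conf" && echo "nsswitch.conf: OK"
pam_stack_ok "$tmp/dovecot" && echo "PAM stack: OK"
```

Run it against the real files with `nss_has_winbind /etc/nsswitch.conf` and `pam_stack_ok /etc/pam.d/dovecot`; a non-zero exit with a reason on stderr points at the file that still forces a local account.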
wbinfo uses the winbindd daemon to query an active directory; if you get user and group listing output from wbinfo -u/-g then it tells you it's correctly communicating with the AD. getent is similar, but it appends the AD accounts to your /etc/passwd and /etc/group files, so it indicates if the AD accounts are appearing as local accounts.

Regarding your pam module question, i did my setup on Fedora, which has a central pam module that all other modules refer to, system-auth, which is where i placed all my winbind changes. I know i have seen an example of the /etc/pam.d/samba file in one of the online books at www.samba.org but i spent 10 minutes or so looking for it without success. But there is a searchable archive of the samba mailing list at: http://marc.theaimsgroup.com/?l=samba&r=1&w=2 I use it all the time.

HTH
Mike

On 1/11/06, Geoffrey Scott <geoffs@guestshire.com> wrote:
>
> Paul Matthews wrote:
> > hi there,
> >
> > i'm trying to get my winbind working without having a local account
> > on the machine, but it's just not working for me
> >
> > can someone show me an example of a pam module that requires only a
> > Active directory password.(i'm working with /etc/pam.d/dovecot)
> >
> > i can use my AD password as long as i have a local account, but i
> > don't want to have a local account.
>
> For samba on debian this works:
>
> auth sufficient pam_winbind.so
> auth required pam_unix.so nullok
> account sufficient pam_winbind.so
> account required pam_unix.so
> session required pam_unix.so
> password required pam_unix.so
>
> Also what do the getent & wbinfo tests show? Do they work?
>
> Regards Geoff Scott