We have a samba server running on linux with winbindd. We want the
linux passwd file to be consulted first, and then if it fails, continue on
to use winbind. I did not set this up, and I've never administrated a
samba server before. I have read the O'Reilly Using Samba book,
and looking at the config files I believe it is set up to get the
desired behavior.
/etc/nsswitch.conf has:
passwd: files winbind
shadow: files winbind
group: files winbind
/etc/pam.d/system-auth has:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_winbind.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so broken_shadow
account sufficient /lib/security/pam_localuser.so
account sufficient /lib/security/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore]
/lib/security/pam_winbind.so
account required /lib/security/pam_permit.so
password requisite /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok
md5 shadow
password sufficient /lib/security/pam_winbind.so use_authtok
password required /lib/security/pam_deny.so
session optional /lib/security/pam_mkhomedir.so
skel=/etc/skel umask=0022
session required /lib/security//pam_limits.so
session required /lib/security/pam_unix.so
However, every time a user who exists only on the linux side authenticates I
see a message like this in winbindd.log:
[2007/04/02 17:18:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
user 'XXXX' does not exist
This makes me think that it's authenticating using winbind first.
So my questions are:
1) Am I correct that the log messages I see mean that it's authenticating
using winbind first?
2) If so, how do I make it use the linux files before winbind?
3) If not, why do I get those messages, and what do that mean?
TIA!
-larry