Aniket Bharaswadkar
2008-Jun-04 23:32 UTC
[Samba] Problem with Login Shell in User Information using Winbind
Hi all,

I am trying to get Windows AD logins to work with Fedora 8/9 Linux. I had the same setup working well with Fedora 7, but with Fedora 8/9 the problem is that whenever I do "getent passwd 'username'" the login shell is listed as /bin/false and users cannot log in, even though I have set it to use template shell = /bin/bash in the smb.conf configuration file.

Also, I have made the necessary changes to the krb.conf, krb.realms and krb5.conf files for Kerberos configuration and obtained the tickets using "kinit". "klist" shows that I have the tickets.

I have enabled pam_mkhomedir.so, so if I try my Windows AD login by doing "su username", it shows messages about creating the home directory and gets me back to my local user prompt, due to no login shell. Also, if I input the wrong password, it says wrong password. So authentication seems to be working fine.

For more info, here is the output of getent:

admin:*:16777216:16777216:admin:/home/ASURITE/admin:/bin/false

I am running Samba version 3.2.0-rc1, which shipped with Fedora 9.

Please advise me how to set the login shells to /bin/bash, as currently no domain users can log in to my server.

Aniket
Philipoff, Andrew
2008-Jun-05 02:46 UTC
[Samba] Problem with Login Shell in User Information using Winbind
Edit your smb.conf and restart smbd:

Change:
template shell = /bin/false
To:
template shell = /bin/bash

Be careful in enabling this as it will potentially allow all domain users to log in with a shell. We add the following to /etc/pam.d/sshd to restrict ssh shell access to specific AD and local groups (substitute your AD or local group for group_name):

account sufficient pam_succeed_if.so user ingroup group_name

You'll need to restart sshd after editing /etc/pam.d/sshd. Note that you'll also need to add any local users/groups that need ssh access.

I found how to do this here:
http://blogs.sun.com/tkblog/entry/integrating_linux_with_active_directory
http://linux.die.net/man/8/pam_succeed_if

You could also add AD users to a local group and use it in /etc/pam.d/sshd instead of an AD group.

Andrew Philipoff
Information Systems
Department of Medicine, UCSF
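An added example, not part of either post: a check that lists which accounts end up with an interactive shell without being in the group allowed to log in, the exposure the reply warns about once template shell is /bin/bash. The group name ssh_users, the UID cut-off of 1000 and every sample entry are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: list accounts that have an interactive shell but are not in
# the group permitted to log in. Input follows passwd(5)/group(5) as printed
# by getent. All sample entries, the group "ssh_users" and the UID cut-off
# are constructed for illustration.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:*:16777216:16777216:admin:/home/ASURITE/admin:/bin/bash
jdoe:*:16777217:16777216:jdoe:/home/ASURITE/jdoe:/bin/bash
ops1:*:16777218:16777300:ops1:/home/ASURITE/ops1:/bin/bash
svc_backup:*:16777219:16777216:svc_backup:/home/ASURITE/svc_backup:/bin/false'
SAMPLE_GROUP='ssh_users:*:16777300:admin'

# $1 = passwd lines, $2 = a single group line, $3 = lowest UID to report
shell_users_outside_group() {
    printf '%s\n%s\n' "$2" "$1" | awk -F: -v min_uid="$3" '
        NR == 1 {                     # group entry: remember GID and members
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) member[m[i]] = 1
            next
        }
        NF < 7 || ($3 + 0) < (min_uid + 0) { next }   # malformed or system account
        $7 ~ /\/(false|nologin)$/ { next }            # no interactive shell
        ($1 in member) || $4 == gid { next }          # supplementary or primary member
        { print $1 }
    '
}

# Against a live system (domain users are listed by getent only when winbind
# enumeration is enabled):
#   shell_users_outside_group "$(getent passwd)" "$(getent group ssh_users)" 1000
shell_users_outside_group "$SAMPLE_PASSWD" "$SAMPLE_GROUP" 1000
```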