[vox-tech] need help with samba/winbind/pam

vox-tech@lists.lugod.org vox-tech@lists.lugod.org
Thu, 18 Dec 2003 15:56:45 -0800


Hello,

I'm trying to get a debian sid box to authenticate against an NT4
domain.  I've followed the instructions in the winbindd man page and I
think I'm on the right track.  However, I'm having problems with PAM.  

As the winbindd man page suggests, I edited the /etc/nsswitch.conf and
added some winbindd related stuff to my smb.conf file. 

I also edited the /etc/pam.d/* files.  This is where I'm having
problems... more on that later.

I joined the domain using this:
net join -U Administrator
I was prompted for a password and was allowed to join the domain.

I ran the winbindd program just to make sure it is up and running, then
I did this:
wbinfo -t
And that told me that the trust relationship with the domain is ok.

So, my linux box is part of the NT4 domain and things look good.  I can
walk over to the N4 domain controller and see a computer account for my
linux box.  I can do wbinfo -u on my linux box and see a list of all the
windows domain users... and I'm starting to smell success.  But wait...

Here is where the problem starts.  I want use a Windows domain account
to login to the linux box.  For instance, I should be able to use the
windows Administrator account to login on my linux box.  

So I go to a terminal and try to log in as Administrator and it says
"permission denied".  I've screwed around with the /etc/pam.d/* files
enough to allow me to login via a terminal using the Windows
Administrator account, but I haven't been able to do the same with
GDM/Gnome.  I eventually screwed around with these files enough to lock
myself out of my system, but got back in.  ;-)

So, I guess I need help understanding the /etc/pam.d/* files.

The winbindd man page says this:

-------
 In /etc/pam.d/* replace the  auth lines with something like this:
 
 auth       required /lib/security/pam_securetty.so
 auth       required /lib/security/pam_nologin.so
 auth       sufficient /lib/security/pam_winbind.so
 auth       required /lib/security/pam_pwdb.so use_first_pass
shadow nullok
 
 Note  in  particular  the  use  of  the  sufficient   keyword  and  the
 use_first_pass keyword.
 
 Now replace the account lines with this:
 
 account required /lib/security/pam_winbind.so
-------

When I edited the pam.d files, anytime I saw a line that starts with
auth, I commented it out and inserted all of the above lines that start
with auth.  Likewise, I made similar edits for lines that start with
account.  I don't really understand with this means though... Any
suggestions? 

Thanks!

Charles