[vox-tech] need help with samba/winbind/pam
vox-tech@lists.lugod.org
vox-tech@lists.lugod.org
Thu, 18 Dec 2003 15:56:45 -0800
Hello,
I'm trying to get a debian sid box to authenticate against an NT4
domain. I've followed the instructions in the winbindd man page and I
think I'm on the right track. However, I'm having problems with PAM.
As the winbindd man page suggests, I edited the /etc/nsswitch.conf and
added some winbindd related stuff to my smb.conf file.
I also edited the /etc/pam.d/* files. This is where I'm having
problems... more on that later.
I joined the domain using this:
net join -U Administrator
I was prompted for a password and was allowed to join the domain.
I ran the winbindd program just to make sure it is up and running, then
I did this:
wbinfo -t
And that told me that the trust relationship with the domain is ok.
So, my linux box is part of the NT4 domain and things look good. I can
walk over to the N4 domain controller and see a computer account for my
linux box. I can do wbinfo -u on my linux box and see a list of all the
windows domain users... and I'm starting to smell success. But wait...
Here is where the problem starts. I want use a Windows domain account
to login to the linux box. For instance, I should be able to use the
windows Administrator account to login on my linux box.
So I go to a terminal and try to log in as Administrator and it says
"permission denied". I've screwed around with the /etc/pam.d/* files
enough to allow me to login via a terminal using the Windows
Administrator account, but I haven't been able to do the same with
GDM/Gnome. I eventually screwed around with these files enough to lock
myself out of my system, but got back in. ;-)
So, I guess I need help understanding the /etc/pam.d/* files.
The winbindd man page says this:
-------
In /etc/pam.d/* replace the auth lines with something like this:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass
shadow nullok
Note in particular the use of the sufficient keyword and the
use_first_pass keyword.
Now replace the account lines with this:
account required /lib/security/pam_winbind.so
-------
When I edited the pam.d files, anytime I saw a line that starts with
auth, I commented it out and inserted all of the above lines that start
with auth. Likewise, I made similar edits for lines that start with
account. I don't really understand with this means though... Any
suggestions?
Thanks!
Charles