[WBEL-users] samba and AD

Toby Bluhm tkb9@adelphia.net
Thu, 13 Jan 2005 13:22:31 -0500


 
---- Rodrigo Cortes <rcortes@placevendome.cl> wrote: 
> Well. In the doc with winbind and samba and AD it is possible to auth telnet and ftp. The doc says this, but it doesn't work. 
> 


I was able to get a stock wb3 box with current updates (at the time, ~2 months ago) to allow AD account login with console, ssh, ftp, and telnet. The pam setup was the key. 

You need to have your smb.conf, krb5.conf, krb.realms, and nsswitch.conf set up right, have joined the box to AD, and have a share working - this all needs to be happy before trying the pam edits.

Note the message about using authconfig - it will mess with your pam setup & nsswitch.conf. 

I first ran authconfig to set up the box to authenticate with nis. If you use only local accounts, I see at least one line in system-auth that may need to be different than what I have here. Then I made the manual edits to the config files. Also, anytime during my testing that I made domain-type changes to smb.conf, I deleted *.tdb in /etc/samba, /var/cache/samba, and /var/cache/samba/printing and rejoined the wb3 box to the domain. 

YMMV

in /etc/pam.d

login:
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so


sshd:
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
password   required     pam_stack.so service=system-auth
password   sufficient   pam_winbind.so
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_winbind.so

 
-Toby
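Added example, not code from Toby's post, from Samba or from Linux-PAM: a small Python simulator of the four classic control words (required, requisite, sufficient, optional) as Linux-PAM documents them, plus a linter for the ordering mistakes that are easy to make when hand-editing files like the ones above. It lets you ask "what does this auth stack return when winbind says yes but pam_unix says no?" before changing a box you could lock yourself out of. The two sample stacks, the AUTHENTICATORS set and the per-module outcomes are constructed assumptions; pam_stack.so includes are not expanded, so treat an included service as one module whose outcome you supply.

```python
"""Linux-PAM stack simulator and linter (added example, see lead-in)."""
from dataclasses import dataclass, field
import posixpath


@dataclass
class Rule:
    mtype: str                 # auth / account / password / session
    control: str               # required / requisite / sufficient / optional
    module: str                # basename, e.g. pam_winbind.so
    args: list = field(default_factory=list)


# Assumption: modules that actually verify credentials, as opposed to
# helpers such as pam_env.so that almost always succeed.
AUTHENTICATORS = {"pam_unix.so", "pam_winbind.so", "pam_stack.so",
                  "pam_krb5.so", "pam_ldap.so"}


def parse_pam(text):
    """Parse /etc/pam.d-style text into Rule objects; comments and blanks skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module, *args = parts
        # /lib/security/$ISA/pam_unix.so and pam_unix.so name the same module
        rules.append(Rule(mtype.lower(), control.lower(),
                          posixpath.basename(module), args))
    return rules


def evaluate(rules, mtype, outcomes):
    """Return True if the `mtype` stack succeeds.

    `outcomes` maps a module basename to True (PAM_SUCCESS) or False; a
    module that is not listed is assumed to fail, the conservative default.
    """
    status = None  # None: no module has decided the result yet
    for r in (r for r in rules if r.mtype == mtype):
        ok = outcomes.get(r.module, False)
        if r.control == "requisite":
            if not ok:
                return False              # die: stop at once, stack fails
            status = True if status is None else status
        elif r.control == "required":
            if not ok:
                status = False            # failure remembered; stack keeps running
            elif status is None:
                status = True
        elif r.control == "sufficient":
            if ok and status is not False:
                return True               # done: success unless a required rule already failed
            # a failing sufficient module is simply ignored
        elif r.control == "optional":
            if ok and status is None:
                status = True             # only matters if nothing else decides
        else:
            raise ValueError(f"unsupported control word: {r.control}")
    return status is True                 # nothing decided -> PAM denies


def lint(rules):
    """Flag ordering and option choices that commonly surprise people."""
    findings = []
    for mtype in ("auth", "account", "password", "session"):
        stack = [r for r in rules if r.mtype == mtype]
        prior_required = None  # last required/requisite credential check seen
        for i, r in enumerate(stack):
            if r.control == "sufficient" and prior_required:
                findings.append(f"{mtype}: sufficient {r.module} after required "
                                f"{prior_required}: it cannot rescue the stack "
                                f"when {prior_required} fails")
            if r.control in ("required", "requisite"):
                if r.module in AUTHENTICATORS:
                    prior_required = r.module
                if r.module == "pam_deny.so" and i < len(stack) - 1:
                    findings.append(f"{mtype}: rules after {r.control} pam_deny.so "
                                    "can never succeed")
            if mtype == "auth" and r.module == "pam_unix.so" and "nullok" in r.args:
                findings.append("auth: pam_unix.so nullok lets accounts with an "
                                "empty password log in")
    return findings


# Constructed sample A: winbind tried first, local accounts as fallback, deny last.
STACK_A = """
auth  required    /lib/security/$ISA/pam_env.so
auth  sufficient  /lib/security/$ISA/pam_winbind.so
auth  sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth  required    /lib/security/$ISA/pam_deny.so
"""

# Constructed sample B: winbind appended after an existing required rule.
STACK_B = """
auth  required    pam_unix.so
auth  sufficient  pam_winbind.so
"""

if __name__ == "__main__":
    for name, text in (("A", STACK_A), ("B", STACK_B)):
        rules = parse_pam(text)
        print(name, "AD user, winbind ok:",
              evaluate(rules, "auth", {"pam_env.so": True, "pam_winbind.so": True}))
        for f in lint(rules):
            print(name, "lint:", f)
```

In sample B the AD user is always refused: pam_unix's required failure is remembered and a later sufficient success cannot override it, which is why a winbind rule meant as an alternative login path has to come before the required local check, with pam_unix given use_first_pass so the user is not prompted twice.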