[WBEL-users] samba and AD
Toby Bluhm
tkb9@adelphia.net
Thu, 13 Jan 2005 13:22:31 -0500
---- Rodrigo Cortes <rcortes@placevendome.cl> wrote:
> Well, in the doc with winbind and samba and AD it is possible to auth telnet and ftp. The doc says this, but it doesn't work.
I was able to get a stock wb3 box with current updates (at the time, ~2 months ago) to allow AD account login with console, ssh, ftp, telnet. The pam setup was the key.
You need to have your smb.conf, krb5.conf, krb.realms, nsswitch.conf set up right, you've joined the box to AD, and a share works - this all needs to be happy before trying the pam edits.
Note the message about using authconfig - it will mess with your pam setup & nsswitch.conf.
I first ran authconfig to set up the box to authenticate with nis. If you use only local accounts, I see at least one line in system-auth that may need to be different from what I have here. Then I made the manual edits to the config files. Also, any time during my testing that I made domain-type changes to smb.conf, I deleted *.tdb in /etc/samba, /var/cache/samba, /var/cache/samba/printing and rejoined the wb3 box to the domain.
YMMV
In /etc/pam.d:
login:
#%PAM-1.0
auth required pam_securetty.so
# AD accounts authenticate through winbind; if that fails, the same password is
# retried against the local account database (use_first_pass: no second prompt)
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
sshd:
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth sufficient pam_winbind.so
account required pam_stack.so service=system-auth
account sufficient pam_winbind.so
password required pam_stack.so service=system-auth
password sufficient pam_winbind.so
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
# same order as in login: winbind first, then local accounts with the same password
auth sufficient /lib/security/$ISA/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_winbind.so
-Toby
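To see how the three auth stacks above resolve for an AD account versus a local account, here is an added example (my own, not Toby's files and not Samba or Linux-PAM code) that models the PAM control-flag rules over those stacks. Module outcomes per scenario are constructed; pam_env, pam_securetty and pam_nologin are assumed to pass unless a scenario overrides them.

```python
# Added example, not from the post: a model of Linux-PAM auth-stack control
# flags, used to trace the login and sshd stacks quoted above. Auth type only;
# pam_stack.so is expanded into the named service, as the Red Hat module did.
STACKS = {
    "login": [("required", "pam_securetty.so"), ("sufficient", "pam_winbind.so"),
              ("sufficient", "pam_unix.so"), ("required", "pam_stack.so", "system-auth"),
              ("required", "pam_nologin.so")],
    "sshd": [("required", "pam_stack.so", "system-auth"), ("required", "pam_nologin.so"),
             ("sufficient", "pam_winbind.so")],
    "system-auth": [("required", "pam_env.so"), ("sufficient", "pam_winbind.so"),
                    ("sufficient", "pam_unix.so"), ("required", "pam_deny.so")],
}
# Constructed baseline outcomes: pam_env and the gate modules pass, pam_deny never does.
BASELINE = {"pam_env.so": True, "pam_securetty.so": True,
            "pam_nologin.so": True, "pam_deny.so": False}

def evaluate(service, outcomes):
    """Return True if the auth stack of `service` grants access.
    outcomes maps module name -> True/False for the user being tested (it stands
    in for the real password, tty and /etc/nologin checks). A failed 'required'
    module is remembered but the stack keeps running; 'requisite' fails at once;
    a 'sufficient' success ends the stack with success only if no 'required'
    module has failed before it.
    """
    failed = False
    for entry in STACKS[service]:
        flag, module = entry[0], entry[1]
        if module == "pam_stack.so":
            ok = evaluate(entry[2], outcomes)  # substack result stands in for the module
        else:
            ok = outcomes.get(module, False)   # unknown module: treat as failing
        if flag in ("required", "requisite") and not ok:
            if flag == "requisite":
                return False
            failed = True
        elif flag == "sufficient" and ok and not failed:
            return True
    return not failed

def scenario(winbind_ok, unix_ok, **overrides):
    """Outcome table: pam_winbind.so -> winbind_ok, pam_unix.so -> unix_ok."""
    table = dict(BASELINE, **{"pam_winbind.so": winbind_ok, "pam_unix.so": unix_ok})
    table.update(overrides)
    return table

if __name__ == "__main__":
    for name, table in (("AD user", scenario(True, False)), ("local user", scenario(False, True)),
                        ("bad password", scenario(False, False))):
        print(f"{name:13} login={evaluate('login', table)} sshd={evaluate('sshd', table)}")
```

One thing the trace makes visible: in the posted login stack the sufficient pam_winbind line sits before pam_nologin, so an AD user is granted before /etc/nologin is consulted, whereas the sshd stack checks pam_nologin before its own sufficient line and denies.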