Mike Leone on 28 Mar 2010 08:33:33 -0700

Re: [PLUG] Ongoing saga with Samba and AD

Stephen Gran had this to say:
> On Sun, Mar 28, 2010 at 12:35:59AM -0400, Mike Leone said:
>> Looks like it *should* be working - it's using kerberos, as I told 
>> winbind to do; I see "request wbcLogonUser succeeded". I see "granted 
>> access". Then I see the session closed. :-(
>> I suppose this means that tomorrow, I concentrate on the 
>> "common-session" parts of /etc/pam.d
> You want something like:
> auth sufficient pam_winbind.so
> auth required  pam_unix.so try_first_pass
> in your pam config file.

# cat common-auth
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE debug
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

> What is the output of `getent passwd $user` ?  I wonder if your shell is
> not set to an sh variant.

# getent passwd DACRIB+ldap-proxy
DACRIB+ldap-proxy:*:10006:10012:LDAP Proxy:/home/DACRIB:/bin/false

I suppose it's that "/bin/false" that's doing it? How can I change that, 
only for my AD domain users? My local Linux users show "/bin/bash".
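
The symptom in this thread (winbind authentication succeeds, then the session closes) is what a passwd entry with a non-login shell produces. As an added example, not part of the original message, this shell sketch audits passwd-format lines for that condition; the function names, the valid-shell list and the `mike` and `svc` sample entries are constructed for illustration, and the `DOMAIN+user` form is taken from the `getent` output above.

```shell
#!/bin/sh
# Added example: flag passwd entries whose shell ends the session right
# after PAM authentication succeeds.

# Constructed list of accepted login shells; on a real host use /etc/shells.
VALID_SHELLS="/bin/sh /bin/bash /bin/dash /bin/zsh"

# Constructed sample input; the second line is the entry shown in the thread.
SAMPLE_PASSWD='mike:x:1000:1000:Mike:/home/mike:/bin/bash
DACRIB+ldap-proxy:*:10006:10012:LDAP Proxy:/home/DACRIB:/bin/false
svc:x:999:999::/var/lib/svc:'

# classify_shell SHELL -> prints "login" or "nologin"
classify_shell() {
    case " $VALID_SHELLS " in
        *" $1 "*) echo login ;;
        *)        echo nologin ;;
    esac
}

# audit_passwd [SEP]: read passwd(5) lines on stdin and print
# "<user> <shell> <login|nologin> <domain|local>" for each entry.
# SEP is the winbind separator between domain and user (assumed "+").
audit_passwd() {
    sep=${1:-+}
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ -n "$shell" ] || shell=/bin/sh            # passwd(5): empty field means /bin/sh
        case "$user" in
            *"$sep"*) origin=domain ;;
            *)        origin=local ;;
        esac
        printf '%s %s %s %s\n' "$user" "$shell" "$(classify_shell "$shell")" "$origin"
    done
}

# blocked_domain_users [SEP]: only the domain accounts that cannot log in.
blocked_domain_users() {
    audit_passwd "$@" | awk '$3 == "nologin" && $4 == "domain" { print $1 }'
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On a live host, pipe `getent passwd` into `audit_passwd` instead of the sample. For winbind-provided accounts the shell field comes from the `template shell` setting in smb.conf, whose default is /bin/false.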

