Ben Love on 28 Mar 2010 08:53:46 -0700
* Mike Leone wrote on [2010-03-28 11:33:36 -0400]:
> Stephen Gran had this to say:
> > On Sun, Mar 28, 2010 at 12:35:59AM -0400, Mike Leone said:
> >> Looks like it *should* be working - it's using Kerberos, as I told
> >> winbind to do; I see "request wbcLogonUser succeeded". I see "granted
> >> access". Then I see the session closed. :-(
> >>
> >> I suppose this means that tomorrow, I concentrate on the
> >> "common-session" parts of /etc/pam.d
> >
> > You want something like:
> > auth sufficient pam_winbind.so
> > auth required pam_unix.so try_first_pass
> > in your pam config file.
>
> # cat common-auth
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE debug
> auth requisite pam_deny.so
> auth required pam_permit.so

This should be mostly good.

new_authtok_reqd is the pam option for when a user needs to change his
(expired) password. Since you have default=ignore, the user probably
won't be able to log in then.

Adding try_first_pass or use_first_pass will probably fix your multiple
password problem. We don't have that though, so I'm not sure why that's
different for you.

As for the order, you probably want pam_unix first, because local
password lookups are probably faster than network lookups. Just make
sure whichever one is first has the success=2. The <integer> means skip
the next <integer> modules. Namely, on success you want to skip the
pam_deny module. In the past, many people would use sufficient for this,
but (like with success=done) you don't necessarily want to halt the
stack execution completely. This would cause other modules further down
the stack to not execute (e.g. pam_mount).

> > What is the output of `getent passwd $user` ? I wonder if your shell is
> > not set to an sh variant.
>
> # getent passwd DACRIB+ldap-proxy
> DACRIB+ldap-proxy:*:10006:10012:LDAP Proxy:/home/DACRIB:/bin/false
>
> I suppose it's that "/bin/false" that's doing it? How can I change that,
> only for my AD domain users? My local Linux users show "/bin/bash".

So, your logins are successful. The shell just exits immediately and the
user logs out! It looks like you need "template shell = /bin/bash" in
your smb.conf file. (At least that's what Google tells me.)

Ben

-- 
Ben Love
http://www.kylimar.com/

Attachment: signature.asc

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
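Ben's points about the `[success=N default=ignore]` jump, the expired-password case and the `sufficient` trade-off can be checked mechanically rather than by reading the stack by eye. The script below is an added illustration, not code from this thread or from Linux-PAM: it applies the control-flag actions documented in pam.conf(5) to Mike's quoted common-auth and to two constructed variants (the two lookup modules swapped with the jump counts left alone, and Stephen's `sufficient` form followed by a pam_mount line). The return code each module produces in a scenario is an assumption chosen for the walk-through; real modules decide that for themselves, and the reset action is not modelled.

```python
"""Walk a PAM auth stack the way Linux-PAM does, for the configs in this thread.

Added illustration, not code from the posting or from Linux-PAM. Control
actions follow pam.conf(5); the return code of each module per scenario is
a constructed assumption. 'reset' is not modelled.
"""
import re

PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
PAM_NEW_AUTHTOK_REQD, PAM_PERM_DENIED = "PAM_NEW_AUTHTOK_REQD", "PAM_PERM_DENIED"

# Keyword shorthands as pam.conf(5) expands them.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
# pam_permit / pam_deny always answer the same way; other modules are per scenario.
FIXED = {"pam_permit.so": PAM_SUCCESS, "pam_deny.so": PAM_AUTH_ERR}
LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def parse_control(control):
    """Map 'retval name -> action'; an integer action is a jump over N modules."""
    table = {}
    for pair in KEYWORDS.get(control, control).strip("[]").split():
        key, action = pair.split("=")
        name = "default" if key == "default" else "PAM_" + key.upper()
        table[name] = int(action) if action.isdigit() else action
    return table


def parse_stack(text):
    """Parse 'auth <control> <module> [args]' lines into (module, controls)."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            control, module, _args = LINE_RE.match(line).groups()
            stack.append((module, parse_control(control)))
    return stack


def run_stack(stack, returns):
    """Return (final status, modules that actually ran) for one scenario."""
    UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"
    impression, status, ran, skip = UNDEF, PAM_PERM_DENIED, [], 0
    for module, controls in stack:
        if skip:                      # inside a jump: the module is not run at all
            skip -= 1
            continue
        retval = returns.get(module, FIXED.get(module, PAM_AUTH_ERR))
        ran.append(module)
        action = controls.get(retval, controls["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done") or isinstance(action, int):
            if impression == UNDEF or (impression == POSITIVE and status == PAM_SUCCESS):
                impression, status = POSITIVE, retval
            if action == "done":      # sufficient: stop, later modules never run
                break
            if isinstance(action, int):
                skip = action         # jump over the next N modules
        else:                         # bad / die
            if impression != NEGATIVE:
                impression, status = NEGATIVE, retval
            if action == "die":
                break
    if status == PAM_SUCCESS and impression != POSITIVE:
        status = PAM_PERM_DENIED      # Linux-PAM's final sanity check
    return status, ran


# Mike's common-auth as quoted in the thread.
COMMON_AUTH = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE debug
auth requisite pam_deny.so
auth required pam_permit.so
"""
# Constructed: modules swapped but the jump counts left alone (Ben's warning).
WRONG_ORDER = """
auth [success=1 default=ignore] pam_winbind.so krb5_auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
"""
# Constructed: Stephen's 'sufficient' form with a module meant to run after it.
SUFFICIENT = """
auth sufficient pam_winbind.so
auth required pam_unix.so try_first_pass
auth optional pam_mount.so
"""


def scenarios():
    ok, wrong, suff = parse_stack(COMMON_AUTH), parse_stack(WRONG_ORDER), parse_stack(SUFFICIENT)
    return {
        "local_user": run_stack(ok, {"pam_unix.so": PAM_SUCCESS}),
        "domain_user": run_stack(ok, {"pam_winbind.so": PAM_SUCCESS}),
        "bad_password": run_stack(ok, {}),
        # new_authtok_reqd is covered only by default=ignore, so pam_deny is reached.
        "expired_domain_password": run_stack(ok, {"pam_winbind.so": PAM_NEW_AUTHTOK_REQD}),
        # success=1 now jumps over pam_unix and lands on pam_deny.
        "wrong_order_domain_user": run_stack(wrong, {"pam_winbind.so": PAM_SUCCESS}),
        # success=done halts the stack: pam_mount never runs.
        "sufficient_domain_user": run_stack(suff, {"pam_winbind.so": PAM_SUCCESS}),
    }
```

Running `scenarios()` shows the three things the reply argues: with Mike's stack a local or domain user ends at pam_permit and nothing else, an expired domain password falls through to pam_deny because `new_authtok_reqd` has no action of its own, swapping the two modules without adjusting the jump counts denies a valid domain user, and `sufficient` stops the stack before anything placed after it. None of this touches the shell problem; after adding `template shell` to smb.conf, the check is still `getent passwd` and looking at the seventh field.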