Ben Love on 28 Mar 2010 08:53:46 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Ongoing saga with Samba and AD

* Mike Leone wrote on [2010-03-28 11:33:36 -0400]:
> Stephen Gran had this to say:
> > On Sun, Mar 28, 2010 at 12:35:59AM -0400, Mike Leone said:
> >> Looks like it *should* be working - it's using kerberos, as I told 
> >> winbind to do; I see "request wbcLogonUser succeeded". I see "granted 
> >> access". Then I see the session closed. :-(
> >>
> >> I suppose this means that tomorrow, I concentrate on the 
> >> "common-ssession" parts of /etc/pam.d
> > 
> > You want something like:
> > auth sufficent
> > auth required try_first_pass
>  > in your pam config file.
> # cat common-auth
> auth    [success=2 default=ignore] nullok_secure
> auth    [success=1 default=ignore] krb5_auth 
> krb5_ccache_type=FILE debug
> auth    requisite             
> auth    required              

This should be mostly good.  new_authtok_reqd is the pam option for when
a user needs to change his (expired) password.  Since you have
default=ignore, the user probably won't be able to log in then.

Adding try_first_pass or use_first_pass will probably fix your multiple
password problem.  We don't have that though, so I'm not sure why that's
different for you.

As for the order, you probably want pam_unix first, because local
password lookups are probably faster than network lookups.  Just make
sure whichever one is first has the success=2.  The <integer> means skip
the next <integer> modules.  Namely, on success you want to skip the
pam_deny module.

In the past, many people would use sufficient for this, but (like with
success=done) you don't necessarily want to halt the stack execution
completely.  This would cause other modules further down the stack to
not execute (e.g. pam_mount).

> > What is the output of `getent passwd $user` ?  I wonder if your shell is
> > not set to an sh variant.
> # getent passwd DACRIB+ldap-proxy
> DACRIB+ldap-proxy:*:10006:10012:LDAP Proxy:/home/DACRIB:/bin/false
> I suppose it's that "/bin/false" that's doing it? How can I change that, 
> only for my AD domain users? My local Linux users show "/bin/bash".

So, your logins are successful.  The shell just exits immediately and
the user logs out!  It looks like you need "template shell = /bin/bash"
in your smb.conf file.  (At least that's what Google tells me.)


Ben Love

Attachment: signature.asc
Description: Digital signature

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --