acb67 07-17-2003 01:26 PM

Winbind, Samba, NT
I am trying to get authentication against AD using Winbind and Samba 3. We use Kerberos 5 as well. I know that winbind is running properly because when I run wbinfo -a, I get success messages. The problem seems to be when I try to play with the pam modules. For kicks, here is the pam module for sshd:

auth sufficient debug
auth sufficient # set_secrpc
auth required
auth required
account sufficient debug
account required
account required
password required
password required use_first_pass use_authtok
session required none # trace or debug
session required

The frustrating thing is that nothing shows up in the logs. Since the auth is set to sufficient above, I can still use the service using my local credentials. This shows up in the logs as pam_winbind failing while pam_unix2 succeeds. But when I try to use the service with DOMAIN+username, nothing shows up in the logs. All I get is a permission denied when I try to use the service.

I don't know if this problem could be related to the fact that we are using Krb and the PDC might not be configured for that???? I am not familiar with the specifics of everything yet. Any ideas?? Any help is much appreciated.

Thanks in advance,

acb67 07-18-2003 03:29 PM

Ok, I'm going a different route now. I've decided to play with the login pam module and I've made a little progress. The problem is now, though, when someone tries to login, the screen just resets itself. Nothing happens. Prompts for username and password and then it blinks back to the beginning. I looked in the logs and this is what I got:
Jul 18 16:16:55 pam_winbind[20821]: Verify user `xxxx+xxxx'
Jul 18 16:16:55 pam_winbind[20821]: user 'xxxx+xxxx' granted acces
Jul 18 16:16:55 pam_winbind[20821]: user `xxxx+xxxx' not found
Jul 18 16:16:55 login[20821]: pam_unix2: pam_sm_acct_mgmt() called
Jul 18 16:16:58 login[20821]: pam_unix2: pam_ldap returned 10
Jul 18 16:16:58 login[20821]: User not known to the underlying authentication module

It is obviously authenticating, but then it dies and says user not found. Here is my login pam:
auth required debug
auth sufficient debug
auth requisite debug,nullok set_secrpc
auth required debug
auth required debug
auth required debug
auth required debug
account sufficient debug
account required debug
password required debug,nullok
password required debug,nullok use_first_pass use\
session required debug,none # debug or trace
session required debug

NOTE: I think that the account module here is failing for pam_winbind...if I comment out the account pam_unix2 above, the entries in the log for pam_unix2 disappear. So for some reason winbind is failing here, but I don't know why. Is login tied to something else that I need to change?


acb67 07-22-2003 03:45 PM

I think I've gotten a step closer. The entry in pam 'account sufficient' performs a getpwnam() on the username. For some reason it doesn't seem to be going out to the PDC to check the username. Does anyone know how I could change this?
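The getpwnam() call mentioned above is served by NSS, not by PAM: it walks the passwd sources listed in /etc/nsswitch.conf, so it only reaches winbindd (and through it the PDC) if winbind is listed there. The small C program below is an added diagnostic, not code from the thread, that makes the same getpwnam() call the account module makes and reports whether the name resolves at all; that separates "authentication succeeded but NSS cannot see the user" from a PAM ordering problem. The names "root" and "DOMAIN+user" are constructed samples.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Return 1 if some passwd source in nsswitch.conf resolves name, else 0.
 * This is exactly the lookup a PAM account module does via getpwnam(). */
int user_resolves(const char *name)
{
    struct passwd *pw;

    errno = 0;
    pw = getpwnam(name);
    return pw != NULL;
}

/* Print the outcome of the lookup so it can be compared with the PAM log. */
void report(const char *name)
{
    struct passwd *pw;

    errno = 0;
    pw = getpwnam(name);
    if (pw == NULL) {
        if (errno == 0)
            printf("%s: not found by any passwd source in nsswitch.conf\n", name);
        else
            printf("%s: lookup error: %s\n", name, strerror(errno));
        return;
    }
    printf("%s: uid=%u gid=%u home=%s shell=%s\n",
           name, (unsigned)pw->pw_uid, (unsigned)pw->pw_gid,
           pw->pw_dir, pw->pw_shell);
}

int main(int argc, char **argv)
{
    /* Constructed sample names; pass real names on the command line instead. */
    const char *samples[] = { "root", "DOMAIN+user" };
    int i;

    if (argc > 1) {
        for (i = 1; i < argc; i++)
            report(argv[i]);
    } else {
        for (i = 0; i < 2; i++)
            report(samples[i]);
    }
    return 0;
}
```

If a domain user that wbinfo -a accepts prints "not found by any passwd source", the account phase will fail for the reason shown in the log above even though the password check passed, and the place to look is the passwd line of nsswitch.conf rather than the PAM stack.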

