Khanh --

I'm currently beating my head against the pam_mount wall, with no luck. It's the only way I can think of to do this w/o storing the password in plain text. pam_mount is supposed to be able to mount using the login credentials, but I haven't been able to make it work. I'll report any results I find. If you come across any other solutions, could you let me know?

Cheers,

Aaron Bennett

Khanh Tran wrote:
OK, so I got all pam problems sorted out. For those interested, this
pam/gdm worked on my RH 8.0 box:

auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so likeauth use_first_pass nullok
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so

The only difference from what I had been using was the addition of the
likeauth and nullok options on the pam_unix.so library.

Now on to my next issue with home directories! I've tried two methods.
First, I've used what the Winbind docs say for template homedir in
smb.conf: /home/%D/%U. When my user logs in, I get an error that the home
directory does not exist and then logs the user out. This is expected
because they don't exist locally :)

Second, I tried first mounting all my users' home directories (we mount them
here under windows like Novell used to) under /home.DOMAIN. Then, I changed
template homedir to /home/home.%D and restarted the Samba daemons. The user
can log in, but I get the following permission error because I've got the
home dirs mounted as root.

Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
Feb 20 08:12:26 Martyr gdm[849]: gdm_slave_session_start: Directory /home.DOMAIN/user/.gnome2 does not exist.
Feb 20 08:12:26 Martyr gdm[849]: gdm_auth_user_add: /home.DOMAIN/user is not owned by uid 10173.
Feb 20 08:12:47 Martyr gdm(pam_unix)[849]: session closed for user DOMAIN\user

So, I guess my question is, is there a way to mount each user's home
directory with their proper auth credentials under unix? I've read through
the MARC archives and seen brief mentions of a hacked pam_mount, but nothing
detailed or a more "standard" solution.

Thanks again for everyone's help.

Khanh Tran
Network Operations
Sarah Lawrence College


-----Original Message-----
From: Aaron Bennett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 19, 2003 4:51 PM
To: Khanh Tran
Cc: '[EMAIL PROTECTED]'
Subject: Re: [Samba] Help with Winbind


For debugging purposes, put the machine in console mode (init 4 or whatever, just kill kdm/xdm/kdm), and modify /etc/pam.d/login as directed in the Howto. Login is much simpler than gdm, so you don't have to worry about multiple levels of pam stuff.

best luck,

Aaron Bennett
UNIX Administrator
Franklin W. Olin College of Engineering

Khanh Tran wrote:

OK, so I added the lines to /etc/pam.d/gdm file.  It's not a big deal for me
to re-install RH on this box, so I didn't bother with the telnet test.

Anyway, I put in my username and password, and get this error:
Feb 19 14:33:31 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost

But RH doesn't return to the username prompt, it asks for the password
again, so I enter the same password again, and get:
Feb 19 14:33:45 Martyr pam_winbind[835]: user 'ADMIN+khanh' granted acces
Feb 19 14:33:45 Martyr gdm(pam_unix)[835]: check pass; user unknown
Feb 19 14:33:48 Martyr gdm-binary[835]: Couldn't authenticate user
Feb 19 14:33:48 Martyr gdm(pam_unix)[835]: 1 more authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost

I'm guessing from the error that the box is trying to authenticate the user
to the local passwd file?  Anyway, thanks again for the help, but any more
ideas?

Khanh Tran
Network Operations
Sarah Lawrence College


-----Original Message-----
From: bin wen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 19, 2003 2:24 PM
To: Khanh Tran; '[EMAIL PROTECTED]'
Subject: RE: [Samba] Help with Winbind


Looks like you are logging in through GDM, so you probably
have to change the /etc/pam/gdm file too. Before you
do that, you may want to just do a telnet to the RH
to see what happens.
--- Khanh Tran <[EMAIL PROTECTED]> wrote:


I changed the pam conf per the 12.5.3.6 section. Here's what I've got:

pam.d/login:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so

Khanh Tran
Network Operations
Sarah Lawrence College


-----Original Message-----
From: bin wen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 19, 2003 1:58 PM
To: Khanh Tran; '[EMAIL PROTECTED]'
Subject: Re: [Samba] Help with Winbind



From your log file, it looks like the RH still uses
the pam_unix module to authenticate. Have you changed
the pam configuration to use winbindd following the
instructions in section 12.5.3.6?
--- Khanh Tran <[EMAIL PROTECTED]> wrote:


I've been trying for weeks to get winbind working with RedHat Linux 8.0.
I've got everything setup per the winbind docs on
http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html#WINBIND.

I've successfully joined my NT4 domain with smbpasswd -j DOMAIN -r PDC -U
Administrator.  Running wbinfo -u returns my domain user list, as well as
wbinfo -g returning my domain groups.  getent passwd returns the domain user
list in the passwd format, and getent group does the same. I've then set up
my /etc/pam.d/login to match the one on the HOWTO.

The problem is that when I go to login (username: DOMAIN+user), the
workstation won't log me in. My messages log returns only:

Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: check pass; user unknown
Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
Feb 19 13:20:47 Martyr gdm-binary[835]: Couldn't authenticate user

Any help is greatly appreciated, and thanks in advance!

Khanh Tran
Network Operations
Sarah Lawrence College

--
To unsubscribe from this list go to the following
URL and read the
instructions:
http://lists.samba.org/mailman/listinfo/samba
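
The failures quoted in this thread are tagged gdm(pam_unix), which names the PAM service whose file was in effect and the module that logged. As an added example (not code from any message in the thread), the Python below reads that tag and checks whether the matching /etc/pam.d file calls pam_winbind in its auth stack. The function names are hypothetical, the log lines are constructed from the ones quoted above, and the contents of the unmodified gdm file are an assumption because the thread does not show them.

```python
import re

# Tag format seen in the thread's syslog lines: service(module)[pid]:
TAG = re.compile(r"(?P<service>[\w-]+)\((?P<module>pam_\w+)\)\[\d+\]: (?P<msg>.*)")

def failing_services(log_lines):
    """Map each PAM service name to the modules that logged an auth failure."""
    hits = {}
    for line in log_lines:
        m = TAG.search(line)
        if m and ("authentication failure" in m["msg"] or "user unknown" in m["msg"]):
            hits.setdefault(m["service"], set()).add(m["module"])
    return hits

def auth_stack(pam_text):
    """Return (control, module) pairs for the auth lines of one /etc/pam.d file."""
    stack = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments such as #%PAM-1.0
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def diagnose(log_lines, pam_files):
    """For each service that logged a failure, say whether its file calls pam_winbind."""
    report = {}
    for service in failing_services(log_lines):
        text = pam_files.get(service)
        if text is None:
            report[service] = "no /etc/pam.d file supplied"
        elif any(mod == "pam_winbind.so" for _, mod in auth_stack(text)):
            report[service] = "pam_winbind present"
        else:
            report[service] = "pam_winbind missing from auth stack"
    return report

# Constructed sample input, modelled on the lines quoted in the thread.
LOG = [
    "Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: check pass; user unknown",
    "Feb 19 13:20:46 Martyr gdm(pam_unix)[835]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost",
    "Feb 19 13:20:47 Martyr gdm-binary[835]: Couldn't authenticate user",
]
PAM_FILES = {
    "login": "#%PAM-1.0\nauth required /lib/security/pam_securetty.so\nauth sufficient /lib/security/pam_winbind.so\n",
    # Assumed contents of an unmodified gdm file; the thread does not show it.
    "gdm": "#%PAM-1.0\nauth required /lib/security/pam_stack.so service=system-auth\n",
}
if __name__ == "__main__":
    print(diagnose(LOG, PAM_FILES))
```

Editing /etc/pam.d/login has no effect on a service that logs under a different tag, which is why the check is keyed on the service name taken from the log line.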

